CCPA 2.0: Key differences with the CCPA
The California Consumer Privacy Act (CCPA), which took effect at the beginning of this year, protects the privacy of consumers in the Golden State by giving them greater control over businesses’ use of their personal information.
Specifically, the CCPA grants California consumers the rights to:
What is the California Privacy Rights Act (CPRA)?
Despite a set of amendments to the CCPA passed in 2019 and the California Attorney General’s Final Regulations, the coalition at Californians for Consumer Privacy placed the California Privacy Rights and Enforcement Act of 2020 (CPRA), commonly referred to as CCPA 2.0, on the November 2020 ballot to give Californians the opportunity to vote on an updated privacy law.
Does CPRA replace CCPA?
In general, CCPA 2.0 (i.e. CPRA) amends the CCPA by expanding consumer rights, heightening privacy protections, and establishing an enforcement agency to protect consumers through vigorous enforcement of the law.
When does the California Privacy Rights Act (CPRA) go into effect?
The CPRA will enter into effect on January 1, 2023. However, the CPRA includes a “look-back” period, meaning that many of its provisions will apply to personal information collected from January 1, 2022.
What are the differences between CCPA and CPRA?
CCPA 2.0 sets forth key differences with the current CCPA.
In particular, CCPA 2.0 would:
Change in scope: What data is now covered by CCPA 2.0?
CCPA 2.0 establishes a new classification for sensitive personal information (SPI), which includes information such as social security numbers, driver's license numbers, and biometric information. CCPA 2.0 also extends several privacy rights to employees, meaning that employee data will now fall under the scope of the law.
CPRA consumer rights
The CPRA grants consumers the following rights:
CCPA 2.0: Businesses’ responsibilities
CCPA 2.0 would place additional obligations on businesses, including setting forth responsibilities that essentially amount to privacy principles, such as transparency, purpose and storage limitations, and data security.
In particular, the law would:
CPRA “do not sell or share” requirement
The CPRA removes the ambiguous interpretation of the CCPA’s “Do Not Sell” requirement by introducing “Do Not Sell or Share” opt-out obligations for organizations to comply with. Businesses are required to provide consumers with a “Do Not Sell or Share My Information” link on their websites.
Sensitive personal information under the CPRA
The CPRA defines Sensitive Personal Information as a new category of data that falls under its scope.
Sensitive Personal Information can include:
Implementation & enforcement of CPRA compliance
The CCPA 2.0 calls for vigorous protection of consumers’ privacy rights.
To that end, it would create the California Privacy Protection Agency to implement and enforce the law. Comprised of appointed experts in privacy, technology, and consumer rights, the agency would provide guidance to businesses and consumers on their responsibilities and rights, respectively.
The agency would also have the authority to investigate alleged violations of the law, bring civil actions against violators, issue injunctions, and levy administrative fines.
In addition, recognizing that CCPA 2.0 must keep pace with changes, the law would require future amendments to further the law and privacy protections. Finally, CCPA 2.0 updates the CCPA’s definitions, such as the newly defined “profiling” and “sensitive personal information,” and revises exemptions.
CCPA 2.0: Timeline and next steps
The California Attorney General has issued a notice on the proposed CCPA 2.0.
CCPA 2.0 was voted into law by California voters on the California General Election ballot on November 3, 2020. The law will become effective on January 1, 2023.
Following in California’s footsteps, Illinois, Nevada, New York, and Washington are next in line, with privacy legislation expected to be passed.