California Consumer Privacy Act: What You Need To Know About CCPA and CPRA

The CCPA law, which went into effect at the beginning of 2020, mandates a suite of online privacy protections for California residents. Under the law, people are entitled to know what type of information companies store about them and decide how some of that data may be shared. 
The original law only covered selling and gave consumers a button to opt-out of having their personal information sold. The new law defines sharing as disclosing consumers’ personal information for “cross-context behavioral advertising” to a third party for the purposes of ad targeting even if no money is exchanged. 
Want to learn more? Check out “The Future of the Web” to find out everything you need to know about the new restrictions, cookies, IDFA, first-party data, and all things privacy from our Tinuiti experts. Another important way in which the original CCPA was further expanded by the CRPA amendment is that a bright line was drawn between selling a consumer’s information and sharing it.
Under the first CCPA law, the liability of businesses in the case of a data breach was somewhat ambiguous. A company could be sued for a data breach that resulted in compromised personal information. What exactly businesses were required to do to implement reasonable security measures wasn’t spelled out, however.

‘Personal Information’ vs. ‘Sensitive Personal Information’

Another change between the two laws is which types of businesses have to adhere to the policies. The original CCPA applied to all for-profit businesses operating in California (whether they’re based in the state or not), collect personal information from California residents, and determine how that information is collected, used, and shared. 
The updated CPRA tightens up this issue and articulates that the business may be held liable if a data breach compromises a consumer’s email address and their password or security question/answer.

Selling Vs. Sharing 

An amendment to the law, the California Privacy Rights Act (CPRA), which was passed at the end of 2020 and goes into effect in 2023, further strengthens and expands the original CCPA protections. Under the new CPRA amendment, consumers gain even more control over an even wider range of information about themselves.
The updated law tightens up that definition to essentially give small businesses more flexibility by requiring only bigger businesses to comply. The new threshold is that the new law will only cover companies that earn more than million in revenue per year, derive half their revenue annually from selling consumers’ personal information, or collect or process 100,000 consumer records per year (up from 50,000 in the original law.) 
Several states, including New York, Hawaii, Maryland, and Massachusetts, have introduced laws similar to CCPA and GDPR. Other states such as Virginia, Washington, and New York are moving closer to enacting consumer privacy laws. Federally, momentum is gathering within Congress to address national privacy legislation.
Together, the CCPA and CPRA will form one set of comprehensive data privacy laws in the state of California.
The big takeaway for marketers is that California residents will have the right to prevent both their personal and sensitive personal information from being used to make the type of inferences that guide automated advertising decision-making to target consumers.  This will obviously force marketers, who rely heavily on this type of data, to rethink their strategies to conform to the law.

Data Breach Liability

The California Consumer Privacy Act (CCPA) is one of the toughest and most comprehensive online privacy laws in the nation and no doubt a harbinger of similar legislation that will likely be passed by other states—and ultimately—the federal government. So, even if your business isn’t based in California, it’s a good idea to pay attention to what’s happening out on the Left Coast. 
The original CCPA protected “personal information” which was broadly defined as any data that could be linked with a particular consumer or household and includes obvious details such as names, addresses, and emails. 

Right to Correct

Come 2023, businesses will also need to offer a “Limit the Use of My Sensitive Personal Information” button to consumers.  

New Enforcement Mechanisms

The new CPRA amendment defines the right to online privacy to further include a new category termed “sensitive personal information” which covers Social Security and drivers’ license numbers, geolocation, race, ethnicity, religion, sexual orientation, health/biometric/genetic data, financial data, and more. (In this way, the expanded law much more closely resembles the much more extensive privacy protections in the European Union under the General Data Protection Regulation or GDPR) 
Currently, under the CCPA, privacy violations are enforceable by the state Attorney General, with fines topping out at ,500 for regular violations and ,500 for intentional or reckless violations.
Much of this data is collected for personalized, cross-channel ad targeting based on information obtained about a consumer across different apps or services. By prohibiting the sharing of this information, consumers will, in essence, avoid being targeted by ads based on data gleaned from their search, browser, and purchase histories, how they behave when navigating websites,  as well as where their devices are geolocated and their device’s settings. 

Which Businesses Have to Comply With the Law?  

According to Red Clover Advisors:
“Because regulatory oversight requires an enormous amount of time and resources, the updated law mandates and funds the creation of a new state governmental body, the Privacy Protection Agency. Its remit will be to enforce CPRA and other privacy-related laws. Businesses will likely see enhanced auditing and enforcement efforts once the new agency is established in 2023.”
In a nutshell, businesses currently required to have a “Do Not Sell My Personal Information” opt-out link on their websites will have to add the words “Or Share” in 2023 so consumers will now see a button that says: “Do Not Sell or Share My Personal Information.”

What’s Next? 

In addition, vendors and contractors handling this type of data on behalf of these companies must also become compliant under the law. 
A new facet of the updated privacy amendment not present in the original law is that consumers will be able to correct inaccurate personal and sensitive personal information about them that is held by businesses. This is a build on the earlier privacy protections which guaranteed the right to know, to delete,  to opt-out, and not to face discrimination for choosing to opt-out.