Skip to main content

Meet CCPA 2.0: The California Privacy Rights Act

Learning Objectives

After completing this unit, you’ll be able to:

  • Explain how the CPRA generally modifies and enhances the CCPA
  • Identify new key terms and concepts introduced by the CPRA

The California Privacy Rights Act

On November 3, 2020, less than one year after the California Consumer Privacy Act (CCPA) went into effect, California voters approved the California Privacy Rights Act (CPRA), which amends and builds upon the CCPA. Effective January 1, 2023, the CPRA expands the privacy and data protection obligations under the CCPA, making it both more comprehensive and aligned to global standards. Let’s take a quick look at some of the key changes the CPRA brings.

New Terms and Concepts

The CPRA introduces us to some new terms and concepts, including Sensitive Personal Information. You can find a general overview of a few key terms below.

Contractor: The CPRA builds on the concepts of Service Providers and Third Parties by adding “Contractor” to the mix. While you may have already determined who’s a Service Provider or who’s a Third Party in your preparation for the CCPA, it’s important to understand the specific Contractor provisions introduced under the CPRA and how your previous CCPA analysis may be impacted. Contractors are similar conceptually to Service Providers, but we expect subsequent regulations to further clarify relevant differences.

Sensitive Personal Information (SPI): If you’re familiar with the EU’s GDPR, then the concept of Sensitive Personal Information may not be entirely new. SPI is a category of personal information that is generally considered more harmful to a Consumer if the data is ever breached or compromised. The impact may lead to discrimination, harassment, identity theft, or impact their quality of life in other harmful ways. While the definition of SPI can vary depending on the legal framework, under the CPRA it includes data such as social security numbers, financial account information, children’s data, and precise geolocation information. 

If a Business determines that any of the data it collects or processes qualifies as SPI under the CPRA, there are additional obligations and limitations to consider. For example, the CPRA includes detailed provisions related to notices, disclosures, and additional individual rights that need to be afforded to a Consumer when their SPI is collected or processed. 

Sharing: The CPRA establishes stronger opt-out rights for consumers  by adding “Sharing” which involves disclosing Personal Information for the purposes of cross-context behavioral advertising (another specific CPRA defined term), whether or not monetary or other valuable consideration is exchanged. Selling or Sharing and what they mean for a Business in terms of applicability, additional obligations, opt-out rights, and so on are complex privacy topics. It's imperative that you engage with your own legal experts on how to navigate their intricacies as it relates to your Business. 

People touching screens and phones

Additional Obligations

The CPRA also establishes new obligations that a Business must meet in order to properly protect the privacy and security of individuals. For example, the CPRA adds specific provisions related, but not limited, to:

  • Transparency (in the form of additional notice and disclosure requirements)
  • Audits and risk assessments
  • Data retention
  • Contractual requirements between Businesses, Service Providers, and so forth

Expanded Individual Rights

The CCPA initially provided Consumers with some foundational privacy rights such as the right to access and deletion. It also included its own version of the right to opt out, which gives Consumers the right to tell Businesses (at any time) to stop Selling their Personal Information. The CPRA expands on this by also incorporating a right to opt out of Sharing. Additionally, the CPRA gives Consumers further control of their Personal Information by allowing them to correct any Personal Information a Business may have about them and to restrict the way a Business uses or discloses any Sensitive Personal Information. 

Enforcement: Introducing the California Privacy Protection Agency 

The advent of the CPRA also establishes a new enforcement body, the California Privacy Protection Agency (CPPA). The CPPA is a new state governing agency that consists of a five-member board whose primary duties include the implementation and enforcement of the CCPA and CPRA. It is also responsible for providing guidance on the CCPA, updating current regulations and adopting new ones. Similar to the data protection authorities who enforce the EU’s GDPR, the CPPA’s duties also include investigating complaints and imposing fines for violations of noncompliance.   

The CCPA, as amended by the CPRA, is considered one of the most comprehensive privacy laws in the United States and has very specific provisions that can be complex for a Business to navigate. Therefore, it's essential that you consult with your own legal experts to determine the CCPA’s impact on your Business. 

Resources 

Keep learning for
free!
Sign up for an account to continue.
What’s in it for you?
  • Get personalized recommendations for your career goals
  • Practice your skills with hands-on challenges and quizzes
  • Track and share your progress with employers
  • Connect to mentorship and career opportunities