Nitty-Gritty Detail Comparison of CCPA and CPRA

Columns of the original comparison table: Category, Topic, CCPA Provision, CPRA Provision. Each numbered entry below gives the category and topic of the row, followed by the CCPA provision and then the CPRA provision.

1. Scope: Effective Date

CCPA Provision:

January 1, 2020, with two caveats:
(1) enforcement actions by the California AG will not occur until July 1, 2020; and
(2) collection of personal data of a job applicant and/or employee and/or contractor by a business is not in scope until January 1, 2021.

CPRA Provision:

January 1, 2023, with the following caveats:
(1) the right of access shall only apply to personal information collected by a business on or after January 1, 2022;
(2) extends the CCPA's exemption re: the collection of personal data of a job applicant and/or employee and/or contractor by a business from an expiration date of January 1, 2021 to January 1, 2023;
(3) the CPRA's changes to the funding dynamics of the Consumer Privacy Fund, the regulation process, and the creation and funding of the California Privacy Protection Agency all become operative on the effective date of the CPRA (i.e. 5 days after the voting results are certified).

2. Scope: Who is Regulated?

CCPA Provision:

A for-profit “Business” that "collects consumers' personal information" and meets one of the following thresholds:
(1) gross revenue greater than $25 million; OR
(2) buys/sells/shares personal information on over 50,000 consumers, households or devices; OR
(3) derives 50% or more of its revenue from selling consumer personal information.

Also covers any entity that controls or is controlled by a business and "shares common branding" with the business. [§ 1798.140(c)]

CPRA Provision:

A for-profit “Business” that "collects consumers' personal information" and meets one of the following thresholds:
(1) gross revenue greater than $25 million in the preceding calendar year; OR
(2) buys/sells/shares personal information on over 100,000 consumers or households; OR
(3) derives 50% or more of its revenue from selling or sharing consumer personal information.

Also covers (a) any entity that controls or is controlled by a business and "shares common branding" with the business and "with whom the business shares consumers' personal information"; (b) "a joint venture or partnership composed of businesses in which each business has at least a 40 percent interest"; and (c) any entity that does business in California and voluntarily certifies to the California Privacy Protection Agency that it is in compliance with the CPRA. [§ 1798.140(d)]

3. Scope: Who is Protected?

CCPA Provision:

A "Consumer" that is a natural person who is a California resident. [§ 1798.140(g)] Resident is defined per Cal. Rev. Code § 17014 as:
(1) Every individual who is in this state for other than a temporary or transitory purpose.
(2) Every individual domiciled in this state who is outside the state for a temporary or transitory purpose.

CPRA Provision:

A "Consumer" that is a natural person who is a California resident. [§ 1798.140(i)] Resident is defined per Cal. Rev. Code § 17014 as:
(1) Every individual who is in this state for other than a temporary or transitory purpose.
(2) Every individual domiciled in this state who is outside the state for a temporary or transitory purpose.

4. Scope: Do Children Get Special Protection?

CCPA Provision:

Yes, "a business shall not sell the personal information" of children aged 13 to 16 unless the child directly "opts-in" to the sale. For children under 13, a business requires parental consent to the sale of their child's personal data. [§ 1798.120(c)-(d)]

Note that "the law is intended to supplement federal and state law," so existing federal privacy laws re: children (e.g. COPPA) still apply. [§ 1798.196]

CPRA Provision:

Yes, "a business shall not sell or share the personal information" of children aged 13 to 16 unless the child directly "opts-in" to the sale. For children under 13, a business requires parental consent to the sale or sharing of their child's personal data. [§ 1798.120(c)-(d)] Furthermore, for children under 16 who did not give consent, businesses must "wait for at least 12 months before requesting the consumer's consent again" or "until the consumer attains 16 years of age." [§ 1798.135(a)]

In addition, the Privacy Protection Agency can levy administrative enforcement fines of $7500 per violation of the law in cases where the "business, service provider, contractor or other person has actual knowledge that the consumer is under 16 years of age." [§ 1798.155(a)]

Note that the provisions of the CPRA relating to children under 16 years of age shall only apply to the extent not in conflict with the Children's Online Privacy Protection Act (COPPA). [Sec. 30 Savings Clause]

5. Scope: Covers Employees?

CCPA Provision:

No, not until January 1, 2021. [§ 1798.145(h)] Specifically, "the title shall not apply to … personal information that is collected by a business about a natural person in the course of the natural person acting as … an employee" and "this subdivision shall become inoperative on January 1, 2021."

CPRA Provision:

No, not until January 1, 2023. Specifically, "the title shall not apply to … personal information that is collected by a business about a natural person in the course of the natural person acting as … an employee." Nor shall the consumer rights (right of access, deletion, etc.) "apply to personal information reflecting a written or verbal communication or a transaction between the business" and the employee. Also applies to job applicants and contractors. [§§ 1798.145(m)-(n)]

6. Scope: What Information is Protected?

CCPA Provision:

“Personal information” (PI) means "information that identifies, relates to, describes, is reasonably capable of being associated with ..." a particular consumer or household. It then lists specific examples such as:
(1) Identifiers such as a real name, alias, postal address, unique personal identifier (which can include a device), IP address, email address, account name, social security number, driver’s license number, and passport number;
(2) Commercial information, including records of personal property, products or services purchased, or other purchasing or consuming histories or tendencies;
(3) Biometrics;
(4) Internet or other network activity information (e.g. browsing history);
(5) Geolocation data;
(6) Audio, electronic, visual, thermal, olfactory, or similar information;
(7) Professional or employment-related information;
(8) Education information as defined in FERPA; and
(9) Inferences drawn from any of the information above.

It does not include publicly available information or information that is deidentified. Nor does it apply to data already covered by federal privacy laws such as HIPAA, GLBA and FCRA. [§§ 1798.140(o) and 1798.145(c)-(f)]

CPRA Provision:

“Personal information” (PI) means "information that identifies, relates to, describes, is reasonably capable of being associated with ..." a particular consumer or household. It then lists specific examples such as:
(1) Identifiers such as a real name, alias, postal address, unique personal identifier (which can include a device), IP address, email address, account name, social security number, driver’s license number, and passport number;
(2) Commercial information, including records of personal property, products or services purchased, or other purchasing or consuming histories or tendencies;
(3) Biometrics;
(4) Internet or other network activity information (e.g. browsing history);
(5) Geolocation data;
(6) Audio, electronic, visual, thermal, olfactory, or similar information;
(7) Professional or employment-related information;
(8) Education information as defined in FERPA;
(9) Inferences drawn from any of the information above; and
(10) Sensitive personal information (definition below).

It does not include publicly available information, data that is lawfully obtained, truthful and a matter of public concern, or data that is "lawfully made available to the public by the consumer or from widely distributed media." Nor does it include information that is deidentified. Nor does it apply to data already covered by federal privacy laws such as HIPAA, GLBA and FCRA. [§§ 1798.140(v) and 1798.145(c)-(f)]

7. Scope: Additional Restrictions on Sensitive Data?

CCPA Provision:

N/A

CPRA Provision:

Yes. "Sensitive Personal Information" (SPI) includes a consumer's:
(1) social security, driver's license, state ID card, or passport number;
(2) account log-in (including access code and password), financial account, debit card, or credit card number;
(3) precise geolocation;
(4) racial or ethnic origin, religious or philosophical beliefs, or union membership (as in the GDPR);
(5) mail, email and text messages, unless the business is the intended recipient of the communication;
(6) genetic and biometric data;
(7) personal information collected and analyzed concerning a consumer's health;
(8) personal information collected and analyzed concerning a consumer's sex life or sexual orientation. [§ 1798.140(ae)]

Businesses must inform consumers that they are collecting SPI, the purposes for collection, whether SPI will be sold or shared, and the length of time this data will be stored. Businesses cannot collect additional SPI for additional purposes that are incompatible with the disclosed purpose, and cannot store SPI beyond the stated length of time. [§ 1798.100(a)] A consumer shall have the right at any time to limit the use of their SPI. [§ 1798.121(a)] A business must also either put on its homepage a clear link titled "Limit the Use of My Sensitive Personal Information" or support an opt-out preference signal. As SPI is personal information, a consumer can also request that the business not sell or share SPI [§ 1798.135(a)], and the consumer's rights regarding personal information (right to access, delete, correct, etc.) also apply to SPI.

8. Scope: Exemptions?

CCPA Provision:

There are several exemptions for both businesses and types of personal data collected.

For businesses:
(1) Businesses that are non-profits and/or small businesses under $25m and/or don't collect the requisite amount of personal data (per "Who is Regulated?" above) [§ 1798.140(c)]
(2) Businesses are not restricted from complying with a civil, criminal or regulatory inquiry and/or a subpoena/summons by a government authority [§ 1798.145(a)]

For types of personal data:
(1) Personal data subject to sector-specific federal and/or state privacy laws such as GLBA, HIPAA, California's Confidential Medical Information (CMI) Act [§ 1798.145(c)-(f)]
(2) Personal data involving ownership of motor vehicles (e.g. information collected for recalls) [§ 1798.145(g)]
(3) Personal data involving job applicants, employees, contractors and owners/directors of businesses until January 1, 2021 [§ 1798.145(h)]
(4) Personal data that is deidentified or aggregate data [§ 1798.145(a)]
(5) Personal data collected as part of a clinical trial [§ 1798.145(c)]
(6) Personal data collected outside of California involving non-California residents [§ 1798.145(a)]

CPRA Provision:

There are several exemptions for both businesses and types of personal data collected.

For businesses:
(1) Businesses that are non-profits and/or small businesses under $25m and/or don't collect the requisite amount of personal data (per "Who is Regulated?" above) [§ 1798.140(d)]
(2) Businesses are not restricted from complying with a civil, criminal or regulatory inquiry and/or a subpoena/summons by a government authority [§ 1798.145(a)]

For types of personal data:
(1) Usage of personal data in emergency situations [§ 1798.145(a)]
(2) Personal data subject to sector-specific federal and/or state privacy laws such as GLBA, HIPAA, California's Confidential Medical Information (CMI) Act [§§ 1798.145(c)-(f)]
(3) Personal data involving ownership of motor vehicles (e.g. information collected for recalls) [§ 1798.145(g)]
(4) Personal data involving job applicants, employees, contractors and owners/directors of businesses until January 1, 2021 [§ 1798.145(m)]
(5) Personal data that is deidentified or aggregate data [§ 1798.145(a)]
(6) Personal data collected as part of a clinical trial [§ 1798.145(c)]
(7) Personal data collected outside of California involving non-California residents [§ 1798.145(a)]
(8) Personal data involving grades, educational scores and educational test results [§ 1798.145(q)]
(9) Personal data such as a photograph in a yearbook, if consent is given [§ 1798.145(r)]

9. Scope: Lawful Bases to Process Personal Data?

CCPA Provision:

No. The US Constitution's 1st Amendment in general lets a business collect the data that it wants to (see Sorrell v. IMS Health Inc.). But the CCPA requires that a business disclose what categories of personal information it collects and the purpose for which it collects them (see Right to be Informed below), so as long as the consumer is informed and does not opt out (or opts in, in the case of minors), the business can collect. But note that Section 5(a) of the FTC Act provides that “unfair or deceptive acts or practices in or affecting commerce . . . are . . . declared unlawful.” 15 U.S.C. Sec. 45(a)(1).

CPRA Provision:

No. The US Constitution's 1st Amendment in general lets a business collect the data that it wants to (see Sorrell v. IMS Health Inc.). But the CPRA requires that a business disclose what categories of personal information it collects and the purpose for which it collects them (see Right to be Informed below), so as long as the consumer is informed and does not opt out (or opts in, in the case of minors), the business can collect. The CPRA also requires businesses to retain personal information for no longer than necessary. But note that Section 5(a) of the FTC Act provides that “unfair or deceptive acts or practices in or affecting commerce . . . are . . . declared unlawful.” 15 U.S.C. Sec. 45(a)(1).

10. Scope: Law is Protected from Watering Down?

CCPA Provision:

N/A.

CPRA Provision:

Yes. The CPRA may be amended after its approval by the voters by a statute that is passed by a vote of a majority of the members of each house of the Legislature and signed by the Governor, provided that such amendments are "consistent with and further the purpose and intent" of the CPRA.

11. Individual Rights: Right to be Informed (aka Right to Know or Right to be Notified)

CCPA Provision:

“A business that collects a consumer’s personal information shall, at or before the point of collection, inform consumers as to the categories of personal information to be collected and the purposes for which the categories of personal information shall be used. A business shall not collect additional categories of personal information or use personal information collected for additional purposes without providing the consumer with notice consistent with this section.” [§ 1798.100(b)] Furthermore, businesses must also inform consumers what rights the consumer has vis-à-vis the personal data, e.g. consumers need to be told they also have the right to request deletion of their personal data. [§ 1798.105(b)]

CPRA Provision:

A business that "controls the collection" of PI and/or SPI shall, "at or before the point of collection," inform the consumer of the categories and purposes of PI and/or SPI "that are collected or used and whether such information is sold or shared." PI and/or SPI shall not be collected for additional purposes that are incompatible with the disclosed purpose for which that information is collected. The business must also inform the consumer of the length of time that information will be retained. [§ 1798.100(a)] Furthermore, businesses must also inform consumers what rights the consumer has vis-à-vis the personal data, e.g. consumers need to be told they also have the right to request deletion of their personal data. [§ 1798.105(b)] Besides having the right to know what personal information is sold and shared, consumers have the right to know to whom. [§ 1798.115(b)]

12. Individual Rights: Right to Access

CCPA Provision:

"A consumer shall have the right to request that a business that collects a consumer’s personal information disclose to that consumer the categories and specific pieces of personal information the business has collected.” [§ 1798.100(a)] This includes any third parties the business has shared the personal data with. The business shall provide that information once it has verified the consumer request. [§ 1798.100(c)] Furthermore, a business shall “promptly take steps to disclose and deliver, free of charge to the consumer, the personal information.” But "a business may provide personal information to a consumer at any time, but shall not be required to provide personal information to a consumer more than twice in a 12-month period." [§ 1798.100(d)]

CPRA Provision:

"A consumer shall have the right to request that a business that collects a consumer’s personal information disclose to that consumer the categories" and "specific pieces of personal information the business has collected.” [§ 1798.110(a)] This includes any third parties the business has shared the personal data with. The business shall provide that information once it has verified the consumer request. Furthermore, a business shall "disclose and deliver the required information to a consumer free of charge to the consumer” within a 45-day period of receiving a verifiable consumer request. The disclosure "shall cover the 12-month period preceding the business's receipt of the verifiable consumer request," and any right beyond the 12-month period "shall only apply to personal information collected on or after January 1, 2022." [§ 1798.130(a)] A business "shall not be required to provide personal information to a consumer more than twice in a 12-month period." [§ 1798.130(b)]

13. Individual Rights: Right to Correct (aka Right to Rectification)

CCPA Provision:

N/A

CPRA Provision:

"A consumer shall have the right to request a business that maintains inaccurate personal information about the consumer correct such inaccurate personal information." [§ 1798.106(a)]

14. Individual Rights: Right to Delete (aka Right to Erasure or Right to be Forgotten)

CCPA Provision:

“A consumer shall have the right to request that a business delete any personal information about the consumer which the business has collected from the consumer.” [§ 1798.105(a)] The business must also direct any service providers that the business utilizes to delete the consumer’s personal information from their records. [§ 1798.105(c)] There are 9 exceptions in [§ 1798.105(d)], including performing the contractual obligations that exist between business and consumer, security purposes, debugging, the exercise of free speech, and engaging in research in the public interest.

CPRA Provision:

“A consumer shall have the right to request that a business delete any personal information about the consumer which the business has collected from the consumer.” [§ 1798.105(a)] The business must also notify any service providers or contractors, as well as "notify all third parties to whom the business has sold or shared that information," to delete the consumer’s personal information from their records. A service provider or contractor is not required to fulfill a deletion request submitted directly by the consumer. [§ 1798.105(c)] There are 8 exceptions in [§ 1798.105(d)], including performing the contractual obligations that exist between business and consumer, helping ensure security and integrity, debugging, the exercise of free speech, and engaging in research that conforms to applicable ethics and privacy laws.

15. Individual Rights: Right to Restrict Processing

CCPA Provision:

N/A, with the exception of the right to opt out of the selling of personal information (see below).

CPRA Provision:

N/A, with the exception of the right to opt out of the selling and sharing of personal information and the right to limit the use of sensitive personal information (see below).

16. Individual Rights: Right to Data Portability

CCPA Provision:

Once a consumer requests access to their personal data from a business, and that request is verified, the “information shall be in a portable and, to the extent technically feasible, readily useable format that allows the consumer to transmit the information to another entity without hindrance.” [§ 1798.100(d)]

CPRA Provision:

As part of a consumer's Right to Access, a business shall "provide the specific pieces of personal information obtained from the consumer in a format that is easily understandable to the average consumer, and to the extent technically feasible, in a structured, commonly used, machine-readable format, which also may be transmitted to another entity at the consumer's request without hindrance." [§ 1798.130(a)]

17. Individual Rights: Right to Object to Processing

CCPA Provision:

N/A, with the exception of the right to opt out of the selling of personal information (see below).

CPRA Provision:

N/A, with the exception of the right to opt out of the selling and sharing of personal information and the right to limit the use of sensitive personal information (see below).

18. Individual Rights: Right to "Opt Out" of Sale and Sharing of Personal Information (aka Right to Say No)

CCPA Provision:

"A consumer shall have the right, at any time, to direct a business that sells personal information about the consumer to third parties not to sell the consumer’s personal information. This right may be referred to as the right to opt-out.” [§ 1798.120(a)]

CPRA Provision:

"A consumer shall have the right, at any time, to direct a business that sells or shares personal information about the consumer to third parties not to sell or share the consumer's personal information. This right may be referred to as the right to opt-out of sale or sharing." [§ 1798.120(a)]

19. Individual Rights: Right to Limit Use of Sensitive Personal Information (including Precise Geolocation)

CCPA Provision:

N/A

CPRA Provision:

"A consumer shall have the right, at any time, to direct a business that collects sensitive personal information about the consumer to limit its use of the consumer's sensitive personal information to that use which is necessary to perform the services or provide the goods reasonably expected by an average consumer who requests such goods or services." [§ 1798.121(a)] Recall that sensitive personal information includes precise geolocation.

20. Individual Rights: Right to Reject Automated Decision Making and Profiling

CCPA Provision:

N/A

CPRA Provision:

The CPRA leaves open the possibility of this right being issued as a regulation by the Privacy Protection Agency. [§ 1798.185(a)]

21. Individual Rights: Right of No Retaliation (aka Right to not be Discriminated Against)

CCPA Provision:

The CCPA states that if a consumer requests access or exercises any of their individual rights, they can’t be discriminated against. Examples include (directly quoted from [§ 1798.125(a)]):
(1) Denying goods or services to the consumer.
(2) Charging different prices or rates for goods or services, including through the use of discounts or other benefits or imposing penalties.
(3) Providing a different level or quality of goods or services to the consumer.
(4) Suggesting that the consumer will receive a different price or rate for goods or services or a different level or quality of goods or services.

CPRA Provision:

The CPRA states that if a consumer requests access or exercises any of their individual rights, they can’t be discriminated against. Examples include (directly quoted from [§ 1798.125(a)]):
(1) Denying goods or services to the consumer.
(2) Charging different prices or rates for goods or services, including through the use of discounts or other benefits or imposing penalties.
(3) Providing a different level or quality of goods or services to the consumer.
(4) Suggesting that the consumer will receive a different price or rate for goods or services or a different level or quality of goods or services.

The CPRA specifically states that this right "does not prohibit a business from offering loyalty, rewards, premium features, discounts, or club card programs."

22. Obligations: Privacy Policy Disclosure

CCPA Provision:

A business that collects a consumer’s personal information shall "disclose to that consumer the categories and specific pieces of personal information the business has collected." This needs to be done "at or before the point of collection." [§§ 1798.100(a)-(b)] A business must also disclose the consumer's rights, e.g. "the consumer’s rights to request the deletion of the consumer’s personal information." [§ 1798.105(a)] Privacy policies must be updated "at least once every 12 months." [§ 1798.130(a)]

CPRA Provision:

A business that "controls the collection" of PI and/or SPI shall, "at or before the point of collection," inform the consumer of the categories and purposes of PI and/or SPI "that are collected or used and whether such information is sold or shared." PI and/or SPI shall not be collected for additional purposes that are incompatible with the disclosed purpose for which that information is collected. The business must also inform the consumer of the length of time that information will be retained. [§ 1798.100(a)] Furthermore, businesses must also inform consumers what rights the consumer has vis-à-vis the personal data, e.g. consumers need to be told they also have the right to request deletion of their personal data. [§ 1798.105(b)] Businesses must also tell consumers not only what personal information is sold and shared, but to whom. [§ 1798.115(b)]

23. Obligations: Data Protection by Design and Default

CCPA Provision:

N/A, with the exception that a business must identify what data is personal in the design of its systems and apps so as to provide proper notification.

CPRA Provision:

A business shall not collect additional categories of PI and/or SPI that are "incompatible with the disclosed purpose for which the personal information was collected, without providing the consumer with notice." [§ 1798.100(a)] Clearly a business must design its systems and apps to identify not only what data is personal but what is sensitive personal information. A business shall not retain this data "for longer than is reasonably necessary for that disclosed purpose" (i.e. the principle of storage limitation). Furthermore, the "business's collection ... of a consumer's personal information shall be reasonably necessary and proportionate to achieve the purposes for which the personal information was collected or processed" (i.e. data or purpose minimization, aka the principle of proportionality). [§ 1798.100(c)] Finally, a business must also "implement reasonable ... procedures and practices appropriate to the nature of the personal information to protect" it. [§ 1798.100(e)]

24. Obligations: Written Contracts with Processors / Service Providers / Contractors / Third Parties

CCPA Provision:

It is implied that a contract is in place with a service provider, given the definition of "service provider" as an entity that "processes information on behalf of a business and to which the business discloses a consumer’s personal information for a business purpose pursuant to a written contract, provided that the contract prohibits the entity receiving the information from retaining, using, or disclosing the personal information for any purpose other than for the specific purpose of performing the services specified in the contract for the business." [§ 1798.140(v)]

CPRA Provision:

"A business that collects a consumer's personal information and that sells that personal information to, or shares it with, a third party or that discloses it to a service provider or contractor for a business purpose shall enter into an agreement with such third party, service provider, or contractor." The contract must specify that the PI used, sold or shared is only for a limited and specified purpose, and that those entities must also comply with the CPRA's obligations re: the protection of PI and the rights of consumers over their PI. [§ 1798.100(d)]

The definition of contractor and service provider specifies that a business can enforce via contract the ability for the business to monitor "compliance with the contract through measures including, but not limited to, ongoing manual reviews and automated scans, and regular assessments, audits, or other technical and operational testing at least once every twelve (12) months." [§ 1798.140(ag)] Furthermore, both service providers and contractors must assist businesses in complying with the CCPA, e.g. with verified consumer deletion requests [§ 1798.105(c)]. But "a service provider or contractor shall not be required to comply with a deletion request submitted by the consumer directly to the service provider or contractor."

A contractor or service provider that engages another entity to assist in the processing of a business's personal information must "notify the business of such engagement." [§ 1798.140(ag)]

25. Obligations: Maintain Records of Processing Activities

CCPA Provision:

Not really. The proposed CCPA regulations as drafted as of March 2020 do assume there will be some documentation of consumer requests re: their personal information.

CPRA Provision:

The Privacy Protection Agency will create regulations "specifying record keeping requirements for businesses to ensure compliance with this title." [§ 1798.199.40] It is implied that records need to be maintained re: what personal information is shared or sold with which third parties. Also, a "business may maintain a confidential record of deletion requests." [§ 1798.105(c)] Furthermore, a business should document its security procedures and practices to show compliance with the obligation to implement reasonable security procedures. [§ 1798.150(a)]

26. Obligations: Respond to Rights Requests

CCPA Provision:

A business must respond to a "verifiable consumer request." [§ 1798.140(y)] The proposed CCPA regulations document how these requests should be logged. Furthermore, a business must "disclose and deliver the required information to a consumer free of charge within 45 days" and can extend the 45 days once. [§ 1798.130(a)] This information must be provided "free of charge to the consumer," but a business "shall not be required to provide personal information to a consumer more than twice in a 12-month period." [§ 1798.100(c)] Businesses must also respond to other rights requests (e.g. deletions, do not sell, etc.) with no limitations. [§§ 1798.105(c), 1798.120(d)]

CPRA Provision:

A business must respond to a "verifiable consumer request." [§ 1798.140(ak)] Furthermore, a business must "disclose and deliver the required information to a consumer free of charge within 45 days" and can extend the 45 days once. [§ 1798.130(a)] This information must be provided "free of charge to the consumer," but a business "shall not be required to provide personal information to a consumer more than twice in a 12-month period." [§ 1798.130(a)] Businesses must also respond to other rights requests (e.g. deletions, do not sell, etc.) with no limitations. [§§ 1798.105(c), 1798.120(d)]

27. Obligations: New Homepage Links Required (e.g. do not sell/share personal information, limit use of sensitive personal information)

CCPA Provision:

A business must "provide a clear and conspicuous link on the business’s Internet homepage, titled “Do Not Sell My Personal Information,” to an Internet Web page that enables a consumer, or a person authorized by the consumer, to opt-out of the sale of the consumer’s personal information. A business shall not require a consumer to create an account in order to direct the business not to sell the consumer’s personal information." [§ 1798.135(a)]

CPRA Provision:

A business must "provide a clear and conspicuous link on the business’s Internet homepage, titled “Do Not Sell or Share My Personal Information,” as well as a link titled "Limit the Use of My Sensitive Personal Information" to Internet Web page(s) that enable a consumer, or a person authorized by the consumer, to opt out of the sale and sharing of the consumer’s personal information and/or limit the use of their SPI. "A business shall not require a consumer to create an account in order to direct the business not to sell the consumer’s personal information." [§ 1798.135(a)] A business may instead support on its web page and mobile application an "opt-out preference signal" that automatically indicates the consumer's intent to opt out and/or limit usage. The technical specifications of this "opt-out preference signal" will be defined via regulations created by the Privacy Protection Agency. [§ 1798.135(b)]

28

Obligations

Implement Appropriate Security Measures

Not a direct obligation found in the CCPA.  The private right of action section [§ 1798.150(a)] states that "any consumer whose nonencrypted and nonredacted personal information ... is subject to an unauthorized access and exfiltration, theft, or disclosure as a result of the business’s violation of the duty to implement and maintain reasonable security procedures and practices appropriate to the nature of the information to protect the personal information may institute a civil action."  Furthermore, existing California law states that "a business that owns, licenses, or maintains personal information about a California resident shall implement and maintain reasonable security procedures and practices appropriate to the nature of the information, to protect the personal information from unauthorized access, destruction, use, modification, or disclosure." [§ 1798.81.5]

"A business that collects a consumer's personal information shall implement reasonable security procedures and practices appropriate to the nature of the personal information to protect the personal information from unauthorized or illegal access, destruction, use, modification, or disclosure." [§ 1798.100(e)]  In addition, the Privacy Protection Agency will issue regulations "requiring businesses whose processing of consumers' personal information presents significant risk to consumers' privacy or security, to: ... perform a cybersecurity audit on an annual basis, including defining the scope of the audit and establishing a process to ensure that audits are thorough and independent." [§ 1798.185(a)]

Furthermore, existing California law states that "a business that owns, licenses, or maintains personal information about a California resident shall implement and maintain reasonable security procedures and practices appropriate to the nature of the information, to protect the personal information from unauthorized access, destruction, use, modification, or disclosure." [§ 1798.81.5]

29

Obligations

Security Breach Notification

N/A, but California has an existing (and separate) data breach notification law § 1798.82. 

N/A, but California has an existing (and separate) data breach notification law § 1798.82. 

30

Obligations

Data Protection Impact Analysis

N/A

The Privacy Protection Agency will issue regulations "requiring businesses whose processing of consumers' personal information presents significant risk to consumers' privacy or security, to: (A) perform a cybersecurity audit on an annual basis, including defining the scope of the audit and establishing a process to ensure that audits are thorough and independent" ... and (B) "submit to the California Privacy Protection Agency on a regular basis a risk assessment with respect to their processing of personal information." [§ 1798.185(a)]

31

Obligations

Data Protection Officers

N/A

N/A 

32

Obligations

Adhere to the Rules of Cross-Border Data Transfers

N/A

N/A

33

Enforcement

Dedicated Supervisory Authority

The CCPA did not create a dedicated agency to enforce the CCPA.  The California Attorney General (AG) is tasked with adopting regulations re: the CCPA based on public participation. [§ 1798.185] "Any business or third party may seek the opinion of the AG for guidance on how to comply with the provisions of this title." [§ 1798.185] The AG can issue civil fines (see below). Any proceeds from civil actions will go into the Consumer Privacy Fund.  This Fund is "created within the General Fund in the State Treasury, and is available upon appropriation by the Legislature to offset any costs incurred by the state courts in connection with actions brought to enforce this title and any costs incurred by the Attorney General in carrying out the Attorney General’s duties." [§ 1798.160]  The AG "shall not bring an enforcement action under this title until six months after the publication of the final regulations issued pursuant to this section or July 1, 2020, whichever is sooner." [§ 1798.185]

The CPRA establishes the California Privacy Protection Agency (PPA), whose primary mission is to "protect the fundamental privacy rights of natural persons with respect to the use of their personal information" [§ 1798.199.40] and which is vested with full administrative power, authority and jurisdiction to implement and enforce the California Consumer Privacy Act. [§ 1798.199.10] The PPA has a five-member board, which appoints an executive director. [§ 1798.199.30]  The PPA enforces the CPRA through administrative actions, and is also tasked to "promote public awareness and understanding of the risks, rules, responsibilities, safeguards, and rights in relation to the collection, use, sale and disclosure of personal information." [§ 1798.199.40]  The PPA is funded through the Consumer Privacy Fund, with an annual budget of $10 million from the State’s General Fund. [§ 1798.199.195]  The regulations associated with the CPRA will initially be adopted by the California Attorney General with "broad public participation" [§ 1798.185], but once the PPA is operational it will assume ownership of the regulation process. [§ 1798.199.40]

34

Enforcement

Penalties (Civil Fines)

"A business shall be in violation ... if it fails to cure any alleged violation within 30 days after being notified of alleged noncompliance. Any business, service provider, or other person that violates this title shall be subject to an injunction and liable for a civil penalty of not more than two thousand five hundred dollars ($2,500) for each violation or seven thousand five hundred dollars ($7,500) for each intentional violation, which shall be assessed and recovered in a civil action brought in the name of the people of the State of California by the Attorney General." [§ 1798.155 (b)]

"Upon the sworn complaint of any person or on its own initiative," the PPA "may investigate possible violations of this title relating to any business, service provider, contractor, or person." [§ 1798.199.45]  Alleged violators of the CPRA will be given a 30-day notice by the PPA [§ 1798.199.50], and when the PPA "determines there is probable cause for believing this title has been violated, it shall hold a hearing to determine if a violation has or violations have occurred." If the PPA determines a violation has occurred, it can issue a cease and desist order, as well as order an entity to "pay an administrative fine of up to two thousand five hundred dollars ($2,500) for each violation, or up to seven thousand five hundred dollars ($7,500) for each intentional violation and each violation involving the personal information of minor consumers to the Consumer Privacy Fund within the General Fund of the state." [§ 1798.199.55]  The PPA "may subpoena witnesses, compel their attendance and testimony, administer oaths and affirmations, take evidence and require by subpoena the production of any books, papers, records or other items material to the performance" of the PPA's duties. [§ 1798.199.65]

35

Enforcement

Penalties (Private Rights of Action)

The CCPA enables a consumer's private right of action only in the narrow context where their "nonencrypted and nonredacted personal information" was "subject to an unauthorized access and exfiltration, theft, or disclosure as a result of the business’s violation of the duty to implement and maintain reasonable security procedures and practices."  Damages may be "not less than $100 and not greater than $750 per consumer per incident or actual damages, whichever is greater."  [§ 1798.150(a)]  There is no other private right of action beyond such a breach (e.g. no private right of action if a business fails to delete a consumer's information upon request).  Furthermore, "personal information" here uses the narrower definition found in [§ 1798.81.5].  Note that "actions pursuant to this section may be brought by a consumer if, prior to initiating any action against a business for statutory damages on an individual or class-wide basis, a consumer provides a business 30 days’ written notice identifying the specific provisions of this title the consumer alleges have been or are being violated. In the event a cure is possible, if within the 30 days the business actually cures the noticed violation and provides the consumer an express written statement that the violations have been cured and that no further violations shall occur, no action for individual statutory damages or class-wide statutory damages may be initiated against the business." [§ 1798.150(b)]

The CPRA enables a consumer's private right of action where their "nonencrypted and nonredacted personal information," or their "email address in combination with a password or security question and answer that would permit access to the account," was "subject to an unauthorized access and exfiltration, theft, or disclosure as a result of the business’s violation of the duty to implement and maintain reasonable security procedures and practices."  Damages may be "not less than $100 and not greater than $750 per consumer per incident or actual damages, whichever is greater." [§ 1798.150(a)] There is no other private right of action beyond such a breach (e.g. no private right of action if a business fails to delete a consumer's information upon request).  Furthermore, "personal information" here uses the narrower definition found in [§ 1798.81.5]. Note that "actions pursuant to this section may be brought by a consumer if, prior to initiating any action against a business for statutory damages on an individual or class-wide basis, a consumer provides a business 30 days' written notice identifying the specific provisions of this title the consumer alleges have been or are being violated," but the "implementation and maintenance of reasonable security procedures and practices pursuant to Section 1798.81.5 following a breach does not constitute a cure with respect to that breach." [§ 1798.150(b)]

Category Topic CCPA Provision CPRA Provision
1 Scope Effective Date January 1, 2020, with two caveats:
(1) enforcement actions taken by California AG to not occur til July 1, 2020; and
(2) collection of personal data of a job applicant and/or employee and/or contractor by a business not in scope til January 1, 2021
January 1, 2023 with the following caveats:
(1) the right of access shall only apply to personal information collected by a business on or after January 1, 2022
(2) extends the CCPA’s exemption re: the collection of personal data of a job application and/or employee and/or contractor by a business from an expiration date of January 1, 2021 to January 1, 2023
(3) the CPRA’s changes to the funding dynamics of the Consumer Privacy Fund, the regulation process, and the creation and funding of the California Privacy Protection agency all become operative on the effective date of the CPRA (i.e. 5 days after voting results are certified)
2 Scope Who is Regulated? A for-profit “Business” that “collects consumers’ personal information” and has the following thresholds:
(1) gross revenue greater than $25 million OR
(2) buys/sells/shares personal information on over 50,000 consumers, households or devices; OR
(3) derives 50% or more of its revenue from selling consumer personal information.

Also covers any entity that controls or is controlled by a business and “shares common branding” with the business. [§ 1798.140(c)]
A for-profit “Business” that “collects consumers’ personal information” and has the following thresholds:
(1) gross revenue greater than $25 million in the preceding calendar year OR
(2) buys/sells/shares personal information on over 100,000 consumers or households; OR
(3) derives 50% or more of its revenue from selling or sharing consumer personal information.

Also covers (a) any entity that controls or is controlled by a business and “shares common branding” with the business and “with whom the business shares consumers’ personal information”; (b) “a joint venture or partnership composed of businesses In which each business has at least a 40 percent interest”; and (c) any entity that does business in California and voluntarily certifies to the California Privacy Protection Agency that it is in compliance with the CRPA. [§ 1798.140(d)]
3 Scope Who is Protected? A “Consumer” that is a natural person who is California resident. [§ 1798.140(g)] Resident defined per Cal. Rev. Code § 17014 as
(1) Every individual who is in this state for other than a temporary or transitory purpose.
(2) Every individual domiciled in this state who is outside the state for a temporary or transitory purpose.
A “Consumer” that is a natural person who is California resident. [§ 1798.140(i)] Resident defined per Cal. Rev. Code § 17014 as
(1) Every individual who is in this state for other than a temporary or transitory purpose.
(2) Every individual domiciled in this state who is outside the state for a temporary or transitory purpose.
4 Scope Do Children Get Special Protection? Yes, “a business shall not sell the personal information” of children aged from 13-16 unless the child directly “opts-in” to the sale. For children under 13, a business requires parental consent to the sale of their child’s personal data. [§ 1798.120(c)-(d)]

Note that “the law is intended to supplement federal and state law,” so existing Federal privacy laws re: children (e.g. COPPA) still apply. [§ 1798.196]
Yes, “a business shall not sell or share the personal information” of children aged from 13-16 unless the child directly “opts-in” to the sale. For children under 13, a business requires parental consent to the sale or sharing of their child’s personal data. [§ 1798.120(c)-(d)] Furthermore, for children under 16 who did not give consent, businesses must “wait for at least 12 months before requesting the consumer’s consent again” or “until the consumer attains 16 years of age.” [§ 1798.135(a)]

In addition, the Privacy Protection Agency can level administrative enforcement fines of $7500 per violation of the law in cases where the “business, service provider, contractor or other person has actual knowledge that the consumer is under 16 years of age.” [§ 1798.155(a)]

Note that the provisions of the CPRA relating to children under 16 years of age shall only apply to the extent not in conflict with Children’s Online Privacy Protection Act (COPPA). [Sec. 30 Savings Clause]
5 Scope Covers Employees? No, not until January 1, 2021. [§ 1798.145(h)] Specifically, “the title shall not apply to … personal information that is collected by a business about a natural person in the course of the natural person acting as … an employee” and “this subdivision shall become inoperative on January 1, 2021.” No, not until January 1, 2023. Specifically, “the title shall not apply to … personal information that is collected by a business about a natural person in the course of the natural person acting as … an employee.” Nor shall the consumer rights (right of access, deletion, etc.) “apply to personal information reflecting a written or verbal communication or a transaction between the business” and the employee. Also applies to job applicants and contractors. [§§ 1798.145(m) – (n)]
6 Scope What Information is Protected? “Personal information” (PI) means “information that identifies, relates to, describes, is reasonably capable of being associated with …”a particular consumer or household. It then lists specific examples such as:
(1) Identifiers such as a real name, alias, postal address, unique personal identifier (which can include a device), IP address, email address, account name, social security number, driver’s license number, and passport number;
(2) Commercial information, including records of personal property, products or services purchased, or other purchasing or consuming histories or tendencies;
(3) Biometrics;
(4) Internet or other network activity information (e.g. browsing history);
(5) Geolocation data;
(6) Audio, electronic, visual, thermal, olfactory, or similar information;
(7) Professional or employment-related information;
(8) Education information as defined in FERPA; and
(9) Inferences drawn from any of the information above

It does not include publicly available information or information that is deidentified. Nor does it apply to data already covered by federal privacy laws such as HIPAA, GLBA, FCRA and GLBA. [§§ 1798.140(o) and 1798.145(c)-(f).]
“Personal information” (PI) means “information that identifies, relates to, describes, is reasonably capable of being associated with …”a particular consumer or household. It then lists specific examples such as:
(1) Identifiers such as a real name, alias, postal address, unique personal identifier (which can include a device), IP address, email address, account name, social security number, driver’s license number, and passport number;
(2) Commercial information, including records of personal property, products or services purchased, or other purchasing or consuming histories or tendencies;
(3) Biometrics;
(4) Internet or other network activity information (e.g. browsing history);
(5) Geolocation data;
(6) Audio, electronic, visual, thermal, olfactory, or similar information;
(7) Professional or employment-related information;
(8) Education information as defined in FERPA;
(9) Inferences drawn from any of the information above; and
(10) Sensitive personal information (definition below)

It does not include publicly available information, data that is lawfully obtained and truthful and a matter of public concern, and data that is “lawfully made available to the public by the consumer or from widely distributed media.” Does not apply to information that is deidentified. Nor does it apply to data already covered by federal privacy laws such as HIPAA, GLBA, FCRA and GLBA. [§§ 1798.140(v) and 1798.145(c)-(f)]
7 Scope Additional Restrictions on Sensitive Data? N/A Yes. “Sensitive Personal Information” (SPI) includes a consumer’s:
(1) social security, driver’s license, state ID card, or passport number;
(2) account log-in (including access code and password), financial account, debit card, or credit card number
(3) precise geolocation;
(4) racial or ethnic origin, religious or philosophical beliefs, or union membership — ala the GDPR;
(5) mail, email and text messages, unless the business is the intended recipient of the communication;
(6) genetic and biometric data;
(7) personal information collected and analyzed concerning a consumer’s health;
(8) personal information collected and analyzed concerning a consumer’s sex life or sexual orientation. [§ 1798.140(ae)]

Businesses must inform consumers that they are collecting SPI, the purposes for collection, and whether SPI will be sold and shared as well as the length of time this data will be stored. Businesses cannot collect additional SPI for additional purposes that are incompatible with the disclosed purpose, and cannot store SPI beyond the expressed length of time. [§ 1798.100(a)] A consumer shall have the right at any time to limit the use of their SPI. [§ 1798.121(a)] A business must also either put on its homepage a clear link titled “Limit the Use of My SPI” or support an opt-out signal. As SPI is personal information, a consumer can also request that the business does not sell or share SPI, [§ 1798.135 (a)] as well respect the consumer’s rights re: personal information (right to access, delete, rectify, etc.).
8 Scope Exemptions? There are several exemptions for both businesses and types of personal data collected.
For businesses:
(1) Businesses that are non-profits and/or small businesses under $25m and/or don’t collect the requisite amount of personal data (per “Who is Regulated?” above) [§ 1798.140(c)]
(2) Businesses should not be restricted in order to comply with civil, criminal or regulatory inquiry and/or a subpoena/summons by a government authority [§ 1798.145(a)]
For types of personal data:
(1) Personal data subject to sector-specific federal and/or state privacy laws such as GLBA, HIPAA, California’s Confidential Medical Information (CMI) Act [§ 1798.145(c)-(f)]
(2) Personal data involving ownership of motor vehicles (e.g. such as information collected for recalls) [§ 1798.145(g)]
(3) Personal data involving job applicants, employees, contractors and owner/directors of businesses til January 1, 2021 [§ 1798.145(h)]
(4) Personal data that is deidentified or aggregate data [§ 1798.145(a)]
(5) Personal data collected as part of a clinical trial [§ 1798.145(c)]
(6) Personal data collected outside of California involving non-California residents [§ 1798.145(a)]
There are several exemptions for both businesses and types of personal data collected.
For businesses:
(1) Businesses that are non-profits and/or small businesses under $25m and/or don’t collect the requisite amount of personal data (per “Who is Regulated?” above) [§ 1798.140(d)]
(2) Businesses should not be restricted in order to comply with civil, criminal or regulatory inquiry and/or a subpoena/summons by a government authority [§ 1798.145(a)]
For types of personal data:
(1) Usage of personal data in emergency situations [§ 1798.145(a)]
(2) Personal data subject to sector-specific federal and/or state privacy laws such as GLBA, HIPAA, California’s Confidential Medical Information (CMI) Act [§§ 1798.145(c)-(f)]
(3) Personal data involving ownership of motor vehicles (e.g. such as information collected for recalls) [§ 1798.145(g)]
(4) Personal data involving job applicants, employees, contractors and owner/directors of businesses til January 1, 2021 [§ 1798.145(m)]
(5) Personal data that is deidentified or aggregate data [§ 1798.145(a)]
(6) Personal data collected as part of a clinical trial [§ 1798.145(c)]
(7) Personal data collected outside of California involving non-California residents [§ 1798.145(a)]
(8) Personal data involving grades, educational scores and educational test results [§ 1798.145(q)]
(9) Personal data such as a photograph in a yearbook if consent given [§ 1798.145(r)]
9 Scope Lawful Bases to Process Personal Data? No. The US Constitution’s 1st Amendment in general lets a business collect data that it wants to (see Sorrell v. IMS Health Inc.). But the CCPA requires that a business disclose what categories and the purpose for which they are collecting personal information (see Right to be Informed below), so as long as the consumer is informed and they don’t opt out (or opt-in in the case of minors), the business can collect. But note that Section 5(a) of the FTC Act provides that “unfair or deceptive acts or practices in or affecting commerce . . . are . . . declared unlawful.” 15 U.S.C. Sec. 45(a)(1). No. The US Constitution’s 1st Amendment in general lets a business collect data that it wants to (see Sorrell v. IMS Health Inc.). But the CRPA requires that a business disclose what categories and the purpose for which they are collecting personal information (see Right to be Informed below), so as long as the consumer is informed and they don’t opt out (or opt-in in the case of minors), the business can collect. CRPA also requires businesses to retain personal information for no longer than necessary. But note that Section 5(a) of the FTC Act provides that “unfair or deceptive acts or practices in or affecting commerce . . . are . . . declared unlawful.” 15 U.S.C. Sec. 45(a)(1).
10 Scope Law is Protected from Watering Down? N/A. Yes. The CPRA may be amended after its approval by the voters by a statute that is passed by a vote of a majority of the members of each house of the Legislature and signed by the Governor, provided that such amendments are “consistent with and further the purpose and intent” of the CPRA.
11 Individual Rights Right to be Informed (aka Right to Know or Right to be Notified) “A business that collects a consumer’s personal information shall, at or before the point of collection, inform consumers as to the categories of personal information to be collected and the purposes for which the categories of personal information shall be used. A business shall not collect additional categories of personal information or use personal information collected for additional purposes without providing the consumer with notice consistent with this section.” [§ 1798.100(b)] Furthermore, businesses must also inform consumers what rights the consumer has vis a vis the personal data, e.g. consumers need to be told they also have the right to request deletion of their personal data. [§ 1798.105(b)] A business that “controls the collection” of PI and/or SPI shall, “at or before the point of collection,” inform the consumer the categories and purposes of PI and/or SPI “that are collected or used and whether such information is sold or shared.” PI and/or SPI shall not be collected for additional purposes that incompatible with the disclosed purpose for which that information is collected. The business needs to also inform of the length of time of the collection of that information. [§ 1798.100(a)] Furthermore, businesses must also inform consumers what rights the consumer has vis a vis the personal data, e.g. consumers need to be told they also have the right to request deletion of their personal data. [§ 1798.105(b)] Besides having the right to know what personal information is sold and shared, consumers have the right to know to whom. [§ 1798.115(b)]
12 Individual Rights Right to Access “A consumer shall have the right to request that a business that collects a consumer’s personal information disclose to that consumer the categories and specific pieces of personal information the business has collected.” [§ 1798.100(a)] This includes any third-parties the business has shared the personal data with. And that the business shall provide that information once they verified the consumer request. [§ 1798.100(c)] Furthermore, a business shall “promptly take steps to disclose and deliver, free of charge to the consumer, the personal information.” But “a business may provide personal information to a consumer at any time, but shall not be required to provide personal information to a consumer more than twice in a 12-month period.” [§ 1798.100(d)] “A consumer shall have the right to request that a business that collects a consumer’s personal information disclose to that consumer the categories” and “specific pieces of personal information the business it has collected.” [§ 1798.110(a)] This includes any third-parties the business has shared the personal data with. And that the business shall provide that information once they verified the consumer request. Furthermore, a business shall “disclose and deliver the required information to a consumer free of charge to the consumer” within a 45 day period of receiving a verifiable consumer request. The disclosure “shall cover the 12-month period preceding the business’s receipt of the verifiable consumer request,” and any right beyond the 12-month period “shall only apply to personal information collected on or after January 1, 2022.” [§ 1798.130(a)] A business “shall not be required to provide personal information to a consumer more than twice in a 12-month period.” [§ 1798.130(b)]
13 Individual Rights Right to Correct (aka Right to Rectification) N/A “A consumer shall have the right to request a business that maintains inaccurate personal information about the consumer correct such inaccurate personal information.” [§ 1798.106(a)]
14 Individual Rights Right to Delete (aka Right to Erasure or Right to be Forgotten) “A consumer shall have the right to request that a business delete any personal information about the consumer which the business has collected from the consumer.” [§ 1798.105(a)] The business must also direct any service providers that the business utilizes to also delete the consumer’s personal information from their records. [§ 1798.105(c)] There are 9 exceptions in [§ 1798.105(d)] including performing the contractual obligations that exist between business and consumer, for security purposes, debugging, the exercise of free speech, and engage in research in the public interest. “A consumer shall have the right to request that a business delete any personal information about the consumer which the business has collected from the consumer.” [§ 1798.105(a)] The business must also notify any service providers or contractors, as well as to “notify all third parties to whom the business has sold or shared that information,” to also delete the consumer’s personal information from their records. A service provider or contractor is not required to fulfill a deletion requested submitted directly by the consumer. [§ 1798.105(c)] There are 8 exceptions in [§ 1798.105(d)] including performing the contractual obligations that exist between business and consumer, help insure security and integrity, debugging, the exercise of free speech, and engage in research that conforms to applicable ethics and privacy laws.
15 Individual Rights Right to Restrict Processing N/A, with exception of the right to opt-out of the selling of personal information (see below). N/A, with exception of the right to opt-out of the selling and sharing of personal information and also the limiting use of sensitive personal information (see below).
16 Individual Rights Right to Data Portability Once a consumer requests access to their personal data from a business, and that request is verified, the “information shall be in a portable and, to the extent technically feasible, readily useable format that allows the consumer to transmit the information to another entity without hindrance.” [§ 1798.100(d)] As part of a consumer’s Right to Access, a business shall “provide the specific pieces of personal information obtained from the consumer in a format that is easily understandable to the average consumer, and to the extent technically feasible, in a structured, commonly used, machine-readable format, which also may be transmitted to another entity at the consumer’s request without hindrance.” [§ 1798.130 (a)]
17 Individual Rights Right to Object to Processing N/A, with exception of the right to opt-out of the selling of personal information (see below). N/A, with exception of the right to opt-out of the selling and sharing of personal information and also the limiting use of sensitive personal information (see below).
18 Individual Rights Right to “Opt Out” of Sale and Sharing of Personal Information (aka Right to Say No) “A consumer shall have the right, at any time, to direct a business that sells personal information about the consumer to third parties not to sell the consumer’s personal information. This right may be referred to as the right to opt-out.” [§ 1798.120(a)] “A consumer shall have the right, at any time, to direct a business that sells or shares personal information about the consumer to third parties not to sell or share the consumer’s personal information. This right may be referred to as the right to opt-out of sale or sharing.” [§ 1798.120(a)]
19 Individual Rights Right to Limit Use of Sensitive Personal Information (including Precise Geolocation) N/A “A consumer shall have the right, at any time, to direct a business that collects sensitive personal information about the consumer to limit its use of the consumer’s sensitive personal information to that use which is necessary to perform the services or provide the goods reasonably expected by an average consumer who requests such goods or services.” [§ 1798.121 (a)] Recall that sensitive personal information includes precise geolocation.
20 Individual Rights Right to Reject Automated Decision Making and Profiling N/A The CPRA leaves the possibility of this right being issued as a regulation by the Privacy Protection Agency. [§ 1798.185 (a)]
21

Individual Rights

Right of No Retaliation (aka Right to not be Discriminated Against)

The CCPA states that a consumer who exercises the right of access or any of their other individual rights cannot be discriminated against for doing so. Examples include (directly quoted from [§ 1798.125(a)]):
(1) Denying goods or services to the consumer.
(2) Charging different prices or rates for goods or services, including through the use of discounts or other benefits or imposing penalties.
(3) Providing a different level or quality of goods or services to the consumer.
(4) Suggesting that the consumer will receive a different price or rate for goods or services or a different level or quality of goods or services.

The CPRA retains this provision, with the same four examples in [§ 1798.125(a)], and specifically states that this right “does not prohibit a business from offering loyalty, rewards, premium features, discounts, or club card programs.”
22

Obligations

Privacy Policy Disclosure

A business that collects a consumer’s personal information shall “disclose to that consumer the categories and specific pieces of personal information the business has collected.” This needs to be done “at or before the point of collection.” [§§ 1798.100(a)-(b)] A business must also disclose the consumer’s rights, e.g. “the consumer’s rights to request the deletion of the consumer’s personal information.” [§ 1798.105(a)] Privacy policies must be updated “at least once every 12 months.” [§ 1798.130(a)]

A business that “controls the collection” of PI and/or SPI shall, “at or before the point of collection,” inform the consumer of the categories of PI and/or SPI collected and the purposes for which they “are collected or used and whether such information is sold or shared.” PI and/or SPI shall not be collected for additional purposes that are incompatible with the disclosed purpose for which the information was collected. The business must also inform the consumer of the length of time it intends to retain each category of that information. [§ 1798.100(a)] Furthermore, businesses must inform consumers of the rights they have vis-à-vis their personal data, e.g. consumers must be told of their right to request deletion of their personal data. [§ 1798.105(b)] Businesses must also tell consumers not only what personal information is sold and shared, but to whom. [§ 1798.115(b)]
23

Obligations

Data Protection by Design and Default

N/A, with the exception that a business must identify what data is personal in the design of its systems and apps so as to provide proper notification.

A business shall not collect additional categories of PI and/or SPI, or use them for additional purposes, that are “incompatible with the disclosed purpose for which the personal information was collected, without providing the consumer with notice.” [§ 1798.100(a)] A business must therefore design its systems and apps to identify not only what data is personal but also what is sensitive personal information. A business shall not retain this data “for longer than is reasonably necessary for that disclosed purpose” (i.e. the principle of storage limitation). Furthermore, the “business’s collection … of a consumer’s personal information shall be reasonably necessary and proportionate to achieve the purposes for which the personal information was collected or processed” (i.e. data and purpose minimization, aka the principle of proportionality). [§ 1798.100(c)] Finally, a business must also “implement reasonable security procedures and practices appropriate to the nature of the personal information to protect the personal information.” [§ 1798.100(e)]
24

Obligations

Written Contracts with Processors / Service Providers / Contractors / Third Parties

A contract with a service provider is implied by the definition of “service provider”: an entity that “processes information on behalf of a business and to which the business discloses a consumer’s personal information for a business purpose pursuant to a written contract, provided that the contract prohibits the entity receiving the information from retaining, using, or disclosing the personal information for any purpose other than for the specific purpose of performing the services specified in the contract for the business.” [§ 1798.140(v)]

“A business that collects a consumer’s personal information and that sells that personal information to, or shares it with, a third party or that discloses it to a service provider or contractor for a business purpose shall enter into an agreement with such third party, service provider, or contractor.” The contract must specify that the PI used, sold or shared is only for a limited and specified purpose, and those entities must also comply with the CPRA’s obligations regarding the protection of PI and the rights of consumers over their PI. [§ 1798.100(d)]

The definitions of contractor and service provider also provide that the contract may grant the business the right to monitor “compliance with the contract through measures including, but not limited to, ongoing manual reviews and automated scans, and regular assessments, audits, or other technical and operational testing at least once every twelve (12) months.” [§ 1798.140(ag)] Furthermore, both service providers and contractors must assist businesses in complying with the CCPA, e.g. with verified consumer deletion requests [§ 1798.105(c)]. But “a service provider or contractor shall not be required to comply with a deletion request submitted by the consumer directly to the service provider or contractor.”

A contractor or service provider that engages another entity to assist in the processing of a business’s personal information must “notify the business of such engagement.” [§ 1798.140(ag)]
25

Obligations

Maintain Records of Processing Activities

No explicit obligation. The proposed CCPA regulations drafted as of March 2020 do assume there will be some documentation of consumer requests regarding their personal information.

The Privacy Protection Agency will create regulations “specifying record keeping requirements for businesses to ensure compliance with this title.” [§ 1798.199.40] It is implied that records need to be maintained of what personal information is shared with or sold to which third parties. Also, a “business may maintain a confidential record of deletion requests.” [§ 1798.105(c)] Furthermore, a business should document its security procedures and practices to be able to show that it has implemented reasonable security procedures. [§ 1798.150(a)]
26

Obligations

Respond to Rights Requests

A business must respond to a “verifiable consumer request.” [§ 1798.140(y)] The proposed CCPA regulations document how these requests should be logged. Furthermore, a business must “disclose and deliver the required information to a consumer free of charge within 45 days” and can extend the 45 days once. [§ 1798.130(a)] This information must be provided “free of charge to the consumer,” but a business “shall not be required to provide personal information to a consumer more than twice in a 12-month period.” [§ 1798.100(c)] Businesses must also respond to other rights requests (e.g. deletion, do not sell, etc.) without such limitations. [§§ 1798.105(c), 1798.120(d)]

A business must respond to a “verifiable consumer request.” [§ 1798.140(ak)] Furthermore, a business must “disclose and deliver the required information to a consumer free of charge within 45 days” and can extend the 45 days once. [§ 1798.130(a)] This information must be provided “free of charge to the consumer,” but a business “shall not be required to provide personal information to a consumer more than twice in a 12-month period.” [§ 1798.130(a)] Businesses must also respond to other rights requests (e.g. deletion, do not sell or share, etc.) without such limitations. [§§ 1798.105(c), 1798.120(d)]
27

Obligations

New Homepage Links Required (e.g. do not sell/share personal information, limit use of sensitive personal information)

A business must “provide a clear and conspicuous link on the business’s Internet homepage, titled ‘Do Not Sell My Personal Information,’ to an Internet Web page that enables a consumer, or a person authorized by the consumer, to opt-out of the sale of the consumer’s personal information. A business shall not require a consumer to create an account in order to direct the business not to sell the consumer’s personal information.” [§ 1798.135(a)]

A business must provide a clear and conspicuous link on its Internet homepage titled “Do Not Sell or Share My Personal Information,” as well as a link titled “Limit the Use of My Sensitive Personal Information,” to Internet Web page(s) that enable a consumer, or a person authorized by the consumer, to opt out of the sale and sharing of the consumer’s personal information and/or to limit the use of their SPI. A business shall not require a consumer to create an account in order to direct the business not to sell or share the consumer’s personal information. [§ 1798.135(a)] A business may support on its web page and mobile application an “opt-out preference signal” that automatically indicates the consumer’s intent to opt out and/or limit usage. The technical specifications of this opt-out preference signal will be defined via regulations created by the Privacy Protection Agency. [§ 1798.135(b)]
28

Obligations

Implement Appropriate Security Measures

Not a direct obligation found in the CCPA. The private right of action section [§ 1798.150(a)] states that “any consumer whose nonencrypted and nonredacted personal information … is subject to an unauthorized access and exfiltration, theft, or disclosure as a result of the business’s violation of the duty to implement and maintain reasonable security procedures and practices appropriate to the nature of the information to protect the personal information may institute a civil action.” Furthermore, existing California law states that “a business that owns, licenses, or maintains personal information about a California resident shall implement and maintain reasonable security procedures and practices appropriate to the nature of the information, to protect the personal information from unauthorized access, destruction, use, modification, or disclosure.” [§ 1798.81.5]

“A business that collects a consumer’s personal information shall implement reasonable security procedures and practices appropriate to the nature of the personal information to protect the personal information from unauthorized or illegal access, destruction, use, modification, or disclosure.” [§ 1798.100(e)] In addition, the Privacy Protection Agency will issue regulations “requiring businesses whose processing of consumers’ personal information presents significant risk to consumers’ privacy or security, to: … perform a cybersecurity audit on an annual basis, including defining the scope of the audit and establishing a process to ensure that audits are thorough and independent.” [§ 1798.185(a)]

Furthermore, existing California law states that “a business that owns, licenses, or maintains personal information about a California resident shall implement and maintain reasonable security procedures and practices appropriate to the nature of the information, to protect the personal information from unauthorized access, destruction, use, modification, or disclosure.” [§ 1798.81.5]
29

Obligations

Security Breach Notification

N/A, but California has an existing (and separate) data breach notification law, § 1798.82.

N/A, but California has an existing (and separate) data breach notification law, § 1798.82.
30

Obligations

Data Protection Impact Analysis

N/A

The Privacy Protection Agency will issue regulations “requiring businesses whose processing of consumers’ personal information presents significant risk to consumers’ privacy or security, to: (A) perform a cybersecurity audit on an annual basis, including defining the scope of the audit and establishing a process to ensure that audits are thorough and independent” and (B) “submit to the California Privacy Protection Agency on a regular basis a risk assessment with respect to their processing of personal information.” [§ 1798.185(a)]
31

Obligations

Data Protection Officers

N/A

N/A

32

Obligations

Adhere to the Rules of Cross-Border Data Transfers

N/A

N/A
33

Enforcement

Dedicated Supervisory Authority

The CCPA did not create a dedicated agency to enforce the CCPA. The California Attorney General (AG) is tasked with adopting regulations under the CCPA with public participation. [§ 1798.185] “Any business or third party may seek the opinion of the AG for guidance on how to comply with the provisions of this title.” [§ 1798.185] The AG can bring civil actions for civil penalties (see below). Any proceeds from civil actions go into the Consumer Privacy Fund. This Fund is “created within the General Fund in the State Treasury, and is available upon appropriation by the Legislature to offset any costs incurred by the state courts in connection with actions brought to enforce this title and any costs incurred by the Attorney General in carrying out the Attorney General’s duties.” [§ 1798.160] The AG “shall not bring an enforcement action under this title until six months after the publication of the final regulations issued pursuant to this section or July 1, 2020, whichever is sooner.” [§ 1798.185]

The CPRA establishes the California Privacy Protection Agency (PPA), whose primary mission is to “protect the fundamental privacy rights of natural persons with respect to the use of their personal information” [§ 1798.199.40] and which is vested with full administrative power, authority and jurisdiction to implement and enforce the California Consumer Privacy Act. [§ 1798.199.10] The PPA has a five-member board, which appoints an executive director. [§ 1798.199.30] The PPA enforces the CPRA through administrative actions and is also tasked to “promote public awareness and understanding of the risks, rules, responsibilities, safeguards, and rights in relation to the collection, use, sale and disclosure of personal information.” [§ 1798.199.40] The PPA is funded through the Consumer Privacy Fund, with an annual appropriation of $10 million from the State’s General Fund. [§ 1798.199.95] The regulations associated with the CPRA will initially be adopted by the California Attorney General with “broad public participation” [§ 1798.185], but once the PPA is operational it will assume ownership of the regulation process. [§ 1798.199.40]
34

Enforcement

Penalties (Civil Fines)

“A business shall be in violation … if it fails to cure any alleged violation within 30 days after being notified of alleged noncompliance. Any business, service provider, or other person that violates this title shall be subject to an injunction and liable for a civil penalty of not more than two thousand five hundred dollars ($2,500) for each violation or seven thousand five hundred dollars ($7,500) for each intentional violation, which shall be assessed and recovered in a civil action brought in the name of the people of the State of California by the Attorney General.” [§ 1798.155(b)]

“Upon the sworn complaint of any person or on its own initiative,” the PPA “may investigate possible violations of this title relating to any business, service provider, contractor, or person.” [§ 1798.199.45] Alleged violators of the CPRA will be given 30 days’ notice by the PPA [§ 1798.199.50], and when the PPA “determines there is probable cause for believing this title has been violated, it shall hold a hearing to determine if a violation has or violations have occurred.” If the PPA determines a violation has occurred, it can issue a cease and desist order, as well as order an entity to “pay an administrative fine of up to two thousand five hundred dollars ($2,500) for each violation, or up to seven thousand five hundred dollars ($7,500) for each intentional violation and each violation involving the personal information of minor consumers to the Consumer Privacy Fund within the General Fund of the state.” [§ 1798.199.55] The PPA “may subpoena witnesses, compel their attendance and testimony, administer oaths and affirmations, take evidence and require by subpoena the production of any books, papers, records or other items material to the performance” of the PPA’s duties. [§ 1798.199.65]
35

Enforcement

Penalties (Private Rights of Action)

The CCPA enables a consumer’s private right of action only in the narrow context where their “nonencrypted and nonredacted personal information” was “subject to an unauthorized access and exfiltration, theft, or disclosure as a result of the business’s violation of the duty to implement and maintain reasonable security procedures and practices.” Damages may be “not less than $100 and not greater than $750 per consumer per incident or actual damages, whichever is greater.” [§ 1798.150(a)] There is no other right of action beyond a breach occurring (e.g. no private right of action if a business is not deleting information upon request). Furthermore, the “personal information” covered here is the narrower definition of personal information found in [§ 1798.81.5]. Note that “actions pursuant to this section may be brought by a consumer if, prior to initiating any action against a business for statutory damages on an individual or class-wide basis, a consumer provides a business 30 days’ written notice identifying the specific provisions of this title the consumer alleges have been or are being violated. In the event a cure is possible, if within the 30 days the business actually cures the noticed violation and provides the consumer an express written statement that the violations have been cured and that no further violations shall occur, no action for individual statutory damages or class-wide statutory damages may be initiated against the business.” [§ 1798.150(b)]

The CPRA enables a consumer’s private right of action where their “nonencrypted and nonredacted personal information,” or their “email address in combination with a password or security question and answer that would permit access to the account,” was “subject to an unauthorized access and exfiltration, theft, or disclosure as a result of the business’s violation of the duty to implement and maintain reasonable security procedures and practices.” Damages may be “not less than $100 and not greater than $750 per consumer per incident or actual damages, whichever is greater.” [§ 1798.150(a)] There is no other right of action beyond a breach occurring (e.g. no private right of action if a business is not deleting information upon request). Furthermore, the “personal information” covered here is the narrower definition of personal information found in [§ 1798.81.5]. Note that “actions pursuant to this section may be brought by a consumer if, prior to initiating any action against a business for statutory damages on an individual or class-wide basis, a consumer provides a business 30 days’ written notice identifying the specific provisions of this title the consumer alleges have been or are being violated,” but the “implementation and maintenance of reasonable security procedures and practices pursuant to Section 1798.81.5 following a breach does not constitute a cure with respect to that breach.” [§ 1798.150(b)]