CCPA & CPRA: what companies need to pay attention to now

by Liza Kruse
11 min read
8/22/24 5:08 PM

In 2020, the California Consumer Privacy Act (CCPA) was enacted to address growing concerns about the collection and sale of personal data in California. Since then, it has granted California residents various rights and set rules for companies that collect or sell personal data. However, it initially left the consequences of third-party processing of consumer data open to interpretation, which led to its amendment and expansion, known since 2023 as the California Privacy Rights Act (CPRA).

In this article, we report on these changes, what impact they have on companies in and outside California, who is affected and what to watch out for.


What do the CCPA & CPRA laws entail and what is the difference between the two?

The California Consumer Privacy Act (CCPA) came into force on January 1, 2020 and is the first comprehensive data protection law in the USA that applies specifically to the state of California. This law established the consumer protection rights of California citizens for the first time and set the first standards for the handling of personal data.

An important extension of this law is the California Privacy Rights Act (CPRA), which came into force on July 1, 2023, with retroactive effect to January 1, 2022. The CPRA tightens the requirements for companies regarding the use of personal information (PI) and ensures that this data is handled responsibly and in compliance with the law from that date. It is important to understand that the CPRA is a supplement to the CCPA rather than a replacement: it refers throughout to the CCPA legislative text, expanding, completing and adding new provisions to its regulations.

In addition to the aforementioned innovations, the CPRA also established the California Privacy Protection Agency (CPPA), a new government agency that monitors and enforces compliance with data protection statewide. The introduction of an independent data protection authority was seen as urgently necessary for the enforcement of the rights of those affected and as a counterbalance to the IT giants in Silicon Valley.

In summary, there are not really two separate data protection laws in California, but one data protection regime consisting of the combined CCPA/CPRA framework.


What innovations does the CPRA bring? 

1. The main innovations: An overview

The main changes that the CPRA makes to the CCPA are:

  • Amendment of the CCPA definitions of PI (personal information)

  • Amendment of the opt-out right to specifically regulate cross-contextual behavioral advertising and its use of personal information.

  • Creation of a new category called sensitive personal information (SPI).

  • Amending CCPA rights for California residents and adding new rights

  • Expanding the consent requirement to cover more scenarios.

  • Addition of GDPR-like requirements for businesses.

In addition, the CPRA (unlike the CCPA before it) safeguards privacy law in California in that it mandates that any changes to the law must be consistent with its purpose and intent, making it virtually impossible to water down legally.

This is one of the most significant changes, as it makes the law virtually watertight against any attempts to weaken privacy protections or loosen regulations for businesses through industry or special interest pressure.

2. What new requirements does the CPRA impose on companies?

As a general change for California, the CPRA introduces three new requirements for businesses that are closely aligned with the EU's GDPR regime:

A. Data minimization

Under California's privacy regime, as amended by the CPRA, a website or business may only collect, use and disclose personal information from Californians if it is consistent with the purpose of collection and is reasonable. In other words, you may not collect or disclose more information than is strictly necessary for the stated purpose of the collection.

B. Purpose limitation

Similarly, a website or business is not permitted to collect, use, or disclose Californians' PI for a new purpose without first disclosing it, just as it is not permitted to collect or disclose data without any stated purpose.

C. Storage Limitation

The CPRA also amends the CCPA to require a website or business to notify California residents (at the time of collection) of the retention period of each category of personal information collected, meaning that users have a right to know how long their information will be stored after collection.

3. What new rights does the CPRA define?

The CPRA provides California residents with new rights and five modified rights. The most relevant for businesses are:

  • Right to prohibit data sharing: consumers can request that companies do not sell or share their personal information (“Do not share or sell my personal information”). For sensitive personal data, explicit consent is also required (“Limit the use of my sensitive personal information”).

  • Right to correction and deletion: Citizens have the right to request the correction or deletion of their data. Companies are also obliged to ask third parties who hold this data to update or delete it.

  • Right of access: Consumers can request to see what personal data is stored and receive information on how long this data is stored (Data Subject Access Requests = DSAR).

4. New category: sensitive personal information (SPI)

The CPRA creates a new category of personal information - sensitive personal information (SPI). This includes:

  • Data relating to ethnicity and origin

  • Religious beliefs, political and philosophical convictions

  • Data on sexual life or sexual orientation

  • Genetic and biometric data

  • Health data

  • Geolocation

  • Social security number and driver's license

  • Financial information

SPI is regulated separately from normal personal information, with users having enhanced rights over the use of their SPI, including the right to have collected SPI disclosed, to opt out of the use of SPI, and to provide subsequent consent for the use of SPI where users have previously opted out. The CPRA thus sets specific standards and limits for SPI and gives consumers more control over how organizations use their personal data.

To protect SPI, the CPRA has introduced two new buttons that websites must now display prominently: “Do Not Sell Or Share My Personal Information” and “Limit The Use Of My Sensitive Personal Information”. 

5. Changing the right to opt-out: new regulation of behavioral advertising

While the CCPA defined the right to opt-out as a restriction on the use, sale and disclosure of personal information for advertising purposes in exchange for money, the CPRA creates two separate types of advertising:

  1. cross-contextual behavioral advertising and

  2. non-personalized advertising

The former is regulated by the right to opt-out, the latter is not.

Cross-contextual behavioral advertising: the right to opt-out of behavioral advertising means that California residents can ask companies to stop sharing their personal information with third parties to prevent them from being targeted with ads based on behavioral data - from their search, browsing and purchasing history, online preferences, device settings, geolocation, to the way they scroll and click on a website.

Non-personalized advertising: This is defined by the CPRA as a business purpose and is therefore exempt from any opt-out requirements.

Instead of the CCPA opt-out right for personal information in general that California residents enjoy today, the CPRA now specifies its regulations to apply only to PI used for behavioral advertising. Thus, the CPRA amends the CCPA to specifically regulate behavioral advertising that uses personal information.

6. The CPRA's new consent provisions

The CPRA also expands the CCPA's current consent requirements, which are perhaps the most GDPR-like feature of California's privacy law, to include the following:

  • Consent required for the sale or disclosure of personal information after a user has already opted out

  • Consent required for the sale or disclosure of personal information of minors

  • Consent required for the secondary use, sale or disclosure of sensitive personal information after a user has opted out

  • Consent required for exceptions in the context of research

  • Consent required to opt-in for financial incentives


A quick comparison with the GDPR

The concept of SPI is similar to Article 9 of the General Data Protection Regulation (GDPR), which requires a higher level of protection for sensitive personal data.

Nevertheless, it quickly becomes apparent that the legislative initiative is very business-friendly, because many provisions fall short of the GDPR: there is, for example, no equivalent of the data protection officer or of the GDPR's rules on transfers to third countries.

Consumers are given the option to opt out of the sale and transfer of their data, but this option is not decoupled from the right to use a service. As a result, providers of a service can stipulate that users who refuse to share their data are excluded from the service.

Furthermore, there is no regulation for the transfer of data outside of California. As a result, data transfer outside of California is not covered by the new legal provisions, meaning that companies can easily escape the regulations by using non-Californian service providers.


Who is affected by the CCPA & CPRA data protection laws?

It is important to note that the CCPA and CPRA are not only aimed at companies based in California: they apply to all businesses that process the personal data of consumers in California.

The CPRA changes the definition of “business” to exclude smaller businesses and include larger businesses that derive significant revenue from the collection, sharing and/or sale of Californians' personal information (PI).

The CCPA & CPRA therefore apply specifically to for-profit businesses that collect and maintain personal information about California residents. The following companies must comply with these laws:

  • Companies with gross annual sales of more than 25 million US dollars.

  • Businesses that derive 50% or more of their annual revenue from the sale of personal information of California residents.

  • Businesses that annually purchase, receive or sell personal information from more than 100,000 (formerly 50,000) California residents, households or devices.

These changes are expected to shift compliance from smaller companies to larger companies whose businesses rely more heavily on the collection and sharing of personal information, both in terms of scope and method (from sale-only collection to sharing).

Companies that do not meet these criteria, such as non-profit organizations, smaller companies that do not meet the turnover thresholds mentioned and those that do not process large amounts of personal data, are excluded.


What are the obligations for businesses?

The CPRA imposes new requirements on how your website allows consumers to opt out of the sale or sharing of their PI and adds a requirement on how your website allows users to exercise their right to restrict the use of their PI:

  1. Opt-out rights for consumers: on your website or app, you must ensure that consumers can prohibit the use or sale of their personal information through an “opt-out” option.

  2. Implement required buttons: The CPRA amends the CCPA's “Do Not Sell” button so that your website must include a link titled “Do Not Sell Or Share My Personal Information.”

The CPRA also creates a new, similar requirement for your website to provide a link titled “Limit The Use Of My Sensitive Personal Information,” which allows California residents to limit the use and disclosure of their SPI.

  3. Compliance with the right of access: You must ensure that consumers have the right to request access to data collection and all related processes. It is recommended to implement procedures for Data Subject Access Requests (DSARs). A DSAR is a citizen's request for access to the data stored about them by a company. It is a statutory right to privacy, and a company's response within a certain period of time is mandatory.

  4. Add-on: In addition, the CPRA encourages businesses to provide a single, clearly labeled link that makes it easy for a consumer to simultaneously object to the sale or disclosure of PI and restrict the use or disclosure of the consumer's SPI.
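To make the obligations above concrete, here is an added example of how a website's consent state could model the two required links, the single combined link, and the rule that sale or sharing needs fresh opt-in consent after an opt-out (or for a minor). It is not code from the article or from DWC; the class and function names, the tag categories and the sample tag catalogue are all this example's own assumptions.

```javascript
// Added example, not code from the article or from DWC: an assumed consent-state
// model for the two CPRA links described above (names are this example's own).
class ConsentState {
  constructor({ minor = false } = {}) {
    this.minor = minor;            // a minor's PI may not be sold/shared without consent
    this.sellShareOptOut = false;  // "Do Not Sell Or Share My Personal Information"
    this.limitSpi = false;         // "Limit The Use Of My Sensitive Personal Information"
    this.sellShareConsent = false; // affirmative opt-in: needed for a minor or after an opt-out
    this.spiConsent = false;       // affirmative opt-in for SPI use after a limit request
    this.log = [];                 // audit trail of consumer actions
  }
  record(action) { this.log.push({ action, at: new Date().toISOString() }); }
  // Exercising an opt-out clears any earlier consent, so sale/sharing can only
  // resume through a fresh affirmative act by the consumer.
  doNotSellOrShare() {
    this.sellShareOptOut = true; this.sellShareConsent = false;
    this.record('opt-out:sell-share');
  }
  limitSensitive() {
    this.limitSpi = true; this.spiConsent = false;
    this.record('limit:spi');
  }
  // The single combined link the CPRA encourages: both rights in one action.
  optOutOfBoth() { this.doNotSellOrShare(); this.limitSensitive(); }
  consentToSellShare() { this.sellShareConsent = true; this.record('consent:sell-share'); }
  consentToSpiUse() { this.spiConsent = true; this.record('consent:spi'); }
  // Gate checks a tag manager should call before loading third-party scripts.
  mayShareForBehavioralAds() {
    return (this.minor || this.sellShareOptOut) ? this.sellShareConsent : true;
  }
  mayUseSpiForSecondaryPurpose() {
    return this.limitSpi ? this.spiConsent : true;
  }
}

// Reduce a tag catalogue to the ids allowed to load for this consumer.
// Non-personalized ads are a business purpose and not subject to the opt-out;
// unknown tag categories default closed.
function permittedTags(state, tags) {
  return tags.filter((t) => {
    switch (t.kind) {
      case 'essential':
      case 'non-personalized-ads': return true;
      case 'cross-context-behavioral-ads': return state.mayShareForBehavioralAds();
      case 'spi-secondary-use': return state.mayUseSpiForSecondaryPurpose();
      default: return false;
    }
  }).map((t) => t.id);
}
```

The `log` array is the record a business would keep to show, on a DSAR or regulator request, when each opt-out or consent was exercised.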


How do I achieve CCPA/CPRA compliance?

According to the latest CCPA/CPRA regulations, every company must have an updated and transparent privacy policy, which can be understood as a full website disclosure. Since it is one of the most important documents on any website, it is crucial that you know how to implement a proper privacy policy on your website.

Compliance can be enabled by taking the following steps to keep website visitors informed in a transparent and legally compliant manner:

  1. Educate website visitors about their rights.

  2. Implement a Consent Management Platform (CMP) to allow users to easily opt-out of cookies and tracking.

  3. Provide clearly visible access to all information collected about the respective user.

  4. Actively refer to the “right to erasure”.

  5. Reference the right to non-discrimination if a website visitor has chosen to exercise their rights under the CCPA.

  6. Provide a phone number or contact option for website visitors to request access and deletion of data.

  7. List all types of information you collect as a website provider.

  8. List all categories of personal data that your company has “sold” in the last 12 months.

  9. List all categories of personal information that your company has “shared for business purposes” in the last 12 months.

  10. A link to your “Do Not Sell My Personal Information” page must be included in the privacy policy.


What are the consequences for companies that fail to comply with the CCPA/CPRA?

Those who fail to comply with data protection laws in a timely manner may face the following consequences:

  • Fines and penalties: companies that willfully violate the regulations can face fines of up to USD 7,500 per violation. For negligent violations, the fines can be up to USD 2,500 per violation. In addition, affected consumers have the right to bring civil actions, which can result in penalties of between USD 100 and USD 750 per incident.

  • Reputational damage and loss of trust: Data breaches and non-compliance with legal requirements can significantly damage a company's reputation. Such a loss of trust among consumers and other stakeholders can have a lasting negative impact on business and customer relationships.

  • Regulatory intervention: The California Privacy Protection Agency (CPPA) has the authority to initiate investigations against companies and take further regulatory action to ensure compliance with the law. In serious cases, the processing of personal data may even be prohibited.

It is therefore worth investing in data protection measures in good time, as further requirements could be added to the law in the future.


CCPA & CPRA compliance through a Consent Management Platform (CMP)

To comply with CCPA and CPRA requirements, effective consent management is essential. A centralized solution, such as a Consent Management Platform (CMP), makes this process much easier. A CMP, also known as a cookie banner, not only helps you comply with legal requirements, but also builds trust with your customers through transparent and easily accessible privacy practices.

Your advantages with a Consent Management Platform (CMP):

  • Centralized consent management: using a CMP makes it possible to manage all data protection requirements clearly in one place. This helps to maintain an overview and ensure that all processes are compliant.

  • Automated processing of data protection requests: With a CMP, you can efficiently process data protection requests from your customers. Automating this process makes fulfilling Data Subject Access Requests (DSARs) easier and less error-prone.

  • Analyze consumer behavior and improve consent rates: A CMP provides the ability to monitor and analyze consumer requests and behavior. Based on these insights, you can make targeted improvements to increase the opt-in rate. This is crucial in order to continue collecting valuable data for marketing purposes and data analysis.


Choose DWC for your CCPA/CPRA compliance and generate valuable insights despite strict data protection requirements

With the CPRA's additions to the CCPA, organizations need to ensure they are prepared to comply with the new and expanded consumer privacy rights. They need to put robust systems and controls in place so that they are able to respond quickly to customer requests. To prepare for CPRA compliance, many businesses may need to make major changes to their existing security and privacy measures, hire additional staff or engage third-party services.

We are happy to help you achieve CCPA/CPRA compliance. To do so, we offer a free initial consultation and review the steps you need to take.

Our company specializes in the field of data protection, particularly consent management, and has been helping companies worldwide implement various data protection laws, including the CCPA, since the introduction of the first data protection laws such as the GDPR. However, our expertise extends far beyond mere compliance.

We are also pioneers in optimizing tracking systems through server-side tagging, a technique that is becoming particularly important as stricter privacy laws often mean less data is available and consent rates can drop.