From CCPA to CPRA: What to Know About the California Privacy Law

The new California Privacy Rights Act (CPRA, often called CCPA 2.0) is one of the most comprehensive privacy laws to date, and its reach extends well beyond California's state lines.

The CPRA amends and expands the original California Consumer Privacy Act (CCPA, A.B. 375). It also brings more regulatory oversight, backed by costly fines for non-compliance.

The CPRA becomes operative on January 1, 2023, and enforcement begins on July 1, 2023. Its new requirements apply to personal information collected on or after January 1, 2022, so data you are collecting today already falls within its look-back window.

Any association that collects, stores, or uses personal data should pay attention to California's new privacy law, as well as to the other regulatory regimes around the world that it increasingly resembles. Today, I'll explain exactly what the change means for you.

Let's jump in.

What Is the New Privacy Law in California?

The California Privacy Rights Act is landmark privacy legislation that closes loopholes in the California Consumer Privacy Act and adds stricter data processing, consent, and disclosure requirements.

According to the State of California Department of Justice, the CCPA gives "California consumers" the following individual privacy rights, which the CPRA keeps and builds on:

The right to know about the personal information a business collects about them and how it is used and shared;

The right to delete personal information collected from them (with some exceptions);

The right to opt out of the sale (and, under the CPRA, the sharing) of their personal information; and

The right to non-discrimination for exercising their CCPA rights.

On top of these, the CPRA adds the right to correct inaccurate personal information and the right to limit a business's use and disclosure of sensitive personal information.

In essence, the California privacy law requires you to tell users how their personal information is collected and shared, make it easy to opt out of having that data sold or shared with third parties, and ensure previously collected data can be accessed, corrected, and (with some exceptions) deleted on request.

The California privacy law defines personal information broadly. It covers all "information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household."

In other words, personal information under the new California privacy law includes:

  1. personally identifiable information (PII) that points directly at one person, and
  2. data that does not identify an individual on its own but can reasonably be linked to a consumer or household (for example, household-level data tied to a shared address or device).

The CPRA also introduces a new category, sensitive personal information (SPI), which covers data such as financial account details, precise geolocation, and government identifiers. This category is subject to stricter rules: consumers can direct a business to limit how it uses and discloses their SPI.

Another noteworthy change is the newly established government agency for CCPA and CPRA enforcement, the California Privacy Protection Agency (CPPA). The CPPA's enforcement authority takes effect on July 1, 2023, six months after the CPRA becomes operative.

What Does the California Privacy Law Mean for Your Association?

What's the impact of the CPRA on associations? The law technically protects California residents, but it has much broader implications for any organization that collects personal information.

Whether your association deliberately targets members in California matters less than you might think. Here's why:

  • Most major associations, businesses, and organizations have members, clients, or web visitors in California, whether or not they set out to.
  • The CPRA makes organizations responsible for how the third parties, service providers, and contractors they hand data to use, share, or sell that personal information.
  • Sooner or later, similar legislation is coming to your state, and preparing now can save you numerous headaches later.

So even if your organization isn't physically located within California, the CPRA likely still applies to your website, as well as to any other system or application you run that gathers personal data.

Sensitive personal information such as financial account details is also at stake. It's no wonder the public is demanding higher standards, more transparency, and tighter control over their own data. If data breaches happen to large corporations with dedicated security teams, how exposed are local businesses and associations?

To maintain compliance, you can either align your global data protection practices with the CPRA or run two separate systems: one for California and one for the rest of the world. Given the cost and impracticality of maintaining dual policies, every association that collects personal data should implement CPRA-grade practices that satisfy international privacy laws as well.

For example, update your consent processes and disclosure notices now, and put a visible, accessible link on your site that clearly says "Do Not Sell or Share My Personal Information" (the CPRA extends the original CCPA "Do Not Sell" link to cover sharing as well).

CCPA/CPRA vs. GDPR

The core difference between the California privacy law and the General Data Protection Regulation (GDPR) is opting out versus consent.

Under the California privacy law, a business may generally collect personal information without prior permission, but users must be able to opt out of the sale or sharing of it (and to limit the use of sensitive personal information). Under the European GDPR, processing is unlawful unless the controller has a lawful basis for it, and for many purposes that basis is the user's direct, informed consent.

The definitions of personal information also differ slightly. Under the GDPR, personal data is "any information relating to an identified or identifiable natural person ('data subject')," where a person is identifiable "directly or indirectly, in particular by reference to an identifier." In other words, GDPR personal data always relates to an individual. The California law, on the other hand, also covers information linked to a household, not just to a single person.

Another difference is who is protected. The CCPA/CPRA protects California residents, including while they are temporarily outside the state. The GDPR protects "data subjects" located in the EU, which includes tourists and non-residents, not just EU residents or citizens. A data subject is any natural person (not an organization) whose data is processed by an organization established in the EU or offering goods or services to people in the EU.

Similarities

The new CPRA California privacy law adds GDPR-like provisions to the CCPA. Both the GDPR and CCPA/CPRA regulatory regimes:

  • regulate online data and protect personal information.
  • give individuals the right to access, correct, and delete their personal data, and to restrict certain uses of it.
  • have a far-reaching, extraterritorial impact with considerable consequences for non-compliance.
  • scale obligations to the size of the business, so small organizations are not hit with the full compliance burden.
  • include a special category of sensitive personal information/data that can't be processed unless specific requirements are met.

CCPA/CPRA vs. PIPL

Are any of your members or web visitors Chinese? Do you process their personal information?

If so, another privacy framework your website may be subject to is China's Personal Information Protection Law (PIPL). Since it took effect on November 1, 2021, the PIPL has required separate consent for high-risk processing activities (for example, cross-border data transfers) involving individuals located in China, and it applies to organizations outside China that process their data.

Similarities

Both the CCPA/CPRA and the PIPL:

  • regulate online data and protect personal information.
  • give individuals the right to access, copy, correct, and delete their personal information.
  • have a broad scope with extraterritorial application and the potential for substantial fines.
  • protect California residents and individuals in China, respectively, even when the processing happens outside the relevant territory.
  • scale some obligations to the size of the organization and the volume of data it handles.
  • define personal information similarly, as information that can identify a person directly or indirectly.
  • define sensitive personal information somewhat ambiguously and subject it to additional processing requirements.
  • treat anonymized information as outside the scope of the law (although the PIPL's definition of anonymization is stricter).

Where to Go From Here

An important part of digital transformation is making sure your association handles the personal data it collects with the utmost care. This is not just about adhering to new laws; it's about earning and keeping the trust of your members. It is also about keeping pace with security best practices to prevent costly breaches.

With the effective date of the new California privacy law closer than it may seem, we recommend preparing now. Get your websites and apps compliant with the CPRA, as well as with the privacy requirements of the other countries and jurisdictions you operate in. Any plan that lacks a strict data policy, a data governance framework, or better yet a transparent privacy culture, is a plan to get caught out.

Have you taken the necessary steps for a successful digital transformation, including a stricter data collection and use policy that meets the new California privacy law's requirements? If not, it's time to make a plan.

We'd love to help your organization achieve and maintain compliance. Drop us a line here.
