IN BRIEF

CCPA vs CPRA: What’s the Difference?

Updated Jan. 23, 2023

The California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA), a ballot measure approved by California voters in November 2020, are having a profound impact on the privacy and data security landscape. As the first comprehensive consumer privacy legislation in the U.S., the CCPA and CPRA are a potential model for other states and are changing the way companies do business.

Below we provide answers to many of the most common questions about the CCPA and CPRA, covering enforcement, the rights provided to consumers, and who must comply.


What are the CCPA and CPRA?

The California Consumer Privacy Act (CCPA), signed into law on June 28, 2018, creates an array of consumer privacy rights and business obligations with regard to the collection and sale of personal information. The CCPA went into effect Jan. 1, 2020.

The California Privacy Rights Act (CPRA), also known as Proposition 24, is a ballot measure that was approved by California voters on Nov. 3, 2020. It significantly amends and expands the CCPA, and it is sometimes referred to as “CCPA 2.0.”

Compare the consumer rights provided by both the CCPA and CPRA. Explore why these two laws are having a profound impact on the privacy and data security landscape and how they’re changing the way companies do business.

Where is the CCPA codified?

The CCPA is codified at Cal. Civ. Code § 1798.100 et seq.

Are there accompanying regulations?

Yes, the regulations are found at 11 CCR §§ 7000 et seq. The CCPA authorizes the California Attorney General to adopt regulations pursuant to Cal. Civ. Code § 1798.185.

When did the CPRA take effect?

The CPRA took effect on Dec. 16, 2020, but most of the provisions revising the CCPA didn’t become “operative” until Jan. 1, 2023.

Does the CPRA replace the CCPA?

Not exactly. The CPRA is more accurately described as an amendment of the CCPA. The CPRA specifically states that it “amends” existing provisions of Title 1.81.5 of the California Civil Code (currently known as the CCPA) and “adds” new provisions (related to the establishment of the California Privacy Protection Agency).


Who enforces the CCPA and CPRA?

The CCPA vests the California Attorney General with enforcement authority. Although the CPRA grants the California Privacy Protection Agency “full administrative power, authority, and jurisdiction to implement and enforce” the CCPA, the Attorney General still retains enforcement powers. Cal. Civ. Code § 1798.199.90 provides that the California Privacy Protection Agency “may not limit the authority of the Attorney General to enforce this title.”

When will enforcement of the CPRA begin?

Enforcement of the CPRA will not begin until July 1, 2023, and enforcement will apply only to violations occurring on or after that date. It should be noted, however, that the CCPA’s provisions remain in effect and enforceable until that date. The first enforcement action of the CCPA was announced in August 2022.

What is the California Privacy Protection Agency?

The California Privacy Protection Agency is a new agency, created by the CPRA, which is vested with “full administrative power, authority, and jurisdiction to implement and enforce” the CCPA.

When does the California Privacy Protection Agency assume rulemaking authority?

The CPRA transferred rulemaking authority from the California Attorney General to the California Privacy Protection Agency effective April 21, 2022. Final CPRA regulations were originally due by July 1, 2022, but that deadline was extended. The formal rulemaking process has continued into 2023.

What rights are granted to consumers?

Who is a ‘consumer’?

A consumer is a natural person who is a California resident, as defined in the state’s tax regulations.

What rights do consumers have?

The CCPA creates six specific rights for consumers:

1. the right to know (request disclosure of) personal information collected by the business about the consumer, from whom it was collected, why it was collected, and, if sold, to whom;

2. the right to delete personal information collected from the consumer;

3. the right to opt-out of the sale of personal information (if applicable);

4. the right to opt-in to the sale of personal information of consumers under the age of 16 (if applicable);

5. the right to non-discriminatory treatment for exercising any rights; and

6. the right to initiate a private cause of action for data breaches.

The CPRA creates two additional rights:

7. the right to correct inaccurate personal information; and

8. the right to limit use and disclosure of sensitive personal information.

What is a consumer’s ‘personal information’?

The CCPA defines “personal information” as information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.

What is a consumer’s ‘sensitive personal information’?

Sensitive personal information (SPI) is a subset of personal information newly defined in the CPRA. SPI is personal information that reveals:

  • a consumer’s social security, driver’s license, state identification card, or passport number
  • a consumer’s account log-in, financial account, debit card, or credit card number in combination with any required security or access code, password, or credentials allowing access to an account
  • a consumer’s precise geolocation
  • a consumer’s racial or ethnic origin, religious or philosophical beliefs, or union membership
  • the contents of a consumer’s mail, email and text messages, unless the business is the intended recipient of the communication
  • a consumer’s genetic data


What constitutes a ‘sale’ of personal information?

The CCPA defines a “sale” as selling, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means, a consumer’s personal information by the business to another business or a third party for monetary or other valuable consideration.

What does ‘sharing’ personal information mean?

The CPRA defines “sharing” as renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means, a consumer’s personal information by the business to a third party for cross-context behavioral advertising, whether or not for monetary or other valuable consideration, including transactions between a business and a third party for cross-context behavioral advertising for the benefit of a business in which no money is exchanged.



Who must comply with the CCPA and CPRA?

The CCPA imposes obligations on businesses, service providers, and third parties. The CPRA adds a fourth category: contractors.

Compliance for businesses

How is a ‘business’ defined?

The CPRA defines a “business” as:

  • a for-profit legal entity:
    • that collects consumers’ personal information on its own or by others on its behalf
    • that alone or jointly with others determines the purposes and means of the processing
    • that “does business” in California
    • and satisfies at least one of the following thresholds:

i. has annual gross revenues in excess of $25 million

ii. annually buys, receives, sells, or shares the personal information of 100,000 or more consumers or households

iii. derives 50% or more of its annual revenues from selling consumers’ personal information

What are the principal obligations of a business?

A business must:

  • provide notice of consumer rights
  • honor consumer rights
  • fulfill disclosure and retention obligations
  • facilitate consumer requests
  • implement security safeguards

Compliance for service providers

How is ‘service provider’ defined?

A “service provider” is an entity that receives personal information from or on behalf of a business and processes that personal information on behalf of a business pursuant to a written contract that prohibits any retention, use, or disclosure of the personal information other than as specified in the contract.

What are the principal obligations of a service provider?

A service provider must:

  • use personal information only to perform services on behalf of a business as specified in a contract
  • comply with the terms of that contract
  • implement security safeguards
  • not combine personal information received from a given business with any personal information received from others
  • notify the business of its use of subcontractors, and those subcontractors must be contractually bound to the same terms as the service provider

Compliance for contractors

How is ‘contractor’ defined?

Newly defined in the CPRA, a contractor is akin to a service provider, inasmuch as it is bound by the terms of a written contract that sets forth certain restrictions and prohibitions on the use of personal information. Unlike a service provider, however, the contractor’s contract includes a “certification” by the contractor that it understands all of those restrictions and prohibitions and that it will comply with them.

What are the principal obligations of a contractor?

A contractor must:

  • use personal information only to perform services on behalf of a business as specified in a contract
  • comply with the terms of the contract
  • implement security safeguards
  • not combine personal information received from a given business with any personal information received from others
  • notify the business of its use of subcontractors, and those subcontractors must be contractually bound to the same terms as the contractor

Compliance for third parties

How is ‘third party’ defined?

The CCPA defines a third party as a legal entity that does not meet the characteristics of a service provider or contractor and that receives personal information from the business.

What are the obligations of a third party?

A third party must:

  • use personal information consistent with promises made at receipt
  • provide consumers notice of any new or changed practices
  • provide consumers with explicit notice of any additional sales of personal information and provide consumers with the opportunity to opt out

What are the consequences for non-compliance?

The CCPA provides for the following options for imposing liability in the event of non-compliance:

  • Civil Penalties – In actions by the California Attorney General, businesses can face penalties of up to $7,500 per intentional violation or $2,500 per unintentional violation (but there is an opportunity to cure any alleged violation within 30 days after receiving notice of the alleged violation)
  • Damages – In actions brought by consumers for security breach violations, consumers may recover statutory damages not less than $100 and not greater than $750 per consumer per incident or actual damages, whichever is greater. In actions for statutory damages, consumers must first provide businesses with written notice and an opportunity to cure
  • Non-Monetary Relief – In actions brought by consumers for security breach violations, consumers may seek injunctive or declaratory relief, as well as any other relief the court deems proper
  • Businesses may also be subject to an injunction in actions brought by the Attorney General
