The California Privacy Rights Act (CPRA) is a recent addition to the state's data protection laws that came into effect earlier this year. This legislation builds upon the California Consumer Privacy Act (CCPA), which was implemented in January 2020. Additionally, it is equally important for your business to adhere to the guidelines outlined by the General Data Protection Regulation (GDPR), a comprehensive data and privacy law applicable in the European Union (EU). If your business operates in or conducts business in California or the EU, it is crucial to ensure that you are compliant with these laws.
In this article, we will go over each law, who each law applies to, the main differences, and how you can ensure you are in compliance with the law.
California Consumer Privacy Act, (CCPA)
Went into effect: Jan. 1, 2020
The California Consumer Privacy Act, or CCPA, was passed back in 2018. This act gave consumers more rights over which personal information businesses could collect from them. It also provided regulations and guidances for businesses to follow to be in compliance with the act.
This act gave consumers the right to:
- Know which information was being collected about them and how a business was using and sharing it.
- Deleted personal information that businesses collected from them (with exceptions).
- Opt-out of having their information sold or shared.
- Non-discrimination for exercising these rights.
In short, this act allowed consumers to have more control over which information businesses could collect about them and how they could use that information.
Who This Applies To
The CCPA applies to your business if you are a for-profit business that does business in California, or you meet any of the following requirements:
- Your annual gross revenue is over $25 million.
- You buy, sell, or share the personal information of 100,000 or more California residents, households, or devices.
- You derive 50% of your annual revenue from selling California residents' personal information.
If your business meets any of these criteria, you are expected to meet the standards set in the CCPA.
California Privacy Rights Act (CPRA)
Went into effect: Jan. 1, 2023
In 2020, the California Privacy Rights Act, or CPRA, was passed, and it amended the CCPA and added a few new protections to the list. These new protections went into effect in January of 2023.
The additions allowed the consumers the right to:
- Correct inaccurate information that a business had collected from them.
- Limit the use of the information and require disclosure of sensitive information that had been collected about them.
If your business is subject to these changes, you have a responsibility to allow your consumers to exercise these rights, and to comply with these regulations by giving consumers notices about how your business is using their information.
Who This Applies To
The CPRA applies to your business if you are a for-profit business that does business in California, or you meet any of the following requirements:
- Your annual gross revenue is over $25 million.
- You buy, sell, or share the personal information of 100,000 or more California residents, households, or devices.
- You derive 50% of your annual revenue from selling California residents' personal information.
If your business meets any of these criteria, you are expected to meet the standards set in the CPRA.
General Data Protection Regulation (GDPR)
Went into effect: May 25, 2018
The General Data Protection Regulation, or GDPR, is a law passed in Europe in 2018 that provides European citizens with protection over the data that is collected about them by businesses. This law applied to all businesses that operated in the EU and to any outside businesses with operations or sales in the EU.
The GDPR offers the following protections:
- Personal data must be processed lawfully, fairly, and transparently by businesses that are collecting your data.
- Data that is collected cannot be used for any reasons that are not archiving in the public interest, scientific or historical research, or statistical purposes.
- Collected data is limited to what is necessary in relation to the business.
- Data must be accurate, up-to-date, and must be erased when no longer needed.
- Data cannot be kept longer than necessary for the purpose for which it was originally collected.
- Data must be processed in a way that allows the consumer to have complete security over their information, and unlawful use, accidental loss, or destruction/damage to the data is prohibited.
Overall, these regulations offer consumers the right to keep their data protected and safe from storage, and unlawful use, and it requires businesses to be fully transparent with how they are using consumers' personal information.
Who This Applies To
The GDPR applies to both citizens and non-citizens of the European Economic Area (EEA) and the EU. Any businesses that operate or conduct business in the EU are required to follow GDPR guidelines. It applies to all 27 countries in the EU and EEA including. but not limited to:
- Iceland
- Norway
- Liechtenstein
As of 2021, the UK is no longer a part of the EU and is not subject to the GDPR. Switzerland is also an exception to this rule because they have adopted their own privacy legislation.
Differences Between the CCPA, CPRA, and GDPR
The main difference between the CCPA, CPRA, and GDPR is the locations in which they are in effect. The CCPA and CPRA are California laws that have an effect on any business that operates within California, has California employees, or sells products and services to residents of California. The GDPR is similar, except that it is in effect for businesses and residents of the EU.
Another main distinction is that the CPRA is not a standalone law, but it is an amendment to the CCPA.
All three of these legislations have a bigger impact on businesses and residents that live or operate within California and the EU. If your business operates within these areas, you want to make sure that you are in compliance with these laws to avoid any legal troubles.
How This Affects Your Business
If your business operates in, has employees in, or sells products or services to consumers in California or the EU, your business must be in compliance with these laws. You will want to audit all of the personal data your company has collected to make sure it follows the guidelines of each law. While this will take some time, it will cover all of your bases and save you from any legal hassles in the future.
If you work with any service providers, you will also want to make sure that they are following the regulations set by each law. If your service providers aren't in compliance, it can be a huge risk for your company. Review any agreements that you have with your service providers who process data, and be sure to sign any data processing agreements.
This checklist is a good baseline to make sure that your business is in compliance with the CCPA. To ensure you are also in compliance with the GDPR, you can use this checklist provided by the EU government.
Other States With Privacy Laws
Besides California, there are several other states that also have stringent data security and privacy laws. Virginia, Connecticut, Colorado, and Utah also have laws in place to protect their consumers with eight other states following their lead.
There are also bills being proposed in Indiana, Iowa, Kentucky, Mississippi, New York, Oklahoma, Oregon, and Tennessee. However, these laws will slightly differ in how they regulate and implement data protection rights.
Check your state's rules and regulations to make sure that you are in compliance with any data laws that they have passed, and keep an eye out for any proposed bills that could affect the way your business handles data.
