As data privacy continues to be hotly debated the world over, and as countries bring in a steady stream of new legislation to counter the threat of data breaches and unauthorized targeting, the state of California in the USA is in the process of implementing the CPRA, which promises to introduce several new aspects to the field of data privacy and data protection.
But California already had a data privacy bill, right? Well, yes. The CCPA, or the California Consumer Privacy Act, was passed in 2018, and was the first of its kind in the United States of America. It brought in sweeping sanctions and restrictions on the manner in which data was collected and processed. It also allowed for penalties against violations.
Being one of the forerunners in this field, California decided to update the provisions of the act, and introduced the CPRA. The California Privacy Rights Act was passed by the state legislature and was implemented in late 2020, but in practice, most of the provisions of this act wouldn’t be enforced until early 2023.
Now, let us take a look at some of the factors that differentiate the CPRA from the CCPA, before moving on to the exemptions that were revoked by the implementation of the CPRA.
The differentiating factors.
Several factors differentiate the CPRA from the CCPA, and a brief overview of them follows.
- The CPRA redefined the criteria that an entity must meet to qualify as a business. It specifies that an entity, in order to qualify as a business, must be a legal entity that operates with a profit motive, collects consumer data in the state of California, determines and processes personal information (PI), and must either have a gross revenue of $25 million in the previous calendar year, or deal in the PI of 100,000 or more consumers or households, or earn 50% or more of its revenue by processing or sharing customer data. The difference lies in the fact that the CPRA modifies the criteria when it comes to the number of households required, raising it from the previously stipulated figure of 50,000, while modifying the sections that the CCPA specified about the revenue earned.
- Taking after the GDPR, which can easily be termed the benchmark when it comes to data protection regulations, the CPRA will integrate a new category of data referred to as Sensitive Personal Information. Companies would need to adopt special techniques and procedures while dealing with such data sets. Some of the newer requirements that the law stipulates regarding these sets are updated disclosure requirements, limitation requirements, and opt-out and opt-in requirements.
- The CPRA has expanded consumer privacy rights as well, when compared to what the CCPA allowed. Once the regulations are fully implemented, one would be protected by all of them.
- As we have already mentioned, the GDPR is the trendsetter when it comes to data privacy regulations around the world, and the CPRA has borrowed and adopted a number of regulations that were conceptualized by the GDPR. Features like data minimization, purpose limitation, etc. were first enshrined in the GDPR, and have made their way into the CPRA as well.
- In this day and age, data breaches have become a significant threat, and hackers are always on the watch for any data sets that they can steal to use for their own benefit. The CPRA allows a person to take legal action against a company that may have leaked their non-encrypted data through negligence. This is a major protection that the CPRA affords the users that fall under its ambit.
- A major step that the CPRA has taken to ensure data privacy is the establishment of the California Privacy Protection Agency. The CPPA can investigate complaints, enforce laws, and enjoys certain rulemaking powers as well.
These are some of the major differences between the CPRA and the CCPA. Although the CPRA brings a whole new set of laws to the table, and thus a new dynamic as well, it is technically an amendment to the earlier CCPA.
Under the CPRA, certain exemptions that the CCPA allowed for would be revoked. According to the CPRA, the employees of a firm would possess a clear idea of the information that their employers possess about them. This is something that the CCPA exempted, but not anymore. It also grants them the right to delete any information that may have been gathered from them by their employers. Besides these and other employee exemptions that are revoked by the CPRA, B2B businesses have been affected as well. According to the CPRA, the exemptions that were granted to B2B businesses regarding data collection from their clients would also be revoked. This would affect the manner in which business is carried out in California.
The CPRA regulations can be particularly difficult to navigate, especially in the absence of specialized tools and equipment. Automated systems like CMP, DSAR, etc. can help businesses understand the CPRA structure and comply with it as well.