Difference between CCPA, CPRA and GDPR

When it was approved in 2018, the CCPA law marked a turning point for the privacy and protection of data. It was the first substantial piece of legislation that gave Californian customers the right to privacy that they deserved in the twenty-first century. However, looking back, it is obvious that there is potential for growth, particularly following the CPRA's approval less than a year later. The CPRA may be viewed as a more complete version of the CCPA, which is the best way to define it.

It enhances the CCPA's provisions in a few crucial areas. Both these laws have a common derivative, which is the General Data Protection Regulation (GDPR). The GDPR, issued by the European Union (EU), is the most extensive law ever made addressing consumer data privacy. It was inevitable that the GDPR and the CCPA/CPRA would be compared in all subsequent laws on the issue in Europe and internationally.

S. No.	Basis for differentiation	General Data Protection Regulation (GDPR)	California Consumer Privacy Act (CCPA)	California Privacy Rights Act (CPRA)
1	Right of Customers	The necessity for opt-in vs. opt-out permission, which  means that businesses must comply with the GDPR in order to process any kind of customer data by obtaining consent and then only the data subjects must opt-in to the processing, is arguably the largest distinction between GDPR and CCPA/CPRA. Contrarily, under the CCPA/CPRA, companies may process customer personal data for any reason they want, unless the consumer exercises a right to prevent the sale or sharing of such data with third parties.	All Californians are entitled, under the CCPA, to the right to equal services and prices without discrimination, the right to be informed about data collection and rights, the right to have compiled information disclosed, the right to have compiled information deleted, and the right to opt-out of third-party data sales.	All Californians have the right to restrict how a company uses and discloses their sensitive information under the CPRA, and how they retain the authority to instruct the company to utilise such information when it is absolutely essential. Other than that, all companies are required to include a prominent banner on the front page of their websites, along with a suitable link to a page that would enable customers to limit the usage of their personal data on their websites.
2	Scope	The organisations covered by the GDPR include both for-profit and charity organisations, as well as governmental authorities, that handle the personal data of individuals inside the EU. The GDPR covers almost all forms of personal data and is not restricted in including data such as medical information, clinical trial information, financial information, or personal confidential details, and is far more comprehensive than CCPA requirements in obligating companies to notify customers when their data is being collected, sold, or revealed.	The CCPA applies solely to businesses that are for profit and also defines what counts as a business. While the GDPR mandates that this information be provided to users within one month and mandates that consumers be informed of whether the business has their data and how it was acquired,  the CCPA has a 12-month requirement and it only compels all third parties to notify users of whether they have got their information and not how they got it.	The definition of what comes under "business" and "sharing" has been modified by the CPRA  for  a widened scope of application of the Act, and has also  created a brand-new kind of protected data called Sensitive Personal Information (SPI). The CPRA, unlike the CCPA, has also accepted requirements from the GDPR that pertain to data reduction, purpose limitation, the right to request that a company's website limit how it uses their sensitive personal information, and storage restrictions.
3	Enforcement Agency	The Information Commissioner's Office (ICO) has served as the key enforcement authority since the EU-wide regulations went into effect in May 2018. In spite of the United Kingdom's choice to exit the EU, it was declared in 2019 that the ICO would continue to enforce GDPR legislation throughout the UK.	The California Office of the Attorney General (OAG) is responsible for enforcing the CCPA. When an organisation is determined to be in breach of CCPA guidelines, the Attorney General's office is in charge of imposing the proper fines and penalties.	The CPRA established a brand-new agency in charge of enforcing it. The California Privacy Protection Agency (CPPA), which has complete investigative and enforcement authority, is responsible for enforcing the CPRA.
4	Penalties	GDPR imposes fines for non-compliance and data breaches that can exceed 20 million euros or 4% of the offending company's annual global revenue, whichever is larger. Unintentional violations of the CCPA/CPRA are punishable by administrative fines of $2500, and intended offences are punishable by a penalty of $7500.	The CCPA only imposes fines once a breach takes place. There is absolutely no penalty for non-compliance. The penalty for violations of CCPA is $2,500. For intentional violations, it is $7,500. $100 - $750 in damages in civil court may also be claimed by the aggrieved	The same punishments as the CCPA specifies are laid down under the CPRA, as well as a further $7,500 penalty if a minor's consumer privacy rights are abused. If businesses address and fix the problems within 30 days after being alerted by the Attorney General, they can escape the penalty.

Implications of CPRA's Enforcement

The CPRA came into effect on January 1, 2023, amending the CCPA. However, enforcement of the CPRA's provisions has been delayed until July 1, 2023. This delay offers businesses some respite as they refine their compliance programs and avoid penalties.

During the enforcement delay, regulators cannot penalize businesses for violations that occurred before July 1, 2023, under the CPRA's new or amended obligations. Nonetheless, businesses must still adhere to the CPRA's substantive requirements, including new consumer rights and changes in vendor contracting. Final CPRA regulations, initially due earlier, are still pending, adding to compliance challenges.

To prepare for the eventual enforcement, businesses should prioritize compliance efforts, such as data mapping�an inventory of data processing activities to determine applicable requirements. Penalties for CPRA noncompliance, starting from July 1, 2023, can be significant, with each violation costing up to $2,500 ($7,500 for intentional or child-related violations).

While awaiting CPRA enforcement, businesses should also remember that the CCPA, in effect since 2020, remains enforceable, now covering additional data types. Furthermore, other state privacy laws, such as the Virginia Consumer Data Protection Act, pose compliance hurdles. In conclusion, businesses should refine their compliance programs to meet CPRA requirements before the July 1 enforcement deadline. Despite the enforcement delay, adherence to the CPRA's substantive obligations is essential. Compliance with the enforceable CCPA and awareness of other state privacy laws remain crucial.

Conclusion
The California Privacy Rights Act (CPRA), a new state-wide data privacy law, was signed into law. Due to its major expansions over the current California Consumer Privacy Act (CCPA), it further establishes California's position as the U.S. frontier in data privacy regulation. The California Privacy Rights Act (CPRA) essentially functions as an addendum to the CCPA, strengthening resident rights, tightening business regulations on the use of private data, and creating a new regulating authority for state-wide data privacy enforcement named the California Privacy Protection Agency (CPPA), among other significant changes to the data privacy regime in the Golden State. The Act makes data gathered by companies after the threshold date subject to compliance.

While the California Privacy Rights Act merits consideration on its own terms, we regret that the ballot proposal fails to take advantage of significant changes to make the CCPA more palatable for consumers. By integrating strong data minimization language that restricts data collection, use, and disclosure to only what is necessary to deliver the service the customer has requested, a better model would respect consumer privacy by default. Stronger laws that California has already established are a superior replacement for the cumbersome opt-out procedures under the California Privacy Rights Act. Additionally, the California Privacy Rights Act might have prevented discrimination against or increased charges for customers who exercise their right to privacy.

It is clear that while the California Privacy Rights Act delivers significant short-term incremental changes, its long-term effects are unclear and may even be detrimental. Strong pro-privacy polling, however, reveals that customers are willing to have their privacy protected, if only there were effective regulations to allow them to do so. Appropriate implementation mechanisms for this act can do wonders for its sustenance and relevance in California.

Frequently Asked Questions (FAQs):
What is the California Privacy Rights Act (CPRA)?
On January 1, 2023, the California Privacy Rights Act (CPRA), the legislation governing data privacy, came into force. It strengthens California's current privacy rules, such as the California Consumer Privacy Act (CCPA). Businesses that gather personal information about California residents must comply with the CPRA. Its privacy regulations are comparable to the General Data Protection Regulation (GDPR) in the EU.

Is the CCPA supplanted by the CPRA?
Not quite. It would be more correct to refer to the CPRA as a modification of the CCPA. The California Public Records Act (CPRA) clearly indicates that it "adds" new provisions and "amends" existing sections of the CCPA.

Which enforcement agency is in charge of protecting the privacy rights under the CPRA?
The California Privacy Rights Act established a new agency called the California Privacy Protection Agency, which has complete executive authority and jurisdiction to execute and enforce the CCPA.

When did the California Privacy Protection Agency assume rulemaking authority?
The Attorney General's CCPA regulation power was officially passed to the Agency on April 21, 2022. On April 21, 2022, the newly established California Privacy Protection Agency officially received rulemaking authority under the California Consumer Privacy Act (CCPA), as mandated by the California Privacy Rights Act of 2020. This marked an important new chapter for the California Privacy Protection Agency.

How does the CPPA enforce the CPRA?
The establishment of a new body charged with regulating and enforcing the CCPA as revised by the CPRA is one of the most important structural changes to privacy administration that the CPRA brings. The CCPA as amended by the CPRA will be administered, implemented, and enforced by the California Privacy Protection Agency, a new administrative organisation governed by a five-person board of privacy and technology experts. The CPRA allocates $5 million for the Agency's first year of operation and $10 million for each fiscal year after that.

Who is subjected to the CPRA?
The companies that purchase, sell, or share the personal information of 100,000 or more consumers or households in a year; or exceed the gross revenue of $25 million in the preceding calendar year as of January 1 of the present calendar year; or derive not less than 50% of their annual revenue from selling or sharing consumers' data, are "businesses" under the CPRA and have to comply with the CPRA provisions.

How does the CPRA affect businesses?
Similar to the CCPA, regulations have to be used to fill in the gaps in the CPRA's major provisions, such as those governing the right of rectification, technical specifications for opt-outs, and data usage agreements for service providers and the freshly designated "contractor" businesses. The CPRA mandates that final regulations must be adopted by July 1, 2022, thus the new Agency has its job cut out for it over the next 18 months to give time for feedback, amendment, and implementation. However, these have only come into effect on 1 January 2023, and some of the provisions even got delayed to 1 July 2023.

How has the CPRA modified the CCPA's application to companies handling California citizens' personal information?
The CPRA alters the CCPA's application by altering what is meant by a "business" which comes under the applicability domain of this Act. The definition of "business" under the CPRA determines the sorts of entities that are covered, and consequently the reach and applicability of the legislation. The two business categories listed in the CCPA are modified by the CPRA, and two further categories are added to account for new company kinds.

How does the notice of collection obligations of the CCPA get expanded by the CPRA?
According to the CCPA, a covered firm must warn customers "at or before the time of collection" of the types of personal information that will be gathered and the uses to which it will be put.

This need is expanded upon by the CPRA, which calls for notification of:

• Whether the data will be shared or sold;
• How long the data will be retained; and
• Further disclosures about the acquisition and use of "sensitive personal information".

Do the CCPA's employee and B2B exemptions continue to exist in the CRPA?
The CPRA extends the CCPA's employee and B2B exemption expiry dates from January 1, 2021, to January 1, 2023. They are no longer applicable post the January 1, 2023 cutoff date.


References:

• https://oag.ca.gov/system/files/initiatives/pdfs/19-0021A1%20%28Consumer%20Privacy%20-%20Version%203%29_1.pdf
• https://ccpa-info.com/california-consumer-privacy-act-full-text/
• https://www.itgovernanceusa.com/california-consumer-privacy
• https://www.mondaq.com/unitedstates/privacy-protection/1192382/from-ccpa-to-cpra-what-are-the-key-takeaways
• https://pro.bloomberglaw.com/brief/the-far-reaching-implications-of-the-california-consumer-privacy-act-ccpa/
• https://www.itgovernanceusa.com/california-consumer-privacy
• https://www.mwe.com/insights/california-privacy-rights-act-takes-effectsort-of/

Written By: Tejaswini Kaushal, A Student At Dr. Ram Manohar Lohiya National Law University, Lucknow.