
Understanding the Shift From CCPA to CPRA

The History of CCPA and CPRA

The California Consumer Privacy Act (CCPA), enacted in 2018, marked a significant milestone in US data protection legislation. It aimed to enhance privacy rights and consumer protection for residents of California, presenting a dramatic shift towards more stringent data privacy controls. The CCPA introduced novel concepts such as the “right to access,” “right to delete,” and “right to opt-out,” which gave consumers unprecedented control over their personal information.

Just two years after the CCPA’s inception, the California Privacy Rights Act (CPRA) was introduced in 2020 and approved in November of that year through a public ballot initiative. The CPRA became operative on January 1, 2023. This new law aims to expand and refine the provisions of its predecessor, introducing several critical amendments that further extend the protection of California residents’ personal data.

Who is Subject to the CCPA and CPRA

A business falls within the scope of the CCPA if one or more of the following applies:

  • Gross revenue over $25 million
  • Buys, receives, sells, or shares the personal data of 50,000 or more consumers
  • Derives 50% or more of annual revenue from selling or sharing personal data

A business falls within the scope of the CPRA if one or more of the following applies:

  • Gross revenue over $25 million
  • Buys, receives, sells, or shares the personal data of 100,000 or more consumers
  • Derives 50% or more of annual revenue from selling or sharing personal data

Key Points of CCPA

The CCPA marked a sea-change in the American data privacy landscape. Key provisions include:

  • Right to Know: Consumers have the right to request the categories and specific pieces of personal information a business has collected
  • Right to Delete: Consumers can request a business to delete any personal information obtained from them
  • Right to Opt-Out: Consumers can direct a business that sells personal information to stop this practice
  • Non-Discrimination: Businesses can’t discriminate against consumers for exercising their CCPA rights

The CCPA applies to any business in California that collects consumers’ data, satisfies one or more of the thresholds specified in the legislation, and is for-profit.

How the CCPA Impacts Vendor Risk Management

Vendor risk management is the process of identifying, assessing, and mitigating the risks associated with third-party vendors that provide goods or services to a business. Under the CCPA, businesses are responsible for ensuring that their vendors comply with the law when they process personal information on their behalf. This means that businesses need to:

  • Conduct due diligence to identify third parties that are involved in data processing and data collection that is subject to CCPA
  • Understand the data privacy risks associated with existing third-party relationships by evaluating the controls each organization has in place to comply with data privacy regulations, the type of PII that is collected, how it is processed and stored, and who has access to the data. A detailed data privacy assessment gives organizations visibility into the data privacy risk associated with their third parties
  • Enter into written contracts with their vendors that specify the categories and purposes of personal information processed, and the obligations and restrictions on both parties to ensure that the data is processed in a manner that is compliant with CCPA
  • Perform annual risk assessments and continuously monitor the security posture of vendors to ensure that vendors comply with the contract and the law

How the CPRA Differs from the CCPA and Impacts Vendor Risk Management

The CPRA introduces several new provisions that strengthen consumer privacy rights relative to the CCPA. Beyond expanding consumer rights around opt-out requirements and consumer privacy requests, a few key developments in the CPRA signal an increased focus on enforcing compliance with data privacy laws.

  • Establishment of the California Privacy Protection Agency (CPPA): The CPRA created the CPPA, the first agency dedicated to enforcing privacy laws in the US
  • Increased Penalties: Penalties for mishandling children’s personal information have tripled to $7,500, up from $2,500 under the CCPA
  • Grace period: Organizations no longer have a fixed 30-day period to remediate violations before being fined. Instead, the CPRA gives this responsibility to the CPPA, which has discretionary power to set the length of time allowed to resolve the issue
  • Contractual obligations: The CPRA requires contractual clauses and other safeguards to address supply chain security and privacy risks when data is shared with third parties, ensuring that supply chains are more dynamic and responsive
  • Cybersecurity audits: Organizations storing data that could present a significant risk to consumer privacy and security must perform annual cybersecurity audits and submit them to the CPPA
  • Risk Assessments: Regular risk assessments are required if processing PII presents a significant risk to consumer privacy and security

Organizations need a strong vendor risk management program to understand their data privacy risk and to conduct the required risk assessments and audits. Third parties pose significant risks to the privacy and security of consumer data, so without visibility into the data privacy risk associated with them, an organization cannot accurately assess or mitigate those risks.

Learn More

ProcessBolt provides organizations with an AI-driven, fully-integrated third-party risk management platform designed to address data protection risks effectively. Schedule a demo to learn more.
