What is the CCPA and what changes does the CPRA bring?

What is the CCPA and what changes does the CPRA bring?

California Consumer Protection Act the new US privacy law



First things first, what is the CCPA? The California Consumer Privacy Act, or CCPA, represented a giant step in the protection of personal data in the United States and, in particular, in the State of California. Approved in June 2018, it comes into force on January 1, 2020, establishing a whole new catalogue of rights for Californian consumers with the aim of giving them greater control over their data and a range of obligations for companies that intend to collect, process, transfer or sell their data

However, one of the main choices was the lack of precision regarding the processing of personal data itself, something that has given rise to the consequences of this processing being somewhat open to interpretation and, finally, leading to the approval and forthcoming entry into force of the CPRA in 2023 (California Privacy Rights Act). Innovative law that we will deal with later in the article analyzing all the reforms that it brings with it.

Without delving too deeply, since as we have anticipated, its content will soon be reformed, we can point out the most important elements of the CCPA:

With a state law nature, firstly its extraterritorial scope stands out, regulating the processing of data by any company, regardless of its location, of citizens residing in California.

 Shell define as “selling, renting, disseminating, disclosing, disseminating, making available, transferring or otherwise communicating orally, in writing, electronically or otherwise, consumer personal information by the business to another business or third party for monetary value or other type of economic consideration”

Of course, it does not affect to all commercial business, but since they are the ones who determine why and how the data is processed, they should meet one of the following three alternate criteria for submission to the standard:

 Have an annual gross income of more than 25 million Dollars;

– Buy, sell, or receive personal information from more than 50,000 California residents, households, or devices; either

– Obtain more than 50% of its annual income from the sale of personal information of California residents.

For its part, in this first rule, a series of rights are granted to citizens residing in California -natural persons- that we can break down into the known:

Right of access: Means the right to know what data or categories of data a certain company has, its sources or categories of sources for obtaining them, the purposes of their use and the categories of data and third parties to which they are shares or sells such information to them.

Right of deletion: Enabling California residents to request the deletion of their personal data.

Right to opt out of the sale of your personal data to third parties: Once exercised, the company must cease its sale until the citizen again grants their consent to do so.

Similarly, they are complemented by the right to be notified of the processing of their data and the right to obtain the same services and prices without being discriminated for the exercise of their rights.

Regarding the definition of personal information, the CCPA establishes that it will be understood as such, all “information that identifies, relates, describes, can reasonably be associated with, or relate to, directly or indirectly, a particular consumer or a family unit” . Covering, with this broader conception, both direct and unique identifiers (real name, cookies…), biometric data, geolocation data, data that allows re-identification or deduction of identity, web activity and, of course, sensitive information (financial information, health, religion, etc.) excluding only public information provided by the government from this definition.

Of course, the sale of data relating to minors under 16 years of age is prohibited if they do not have the proper authorization. If the minor is under 13, the company must have the authorization of their parents or legal guardians. In addition, penalties of up to $7,500 are established for each of the offenses committed.

What news does the CPRA bring?

The California Privacy Rights Act (CPRA) builds on the provisions of the CCPA to deepen the protection of personal information of Californian residents, establishing new rights for consumers and greater requirements for companies that collect data from those subjects.

Approved by 56% of Californians on November 3, 2020, it will not enter into force until January 1, 2023, granting a grace period of 6 months for the adaptation of the different companies that are subject to its articles. Not without forgetting, of course, the validity and application of the CCPA during this period.

Now let’s review the key points:

The California Privacy Protection Agency is constituted, granting it full administrative and regulatory powers, sufficient authority and jurisdiction for the implementation, interpretation and application of data protection regulations. Administrative body led by a board of 5 members that, although it has not completely displaced the competent authority to date, the California General Attorney, becomes the first American regulatory authority to dedicate itself exclusively to information privacy issues. 

Continuing under the same concept of consumer as a natural person residing in California, the right to rectification, the right to data portability, the right to self-exclusion and access to information on automated decision-making and the right to limit the use and disclosure of sensitive personal information are added to the aforementioned list of rights. New concept, that of sensitive personal information introduced by the CPRA, and covers:

– A consumer’s social security number, driver’s license, passport number, or state identification number;

– Access data, financial data, credit or debit bank card numbers, in combination with the password, any type of access code or credential;

– Precise geolocation data;

– Ethnic, racial, religious or philosophical beliefs;

– The content of emails, physical or telephony messages;

– Genetic information of the consumer.

Also, principles of the RGPD are incorporated, such as data minimization, purpose limitation and storage limitation.

The criteria for subjection to the standard are reformed. With the CPRA, the number of residents on which a business buys, sells or shares personal data is increased to 100,000 (from the previous 50,000), and companies that obtain at least 50% of their income are added not only from the sale but also from the transmission of personal information of Californians.

Likewise, the requirements regarding the rights of notification and information of consumers are reinforced, detailing the retention time of the data (limiting the time reasonably necessary for the required commercial purpose), the sensitive data collected, the purpose and its conservation time; Minors under 16 years of age must be notified of the intention to sell or share their data, requiring their consent to do so and, in the event of a negative response, they must wait at least 1 year, or until the minor reaches the age of 16, to return to request your consent.

Regarding to privacy policies, the CPRA increases transparency requirements, and must indicate:

– The transfers of personal information, including the categories of data and to whom they are transferred;

– If sensitive personal information is processed, collected and transferred;

– The retention time of each category of data processed or, if its determination is not possible, the criteria used for it.

In the field of cybersecurity, the CPRA requires organizations to carry out periodic evaluations of the security of their data processing and, for those that by their nature may pose a significant risk to privacy or security, carry out annual cybersecurity audits. .

1 Comment
  • zoritoler imol

    January 25, 2023 at 3:36 pm Reply

    Some genuinely wonderful info , Glad I observed this. “If a child can’t learn the way we teach, maybe we should teach the way they learn.” by Ignacio Estrada.

Post a Comment

Skip to content