CCPA vs. CPRA: Key Differences and Compliance Requirements

*Updated on 10/15/24

With 1.145 trillion megabytes created daily, data has become one of the most valuable resources in the world. And with businesses collecting and utilizing that data to power better customer experiences and marketing strategies, it only makes sense that state and federal entities are imposing legislation on how all of it is collected, used, and disclosed.

One US state in particular, California, has set a precedent for protecting consumers’ privacy with regard to the collection and sale of personal information. In this article, we highlight what you need to know about California’s consumer privacy regulations. 

What is CCPA?

Signed into law on June 28, 2018, the California Consumer Privacy Act (CCPA) created an array of consumer privacy rights and business obligations regarding the collection and sale of personal information. When it passed, the CCPA became known as a landmark piece of consumer privacy rights legislation because it requires certain businesses to disclose the personal data they’ve collected on a consumer whenever that person requests it. The CCPA went into effect on January 1, 2020.

CCPA Timeline

  1. June 28, 2018: CCPA is enacted
  2. January 1, 2020: CCPA takes effect
  3. July 1, 2020: CCPA enforcement begins
  4. August 14, 2020: final CCPA regulations approved 

What is CPRA?

The California Privacy Rights Act (CPRA), also known as Proposition 24, is a data privacy law that expands upon the CCPA to enhance consumer privacy protections and introduces stricter regulations for businesses. Passed on November 3, 2020, the CPRA went into effect on January 1, 2023, with enforcement beginning on July 1, 2023. 

CPRA Timeline

  1. November 3, 2020: CPRA is approved by voters
  2. January 1, 2022: CPRA is established
  3. January 1, 2023: CPRA provisions take effect
  4. July 1, 2023: CPRA enforcement begins

Who Needs to Comply with CCPA and CPRA?

The CCPA and CPRA apply to any businesses that process the personal information of consumers in California. While technically the law applies to companies that do business in California, many out-of-state merchants still have to comply. Organizations that sell to Californians or display a website in the state must consider both the CCPA and CPRA.

The law states that those that meet at least one of the following criteria must comply:

  • Have annual gross revenue of at least $25 million
  • Annually buy, sell, receive, or share personal information from at least 100,000 consumers, households, or devices
  • Make over 50% of gross annual revenue from selling or sharing personal information

With these criteria, however, the term “personal information” is extremely broad. So, what’s included in the definition?

  • Name
  • Home address
  • Email address
  • Date of birth
  • Social security number or passport number
  • Biometric data
  • Geolocation and other location-specific data
  • Records of purchase history
  • Internet browsing history
  • Digital fingerprints
  • Inferences from other data that can be used to create preference and characteristic profiles 

Who Enforces CCPA and CPRA?

The enforcement of the CCPA and CPRA is handled by both the California Attorney General's Office and the California Privacy Protection Agency (CPPA), with full investigative, enforcement, and rule-making authority. The Attorney General's Office led enforcement of the CCPA from July 1, 2020 to July 1, 2023, before the CPPA took over primary enforcement of the CPRA. The CPPA is now the primary enforcer of CPRA and has full authority to enforce both the CCPA and CPRA.

Here’s how each entity is involved:

California Privacy Protection Agency (CPPA) key responsibilities: 

  • Investigating violations: conduct audits, issue violation notices, and investigate businesses for non-compliance.
  • Enforcing penalties: impose administrative fines of up to $2,500 per violation and $7,500 for intentional violations or misuse of children’s data.
  • Conducting audits: audit businesses proactively, even without a specific complaint, to ensure compliance.
  • Issuing guidance: provide educational resources and clarifications on CPRA and CCPA requirements for businesses.

California Attorney General's Office key responsibilities:

  • Legal enforcement in court: the Attorney General retains the authority to bring lawsuits against companies that violate the CCPA/CPRA, especially in cases of major data breaches or willful non-compliance.
  • Handling data breach cases: consumers can bring private lawsuits for data breaches, but the Attorney General can also pursue these cases on behalf of the public.

What Rights Does CCPA Provide to Consumers?

The CCPA created six specific rights for consumers, or “a natural person who is a California resident as defined in the state’s tax regulations:”

  1. The right to know (or request disclosure of) personal information collected by a business about the consumer including from whom it was collected, why it was collected, and if sold, to whom.
  2. The right to delete personal information collected from the consumer.
  3. The right to opt-out of the sale of personal information.
  4. The right to opt-in to the sale of personal information of consumers under the age of 16.
  5. The right to non-discriminatory treatment for exercising rights.
  6. The right to initiate a private cause of action for data breaches.

With the CPRA, two additional rights were created:

  1. The right to correct inaccurate personal information.
  2. The right to limit the use and disclosure of sensitive personal information.

Why is CCPA Important?

Both the CCPA and CPRA provide great benefits to consumers. They enable consumers to have control over their data in ways they previously couldn’t – and in ways some may not have thought possible.

In all, these privacy laws grant consumers in California greater transparency from companies, which now have to be upfront and honest about what information is collected and for what purpose. Additionally, personal information cannot be sold without the consent of the consumer, further protecting their right to privacy.

The CCPA and CPRA are also setting a precedent for other US states to follow suit. For example, Colorado, Connecticut, Texas, Utah, and Virginia have all enacted comprehensive consumer privacy laws in an effort to further preserve consumers’ privacy. These states even have several provisions in common with California’s CCPA, including the right to access and delete personal information as well as to opt-out of the sale of personal information. 

Do CCPA and CPRA Benefit Businesses?

Data privacy regulations have been and will continue to be a huge topic of debate in the US and across the globe. As consumers increasingly care about and demand transparency and privacy from businesses, they’ll gravitate toward those that provide it to them. And while businesses operating in California will be CCPA compliant, if they also operate in other states, their robust privacy measures may then provide a significant competitive advantage.

And because both pieces of legislation restrict the sale of consumers’ personal information between businesses, businesses will now have to rely more on first-party data, as opposed to third-party data. This means that businesses have to collect their own data on customers. Relying on first-party data greatly benefits them because they’ll know exactly where their information comes from, thereby ensuring its accuracy and reliability.

How Can Americaneagle.com Help with CCPA Compliance?

Here at Americaneagle.com, we have data privacy experts who can perform an audit on both your website and your third-party integrations’ current CCPA compliance level as well as provide recommendations for further compliance. Through our comprehensive audit, we review all of your database collection systems, forms, and query strings, in addition to any third-party systems that may be collecting information from your consumers. From there, we recommend a custom suite of tools to help you navigate your consumers’ data.

*The content herein is for informational purposes only and is not intended to be taken as legal advice. If you have any legal concerns, we encourage you to seek competent legal counsel for advice. 

About the Author

Taylor Karg

Taylor Karg is Americaneagle.com’s Marketing Content Writer. She graduated from the University of Missouri with a bachelor’s degree in Journalism. Over the years, she’s gained experience writing for B2B brands across a variety of industries. Taylor prides herself on her ability to tell a story – and having fun while doing it. When not interviewing or writing, Taylor can be found eating tacos and watching the latest Netflix, Hulu or HBO series.