CPRA vs CCPA: Important Essentials Your Business Needs To Know

CPRA vs CCPA: Key differences
Share article
twitter linkedin medium facebook

If your business collects, stores, or transmits the personal data of customers who live in California then you’ve probably been searching for CPRA vs CCPA to find out what’s changing. You’ll no doubt be aware of the California Consumer Privacy Act of 2018 (CCPA) and will have heard that changes are on the way because of a new set of regulations called the California Privacy Rights Act 2020 (CPRA).

Googling CPRA vs CCPA will reveal that both sets of legislation profoundly shape your organization’s behaviors around the protection of customer information, with the new act adding to the first, but what’s really happening? Instead of sifting through a lot of information, read on to find out what the original act says, what the new act says, and how they change your organization’s data security obligations.

What is the CCPA?

Let’s begin with an overview. The CCPA came into effect at the beginning of January 2020 and was the first such law of its kind to enter the statute books in the United States. It is a consumer protection law created to regulate how companies collect and protect California customers’ personal information.

As with the EU’s General Data Protection Regulation (GDPR), which helped to inspire it, the CCPA can apply to businesses in other US states and countries overseas. Since California is only one state in one country this may seem surprising, but with 39 million people living within its borders, California is home to 12% of the United States population and boasts an economy that rivals those of some world nations.

Given that the state is so populous, is an economic powerhouse, and politically tends to lean toward championing individual rights, it’s easy to see why the CCPA (and now CPRA) have so much reach.

The state is so big that if you have customers in the United States, then the private information of Californians will probably be passing through your servers, and when that happens, the state’s legal apparatus may want to make sure that you treat its citizens’ data carefully.

What are the criteria for inclusion?

The word ‘may’ in the previous paragraph is there because there are thresholds. In contrast to the GDPR, which regulates all businesses that process the personal data of EU citizens, the CCPA sets the bar a little higher. The act applies to for-profit organizations doing business in California which also meet any of these three criteria:

  • They have an annual revenue that exceeds $25 million.
  • They receive, buy, or sell the personal data of 50,000 Californians, their households, or their devices.
  • They derive at least half of their annual revenue from selling Californians’ personal data.

The Four Main CCPA Rights

Here are the four main rights that the CCPA grants to California consumers:

The right to know

Residents have a right to know what personal information companies are collecting about them and what they are doing with it.

The right to delete

They can also ask that companies delete this personal information unless it falls under one of the act’s exemption clauses. These permit data to be kept where it’s needed to provide a service, to complete a transaction, or for legal reasons. Medical records and credit histories are examples of data that are exempt from the right to delete.

The right to opt out of data sales

Companies must respect the wishes of consumers who don’t want their personal information to be sold to a third party.

The right to non-discrimination and non-retaliation

When Californians exercise their CCPA rights, businesses aren’t allowed to discriminate against them. This means that they can’t ‘punish’ their customers who choose to withhold permissions by charging them higher prices for goods and services.

Civil Penalties

In cases of non-compliance, the California attorney general can bring a civil action lawsuit or injunction against the perpetrator. The penalty for each unintentional violation is $2,500, and for intentional ones, $7,500.

What counts as a violation?

Some examples of violations include:

  • not maintaining a CCPA-compliant Privacy Policy. 
  • not responding to consumers’ CCPA requests.
  • not giving sufficient notice when collecting personal information.
  • selling consumers’ personal information without giving them the chance to opt out.
  • discriminating against consumers who exercise their CCPA rights.

We can easily imagine (because we’ve seen this kind of thing happen) a real-world example where a misconfigured tracking pixel gathers data on the behavior of 50,000 of its users. Since they haven’t given their express permission to share it, this would qualify as a data breach, and under the CCPA it could cost the company up to 50,000 x $7,500: $37.5 million in civil penalties.

The right to private action

But that’s not all! The CCPA also gives Californian consumers the right to take their own private legal action against businesses (although note that they can only do so when their unencrypted or unredacted personal information is breached.) Each of the 50,000 users mentioned in our hypothetical case would be entitled to claim between $100 and $750 in statutory damages or actual damages from the court (plus costs), whichever is the greater amount. That means that the same company could also find itself paying out up to $37.5 million more. 

What is the CPRA?

The CPRA adds to some of the CCPA’s provisions, building on the consumer protection rights and requirements established by the initial act by introducing new privacy rights for consumers and new obligations for businesses.

It also creates a new state government agency, the California Privacy Protection Agency, which will put the law into practice and enforce it. It’s the first dedicated privacy regulator in the United States, and its creation should be taken as a strong signal of intent from the Golden State: that it is firmly on the side of consumers.

The way that the CCPA was originally written gave the impression that it was trying to balance the priorities of businesses and privacy advocates. While this pleased both, it meant that the act was inadequate. The CPRA’s purpose is to make the regulations clearer and more robust, and the aim of the California Privacy Protection Agency will be to police the way businesses handle customer information and punish those that don’t comply.

California residents can find comprehensive information about their rights under the new legislation via a wealth of resources on this new website.

CPRA vs CCPA: Additional Rights Under the CPRA

Right to Limit Use and Disclosure of Sensitive Personal Information

Californian consumers can ask businesses to limit the use and disclosure of their sensitive personal information (such as social security numbers, biometric data, precise geolocation, health information, and racial or ethnic origin) to certain purposes only.

Right to Rectification

Consumers can request that businesses correct any inaccurate personal information about them that they may be holding.

Right to Opt-out of Selling or Sharing

Consumers can opt out of allowing businesses to sell or share their personal information. In this context the definition of selling is clearcut. Sharing is also included to make sure that when data is shared without obvious compensation, consumers still have the choice to opt-out.

Right to Data Portability

Under the CCPA, consumers could already request businesses to provide them with their personal information in a ‘portable and readily usable format’. The CPRA extends this right so that now a business must send that data ‘directly to another entity at the consumer’s request’.

CPRA vs CCPA: How Are They Different?

Here are some key differences between the two:

Under 16s

Accidentally selling the data of under 16s without their express permission now attracts a penalty of $7500. It was previously $2500 under the CCPA.

Legal Thresholds

The CPRA increases the legal threshold that applies to businesses that buy, sell, or share personal information to 100,000 consumers or households, up from 50,000 under the original CCPA.

Sensitive Personal Information

The CPRA creates a new category of personal information, sensitive personal information, which is subject to stricter guidelines. It includes:

  • government identifiers, such as Social Security Numbers and driver’s license numbers.
  • account log-in information, such as financial account or credit card numbers along with their relevant access codes or passwords.
  • precise geolocation information.
  • racial or ethnic origin, religious or philosophical beliefs, or union membership.
  • content of physical mail, email, and text messages, unless the business is the intended recipient of these communications.
  • genetic data.
  • biometric information that uniquely identifies a consumer.
  • information about their sexual orientation, sex life, or health.

The level of security should be appropriate for the type of data, so SPI would need stronger protections. Also, under the CPRA, consumers can now request that organizations limit the use of their SPI.

Consumer Rights

The CPRA gives consumers opt-out rights, better access to their personal data, and more control over their sensitive personal information.

Sharing of Personal Information

As mentioned, the new act creates new legal requirements around how personal information is shared.  ‘Sharing’ is made distinct from ‘selling’ to cover every eventuality.


As we said, the CPRA created the California Privacy Protection Agency to offer guidance and implement enforcement. It seems clear that its stance will no longer be ambiguous, coming down firmly on the side of Californian consumers.

Under the CCPA, businesses found to be in breach of its regulations were allowed wiggle room. They had a 30-day window in which to rectify any areas of non-compliance and if they managed this, they could avoid a fine, but not anymore. The CPRA removes this ‘cure period’, putting the onus on businesses to get it right the first time if they want to avoid large penalties.

One Law

It’s important to remember that it isn’t really a question of CPRA vs CCPA because these are not two separate laws. There is one law, the CCPA, and the CPRA is a set of revisions that amends portions of the original act.

The removal of the 30-day window is one example of where the CPRA technically amends portions of the CCPA. Another point to keep in mind is that any elements of the CCPA that are not changed by the CPRA’s revisions will still apply.

In What Ways Are GDPR and the CPRA Similar?

Some of the similarities between the GDPR and the CPRA:

  • they both give people the right to access their personal data.
  • people have the right to ask for it to be erased.
  • both laws make organizations issue clear privacy notices.
  • they have similar approaches to data retention and collecting only what’s necessary.
  • they require consent to be freely given, specific, and informed.
  • they ban the use of tricks to gain user consent.
  • they oblige organizations to update written contracts with third parties, contractors, and service providers so that they also protect consumers’ data to the required standards.
  • they both define “sensitive personal information” and seek to limit its processing for non-essential purposes.
  • both give new rights to consumers to correct inaccurate information and to access the logic of any automated decision-making technology used by organizations (including profiling) and opt-out.

CPRA vs CCPA vs GDPR Summary table

RegulationScopePersonal Information DefinitionData Subject RightsPenalties
CCPAApplies to businesses that collect or sell personal information of California residents and have annual gross revenue of $25 million or more, or that buy, receive, or sell the personal information of 50,000 or more California residents, households, or devices.Any information that identifies, relates to, describes, or is capable of being associated with a particular consumer or household.Right to know what personal information is being collected, right to request deletion of personal information, right to opt-out of the sale of personal information, and right to non-discrimination.Up to $7,500 per violation.
CPRAApplies to businesses that collect or sell personal information of California residents and have annual gross revenue of $25 million or more, or that buy, receive, or sell the personal information of 100,000 or more California residents, households, or devices.Any information that identifies, relates to, describes, or is capable of being associated with a particular consumer or household.Right to know what personal information is being collected, right to request deletion of personal information, right to opt-out of the sale of personal information, right to correct inaccurate personal information, and right to limit the use of sensitive personal information.Up to $7,500 per deliberate violation or $2,500 per accidental violation.
GDPRApplies to businesses that process personal data of individuals in the European Union, regardless of the business’s location.Any information relating to an identified or identifiable natural person.Right to access personal data, right to rectification, right to erasure, right to restrict processing, right to data portability, right to object, and right not to be subject to automated decision-making.Up to €20 million or 4% of the company’s global annual revenue, whichever is greater.

CPRA vs CCPA: How do the standards affect online businesses?

The CPRA has significant implications for online businesses. Here are some key points:

Increased Legal Threshold

The CPRA increases the legal threshold that applies to businesses that buy, sell, or share personal information to 100,000 consumers or households. This is an increase from the previous threshold of 50,000 under the original CCPA.

Introduction of Sensitive Personal Information

The CPRA introduces a new category of personal information, known as sensitive personal information, which is subject to stricter guidelines.


Businesses need to issue privacy notices to consumers that include information about the categories of personal information collected, the purposes for which the information is used, how long they will keep it, and the categories of third parties with whom the information is shared.

They also need to provide a separate privacy notice for employees and job applicants, which needs to be posted on their website and updated at least annually because the CPRA doesn’t just apply to consumers. It gives new data protection rights to employees and job applicants too.   

Consumer Expectations

The CPRA requires businesses to consider whether their collection, use, retention, and/or sharing of a consumer’s personal information is “reasonable, necessary, and proportionate,” to achieve the purposes of collection or processing, and if it is consistent with the “reasonable expectations of the consumer(s)”. In other words, they should make sure to only collect and keep what they need.

CPRA vs CCPA: How can Reflectiz help?

Reflectiz already helps online businesses to meet their data security obligations to their customers and the law(s). Our solution maps all the digital assets in your environment and then actively monitors their behaviors to ensure that they haven’t been compromised by malicious actors or inadvertently misconfigured through human error, alerting you at the first sign of trouble.

Our powerful but easy-to-use dashboard offers the kind of unprecedented oversight that simplifies security and maintains compliance with ever-changing data privacy regulations like the CPRA.

Now you can easily see how external apps access and track personal identifying information and other sensitive data. Easily send reports to your privacy and legal teams about who is accessing what data, how it’s being processed, and where it’s being sent. By keeping your customers’ data safe and giving you the tools to report on your regulatory compliance posture, Reflectiz significantly eases the burdens of security, compliance, and reporting. Sign up today and discover how we can make your compliance journey easier. 

Subscribe to our newsletter

Stay updated with the latest news, articles, and insights from Reflectiz.

Your Website looks great!

But what’s happening behind the scenes?

Discover your website blind spots and vulnerabilities before it’s too late!

Try for free