The California Consumer Privacy Act of 2018 (“CCPA”) was amended by the California Privacy Rights Act of 2020 (“CPRA”). Both statutes deal with the same issue: protecting the online data privacy of consumers in California. In practice, there is no difference between the two statutes since, as noted, the CPRA is the statute that amended the CCPA. The combined statutes create one regulatory framework and regime. For example, California has created one set of regulations to govern the enforcement of the two statutes, and enforcement of both is entrusted to the California Attorney General’s Office. Obviously, the two statutes were very different when enacted, and we will discuss some of those differences below.
That the two statutes continue to be differentiated — causing confusion — is likely because the CPRA was given a “statutory name” when it was enacted and also did not officially combine the statutes under one statutory name.
This might be an artifact of how the two statutes were passed. The CCPA was enacted by the California State Assembly and was subject to intensive lobbying efforts by both privacy advocacy groups and business interests. The CCPA was the first data privacy law to be enacted in the United States, and, given the intensive lobbying from all sides, it was an impressive step forward but, certainly, could have gone a lot further in protecting data privacy.
By contrast, the CPRA was placed on the ballot for voter approval in 2020. As such, there was no lobbying involved. The process of lobbying, the back-and-forth between interested parties and groups over words and phrases, tends to “solve” the problem of an amending statute having its own separate statutory name. In any event, California voters were apparently not happy with the limited nature of the CCPA and approved the CPRA in November 2020.
As noted, the CPRA went much further than the CCPA in protecting consumer data privacy. As one example, the CCPA applied to and was limited to regulating the “sale” of consumer data. The CPRA went much further and applied the regulatory regime to the “sharing” of data with a very expansive definition of “sharing” which included renting, releasing, disclosing, disseminating, making available, and transferring data “whether or not for monetary or other valuable consideration.”
Legal Differences Between the CCPA and the CPRA
While, as a matter of practice, the CCPA and the CPRA have created one regulatory regime, there are some important legal differences created by the fact that the two statutes were enacted at different times and had different effective dates. The CCPA took full effect on January 1, 2020, and the CPRA took full effect on January 1, 2023.
Note the three-year gap between the effective dates. During that gap, the rules of the CCPA will apply, including the key issue of different thresholds for applicability to businesses. The thresholds are not hugely different, but in any given case where violations are alleged, the difference could matter greatly.
The CCPA applied to any business meeting any of these thresholds:
(A) Has annual gross revenues in excess of twenty-five million dollars ($25,000,000) …
(B) Alone or in combination, annually buys, receives for the business’s commercial purposes, sells, or shares for commercial purposes, alone or in combination, the personal information of 50,000 or more consumers, households, or devices
(C) Derives 50 percent or more of its annual revenues from selling consumers’ personal information
By contrast, the thresholds for the CPRA are somewhat different. See here. The CPRA applies — and will apply — to any business meeting any of these thresholds:
(A) As of January 1 of the calendar year, had annual gross revenues in excess of twenty-five million dollars ($25,000,000) in the preceding calendar year …
(B) Alone or in combination, annually buys, sells, or shares, the personal information of 100,000 or more consumers or, households
(C) Derives 50% or more of its annual revenues from selling or sharing consumers’ personal information
As can be seen, under subsection (B), the CCPA actually has a lower threshold with a lower number and including “devices” along with consumers and households. Thus, it is possible that some businesses could be accused of violating the CCPA, but not violating the CPRA for similar behavior in subsequent years..
Contact The Consumer Data Privacy and Compliance Attorneys at Revision Legal
For more information, contact the experienced Consumer Data Privacy and Compliance Lawyers at Revision Legal. You can contact us through the form on this page or call (855) 473-8474.
