CCPA vs. CPRA: Key Differences In California Privacy Laws Explained

August 12, 2021 - Jeff Edwards


As the General Data Protection Regulation (GDPR) generates record-breaking fines against companies and organizations violating the privacy rights of individuals in Europe, data privacy regulations are also trending upwards in the U.S. The California Consumer Privacy Act (CCPA) went into effect in 2020, and regulators have been enforcing the law judiciously.

In many ways, the CCPA set the standard as the strongest privacy law in the United States, with follow-up laws in Virginia and Colorado taking a softer approach.

But while the CCPA sets the stage for serious fines against companies that violate the privacy rights of consumers when handling personally identifiable information (PII), the California Privacy Rights Act (CPRA), which takes effect on January 1, 2023 and reaches back to personal information collected on or after January 1, 2022, will have an even bigger bite.

The CPRA expands upon some aspects of the CCPA and supersedes others, with a host of changes and expansions on the original law. In this article, we’ll break down the key differences between the CCPA and the upcoming CPRA.

A Bigger Bite: How the CPRA Increases Enforcement of Consumer Privacy Rights

Key provisions of the CPRA are intended to improve California's compliance enforcement capabilities, including the creation of a dedicated regulator, the California Privacy Protection Agency, with its own rulemaking and enforcement authority.

Businesses will also lose the guaranteed 30-day "cure" period that the CCPA grants to fix a violation before a penalty is assessed. The CPRA also extends the consumer's opt-out right from the sale of personal information to the "sharing" of it with third parties for cross-context behavioral advertising; under the CCPA the opt-out covered only sales.

How The CPRA Expands The Scope of The CCPA

As we discussed in a past blog, the CCPA controls and limits what businesses and organizations can do with the data they collect about California residents. With many organizations across the U.S. and the world serving California residents, the act impacts a large number of businesses and can potentially levy crippling penalties for non-compliance and data leakage.

The CPRA will expand the scope of the CCPA, giving consumers more power over how their data is used. For example, the CCPA currently gives consumers the right to know which information businesses collect and store about them, as well as the right to access and delete that information. Businesses must also give consumers the choice to opt out of the sale of their information, and they cannot discriminate against consumers for exercising these rights.




The CPRA will include all these rights and more. It gives consumers the right to correct inaccurate personal information and the right to limit the use and disclosure of their sensitive personal information. The opt-out that covers only sales under the CCPA is extended to sharing, so a business that honors "Do Not Sell" requests will also need to honor "Do Not Share" requests. The CPRA also bars businesses from retaining personal information longer than is reasonably necessary for the purpose disclosed to the consumer.

Changes to Third Parties Rules, Fines, and Thresholds

The combination of the CCPA and CPRA means businesses are now firmly responsible not only for what they do with customer data but also for what third-party partners do with it. For example, if your website carries ads served by a third party, you must know what data that vendor collects and ensure, by contract and by technical control, that it is not retained or used beyond what your disclosures and the consumer's choices allow. The same requirement extends to services such as trackers, telemetry, online assistants, and shopping carts. You will need to inventory, monitor, and control all data flows with third parties, and you will be accountable for any data leakage through them.

From a fine standpoint, the base penalties for violations do not change between the CCPA and CPRA: up to $2,500 for each unintentional and up to $7,500 for each intentional violation. But the CPRA applies the higher $7,500 figure to every violation involving the personal information of consumers under 16, whether or not it was intentional.

The CPRA also maintains two of the three thresholds established by the CCPA while modifying the third. Both regulations pertain to for-profit businesses that have annual gross revenue over $25 million or that derive 50% or more of their revenue from selling (and, under the CPRA, sharing) the personal information of California residents. The third threshold now states that any business that buys, sells, or shares the personal information of 100,000 or more California consumers or households must comply. This is up from the CCPA's 50,000, which also counted devices. If your organization meets any one of these three criteria, you are subject to the CPRA.

Going Beyond Compliance to Solidify Customer Relationships

The CPRA emerged because it would have been difficult to enforce CCPA and prosecute cases with limited government resources. The emergence of the new act demonstrates just how seriously California is taking data privacy and protection and sends a clear message that businesses and organizations will be penalized for lack of compliance.

It's clear the CPRA will change the game, mainly by creating a new government agency, the California Privacy Protection Agency, to strictly enforce privacy compliance. Within the next few years, more and more organizations will likely be penalized for non-compliance.

Given that other U.S. states are launching similar initiatives and the major impact GDPR is having on entities that conduct business in Europe, it’s clear companies and organizations also need to take data privacy and protection just as seriously. In addition to avoiding the potential fines and negative publicity that come with violations, implementing data privacy measures is a wise business decision. It demonstrates to your customers just how seriously you take their privacy. And that will help you build stronger, longer-lasting customer relationships.

How Ensighten Can Help

The CPRA goes into effect in January 2023 and will apply to information collected starting in January 2022. But the time to act is now, as data privacy and protection initiatives require time to deploy correctly and to ensure websites, portals, internal systems, and third-party relationships are compliant, with complete visibility into customer data flows.

To stay compliant with these laws, you can't rely on vendors that offer only nominal compliance, or privacy management through simple workflow mechanisms that depend on connections to additional systems to enact any policy you put in place; those dependencies greatly aggravate data leakage vulnerabilities. Ensighten's solution enforces privacy preferences and requests in real time without needing to interact with any other supply chain technology, which removes that path to data leakage.

With Ensighten Consent Management Plus (CMP+), you can set up opt-out of sale links for California consumers and give your customers a clear-cut choice on how their data is used, or whether it is collected at all. And our low-code, zero-integration deployment means Ensighten CMP+ is easy to use. A single line of code added to your website is all you need to stop data from being collected before your customers give their consent, allowing real-time enforcement of customer consent regardless of tag management systems or third-party tags.
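To make the mechanism concrete, here is an added example (not code from the original page, and not Ensighten's product) of the two controls described above: a client-side consent gate that holds non-essential tags until the consumer has made a choice and honors an opt-out of sale or sharing, and an audit of observed third-party requests against a vendor inventory, as the "Changes to Third Parties Rules" section calls for. The category names, vendor hostnames, sample tags and sample request URLs are all constructed for illustration; in a real page the tag descriptors would be read from deferred `<script type="text/plain" data-category="...">` elements and the request list from the browser's performance entries.

```javascript
// Added example: a minimal CCPA/CPRA-style consent gate plus a third-party
// request audit. Hypothetical code; categories, hosts and sample data below
// are constructed for illustration and are not part of any real product.

// Tag categories. Under the CPRA, cross-context behavioural advertising counts
// as "sharing", so the advertising category is subject to the opt-out.
const CATEGORIES = {
  necessary:   { sellsOrShares: false },
  analytics:   { sellsOrShares: false },
  advertising: { sellsOrShares: true },
};

// Consent state as it would be persisted first-party (cookie or localStorage).
//   decided:           the consumer has seen the notice and made or declined a choice
//   optOutSaleOrShare: "Do Not Sell or Share My Personal Information" was exercised
//   under16:           the business knows the consumer is under 16 (sale/share needs opt-in)
//   optIn:             categories the consumer has affirmatively opted in to
function newConsent({ decided = false, optOutSaleOrShare = false, under16 = false, optIn = [] } = {}) {
  return { decided, optOutSaleOrShare, under16, optIn: new Set(optIn) };
}

// Decide whether one tag may execute under the current consent state.
function decide(tag, consent) {
  const cat = CATEGORIES[tag.category];
  if (!cat) return { allow: false, reason: `unknown category "${tag.category}"` };
  if (tag.category === 'necessary') return { allow: true, reason: 'strictly necessary' };
  // Nothing non-essential fires before the consumer has had the chance to choose.
  if (!consent.decided) return { allow: false, reason: 'awaiting consumer choice' };
  if (cat.sellsOrShares) {
    if (consent.optOutSaleOrShare) return { allow: false, reason: 'consumer opted out of sale/share' };
    if (consent.under16 && !consent.optIn.has(tag.category)) {
      return { allow: false, reason: 'under-16 consumer has not opted in to sale/share' };
    }
  }
  return { allow: true, reason: 'permitted under current consent' };
}

// Partition a page's deferred tags into those to activate and those to hold.
// In a browser the descriptors would come from
//   document.querySelectorAll('script[type="text/plain"][data-category]')
// and activating one means cloning it with type="text/javascript".
function applyConsent(tags, consent) {
  const activate = [], blocked = [];
  for (const tag of tags) {
    const verdict = decide(tag, consent);
    (verdict.allow ? activate : blocked).push({ ...tag, reason: verdict.reason });
  }
  return { activate, blocked };
}

// Audit observed outbound requests against a vendor inventory. Any host that
// is not inventoried, or that belongs to a category the consent state blocks,
// is a data flow the business is accountable for under the CCPA/CPRA.
function auditRequests(requestUrls, vendorInventory, consent) {
  const findings = [];
  for (const url of requestUrls) {
    const host = new URL(url).hostname;
    const category = vendorInventory[host];
    if (!category) {
      findings.push({ host, issue: 'uninventoried third party' });
      continue;
    }
    const verdict = decide({ category, vendor: host }, consent);
    if (!verdict.allow) findings.push({ host, issue: `request fired although ${verdict.reason}` });
  }
  return findings;
}

// ---- constructed sample data (not real vendors) ----
const SAMPLE_TAGS = [
  { vendor: 'first-party-cart',               category: 'necessary' },
  { vendor: 'metrics.example-analytics.test', category: 'analytics' },
  { vendor: 'ads.example-adnetwork.test',     category: 'advertising' },
];
const VENDOR_INVENTORY = {
  'metrics.example-analytics.test': 'analytics',
  'ads.example-adnetwork.test': 'advertising',
};
const SAMPLE_REQUESTS = [
  'https://metrics.example-analytics.test/collect?pv=1',
  'https://ads.example-adnetwork.test/pixel?uid=abc123',   // should not fire after opt-out
  'https://cdn.unknown-chat-widget.test/loader.js',        // not in the inventory at all
];

// Demo: a consumer who has exercised the opt-out of sale/share.
function demo() {
  const optedOut = newConsent({ decided: true, optOutSaleOrShare: true });
  return {
    gate: applyConsent(SAMPLE_TAGS, optedOut),
    audit: auditRequests(SAMPLE_REQUESTS, VENDOR_INVENTORY, optedOut),
  };
}
console.log(JSON.stringify(demo(), null, 2));
```

Running `demo()` activates the necessary and analytics tags, holds the advertising tag with the reason "consumer opted out of sale/share", and the audit flags two findings: the ad pixel that fired despite the opt-out, and the chat-widget host that nobody inventoried. Before any decision is recorded only the necessary tag runs, and an under-16 consumer's advertising tags stay blocked until an explicit opt-in is stored.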

Request a demo to see how Ensighten can help your organization meet compliance with the CCPA and CPRA.

Want to know more about CCPA/CPRA? Check out these resources:

- 15 Minute Guide to CCPA Compliance

- Webinar: The CCPA and Your Business

Jeff Edwards

Jeff Edwards is a tech writer and analyst with six years of experience covering compliance, information security, and IT. Jeff previously worked as a reporter covering Boston City Hall.
