top of page

Demystifying CCPA to CPRA - Scope of Compliance and key differences

Updated: Jun 24, 2022

In the year 2018, the state of California passed the California Consumer Privacy Act (CCPA) which is considered a landmark piece of legislation. Within a year after the CCPA took effect, another consumer privacy law CPRA passed. We can say that the CPRA is more of a comprehensive version of the CCPA which has some extending rules and stipulations in order to increase the rights of California consumers.

In this article, we take you through the key differences between the two legislations, highlights, and key differences




Applicable thresholds

A business must comply if it meets any of the following:

(i) Gross annual revenue- Over $25 million.

(ii) Collects, buys, receives, or sells the personal information of 50,000 or more California residents, households, or devices; or

(iii) Obtains 50% or more of annual revenue from

selling California residents’ personal information.

A business must comply if it meets any of the following:

(i) Gross annual revenue- Over $25 million.

(ii) The CPRA has increased the threshold to double from CCPA. Now in order to be applicable, the number of consumers or households whose information must be collected should be 100,000.

(iii) This threshold has remained the same. In order to be applicable, a business must obtain 50% or more of their annual revenue from

selling or sharing California residents’ personal


Rights of Consumer

CCPA extends the following rights to consumers:

· Right to Know/Access

· Right to Delete

· Right to Opt-out of Sale

· Right to Non-Discrimination

CPRA affords all the rights under the CCPA and additionally the following rights:

· Right to Rectification

· Right to Limit Use and Disclosure of Sensitive Personal


Personal Information

“Personal-information” means information that identifies,relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household

Personal information, as well as “Sensitive Personal Information” which includes the following information:

· Social Security Numbers

· Racial and ethnic origins

· Biometric information

· Driver license numbers,

Exact geolocations

Limitation of use, retention, and collection of personal information


Personal information should be collected, retained, and used only to the extent of its necessity to provide goods or services.

Profiling and automated decision making


The CPRA has authorised regulations that enable consumers to opt out of the use of automated decision-making technology. This includes “profiling” or any form of processing of personal information that is automated in nature and executed with the intention of evaluating personal aspects pertaining to individuals, such as health, performance etc.

Submission of risk assessments and cybersecurity audits


Routine risk assessments must be submitted to the CPPA by those businesses whose processing poses considerably high risk to consumer privacy or security.

Such businesses (i.e., those who process information that presents a significant risk to consumer privacy or security) must conduct annual cybersecurity audit.


Violations by businesses are pursued by the Attorney General and consumers have a private right of action for a breach of certain information.

Businesses are allowed a 30-day period to cure the defects before being fined for a violation.

California Privacy Protection Agency has been established under the CPRA, for

enforcement and guidance.

Consumers have a private right of action for a breach of

certain information

Businesses do not have a 30-day cure period before

being fined for a violation by the CPPA

Violations involving minors’ personal information


Any violation pertaining to the personal information of minors will be automatically fined $7,500.

Private Right of Action

Private right of action is available under CCPA when there has been a breach because of a lack of maintenance of reasonable security measures where unredacted or unencrypted

personal information has been breached.

Under the CPRA, even beyond unredacted and unencrypted personal information, a private right of action is available when the breach has been caused because of the credentials of email address and password or security question that would allow access to an email account.


Sell v. Share

Under the CCPA, the provision pertains to businesses that “sell” Personal Information of customers for monetary or other-valuable consideration.

Under the CPRA, the provisions pertain to sharing data as well, in addition to selling. This includes sharing of data by a business in the absence of monetary or other valuable considerations to a third party for cross context behavioural advertising for business advantage.

Sharanya Mukherjee is a licensed lawyer, passionate about data protection, privacy, cybersecurity, and the law in general. In her role as an attorney at Allendevaux and Company, Sharanya provides organisations with data protection services and implements data prote

ction programs. She can be contacted at:

60 views0 comments


bottom of page