The California Privacy Rights Act (CPRA) is a recent addition to the state's data protection laws that came into effect earlier this year. This legislation builds upon the California Consumer Privacy Act (CCPA), which was implemented in January 2020. Additionally, it is equally important for your business to adhere to the guidelines outlined by the General Data Protection Regulation (GDPR), a comprehensive data and privacy law applicable in the European Union (EU). If your business operates in or conducts business in California or the EU, it is crucial to ensure that you are compliant with these laws.
In this article, we will go over each law, who each law applies to, the main differences, and how you can ensure you are in compliance with the law.
The California Consumer Privacy Act, or CCPA, was passed back in 2018. This act gave consumers more rights over which personal information businesses could collect from them. It also provided regulations and guidance for businesses to follow in order to be in compliance with the act.
This act gave consumers the right to:
In short, this act allowed consumers to have more control over which information businesses could collect about them and how they could use that information.
The CCPA applies to your business if you are a for-profit business that does business in California, or you meet any of the following requirements:
If your business meets any of these criteria, you are expected to meet the standards set in the CCPA.
In 2020, the California Privacy Rights Act, or CPRA, was passed, and it amended the CCPA and added a few new protections to the list. These new protections went into effect in January of 2023.
The additions allowed the consumers the right to:
If your business is subject to these changes, you have a responsibility to allow your consumers to exercise these rights, and to comply with these regulations by giving consumers notices about how your business is using their information.
The CPRA applies to your business if you are a for-profit business that does business in California, or you meet any of the following requirements:
If your business meets any of these criteria, you are expected to meet the standards set in the CPRA.
The General Data Protection Regulation, or GDPR, is a law passed in Europe in 2018 that provides European citizens with protection over the data that businesses collect about them. This law applies to all businesses that operate in the EU and to any outside businesses with operations or sales in the EU.
The GDPR offers the following protections:
Overall, these regulations give consumers the right to keep their data protected and safe from unlawful storage and use, and they require businesses to be fully transparent about how they use consumers' personal information.
The GDPR applies to both citizens and non-citizens of the European Economic Area (EEA) and the EU. Any business that operates or conducts business in the EU is required to follow GDPR guidelines. It applies to all 27 countries in the EU and EEA, including, but not limited to:
As of 2021, the UK is no longer a part of the EU and is not subject to the GDPR. Switzerland is also an exception to this rule because it has adopted its own privacy legislation.
The main difference between the CCPA, CPRA, and GDPR is the locations in which they are in effect. The CCPA and CPRA are California laws that affect any business that operates within California, has California employees, or sells products and services to residents of California. The GDPR is similar, except that it is in effect for businesses and residents of the EU.
Another main distinction is that the CPRA is not a standalone law, but it is an amendment to the CCPA.
All three of these laws have the biggest impact on businesses and residents that live or operate within California and the EU. If your business operates within these areas, you want to make sure that you are in compliance with these laws to avoid any legal trouble.
If your business operates in, has employees in, or sells products or services to consumers in California or the EU, your business must be in compliance with these laws. You will want to audit all of the personal data your company has collected to make sure it follows the guidelines of each law. While this will take some time, it will cover all of your bases and save you from any legal hassles in the future.
If you work with any service providers, you will also want to make sure that they are following the regulations set by each law. If your service providers aren't in compliance, it can be a huge risk for your company. Review any agreements that you have with service providers who process data on your behalf, and be sure to sign any required data processing agreements.
This checklist is a good baseline to make sure that your business is in compliance with the CCPA. To ensure you are also in compliance with the GDPR, you can use this checklist provided by the EU government.
Besides California, several other states also have stringent data security and privacy laws. Virginia, Connecticut, Colorado, and Utah have laws in place to protect their consumers, with eight other states following their lead.
There are also bills being proposed in Indiana, Iowa, Kentucky, Mississippi, New York, Oklahoma, Oregon, and Tennessee. However, these laws will slightly differ in how they regulate and implement data protection rights.
Check your state's rules and regulations to make sure that you are in compliance with any data laws that they have passed, and keep an eye out for any proposed bills that could affect the way your business handles data.