CALIFORNIA CONSUMER PRIVACY ACT (CCPA) AND CALIFORNIA PRIVACY RIGHTS ACT (CPRA)

Additionally, if a consumer requests information, the company must disclose the requested information. 

Consumers can request data collected up to 12 months prior to the date of their request, and the company typically has 45 days from the request to provide the requested information.

If a business or entity is in violation of CCPA, they will receive a notification and will have 30 days to correct the violation. If the company does not take steps to achieve compliance, the company can be fined $2,500 per violation. If the violation is deemed willful, the company can be fined $7,500 per violation. Additionally, any consumer affected by a data breach is entitled to damages ranging from $100 to $750 per person.

The California Privacy Rights Act (CPRA) will come into effect in 2023 and will enhance California’s current data privacy laws.

This Act does not replace the CCPA but is an addition to the existing laws. The CPRA adds four additional consumer rights to the data privacy rights granted by the CCPA. These rights are the right to:

• Correction
• Restrict sensitive personal information
• Opt-out of Automated Decision-making Technology
• Access information about Automated Decision-making

In addition, it expands or modifies five existing consumer rights. In general, consumer consent takes on a larger role under the CPRA. However, information that is publicly available is not considered under CPRA, including unrestricted information a consumer distributes on social media. The CPRA also grants employees, full-time, contractors, and applicants; the same rights as regular consumers.

All company thresholds established in the CCPA have also been modified in the CPRA. The changes are bolded below:

• Exceeds $25 million annual gross revenues of the preceding calendar year
• Receives, buys, or sells the personal information of 100,000 or more consumers or households 
• Earns more than 50 percent of its annual revenue from the sharing or sale of consumers’ personal information
Commonly controlled entities and joint ventures will be required to comply with CPRA.

One of the most important changes

is that companies must inform consumers “at or before the point of collection” as to:

• If personal information is sold or shared
• Information about the collection, processing, and disclosure of “sensitive personal information”
• “The length of time the company intends to retain each category of personal information” or “the criteria used to determine such period”
 
In addition, how companies use consumer information with third parties will be further restricted under CPRA.

If a company or entity fails to adequately protect consumers’ data from unauthorized access such as breaches and theft, it will be easier for consumers to sue. Additionally, the CPRA eliminates the 30-day corrective time companies were afforded under CCPA. Violations involving minors under the age of 16 will now be fined $7,500 per violation. The newly created California Privacy Protection Agency (CPPA) will oversee and have broad jurisdiction of personal data protection.


Privacy laws are constantly evolving. It is important to be compliant with the CCPA and make sure you adhere to CPRA before it takes effect. If you have questions about your data privacy practice and want to see if you are compliant with the CCPA and CPRA, contact us at Whitcomb, Selinsky, P.C. Our expert legal team of data/cybersecurity/privacy specialists will review your current procedures and suggest additional processes as needed.

If you have received a CCPA violation notice

we will examine your violation, advise on corrective actions to resolve your violation, and work with the necessary officials if needed to ensure the violation is rectified. It is our job to know the laws so you can get back to business. If you need legal help with California Privacy Law, call us at (303)-534-1958 or fill out the form below. We are here to help you today.