CCPA Compliance Vs CPRA Compliance
USA. SINGAPORE. INDIA. UK. MIDDLE EAST. CANADA.
An ISO27001 Certified Company, CERT-IN Empanelled, PCI QSA, PCI QPA and PCI SSFA
W: www.vistainfosec.com | E: info@vistainfosec.com
US Tel: +1-415-513-5261 | UK Tel: +442081333131 | SG Tel: +65-3129-0397
IN Tel: +91 73045 57744 | Dubai Tel: +971507323723
Introduction
The California Consumer Privacy Act (CCPA) was signed into law on June 28, 2018. It established consumer privacy rights and business obligations concerning the collection and sale of the personal information of California residents, and it came into effect on January 1, 2020. In November 2020, California voters approved Proposition 24, the California Privacy Rights Act of 2020 (CPRA), which amends and expands the CCPA and is set to replace it. The CPRA is best described as a revision of the existing compliance framework, with amendments and additions to its provisions, rather than an entirely new law. In this article we walk through those amendments and additions and compare CCPA Compliance with CPRA Compliance. But first, let us understand what exactly the CPRA is.
What is CPRA?
The California Privacy Rights Act is an enhanced version of the CCPA. It takes effect on January 1, 2023, and strengthens the existing privacy rights of California residents by tightening the security and privacy requirements that apply to consumers' personal information. It applies to businesses that do business in California and collect and process the personal information of California residents, subject to the applicability thresholds summarized below. Non-compliance carries civil penalties of up to $2,500 per violation, or up to $7,500 per intentional violation, and violations involving the personal information of minors are also fined at the higher rate.
Broadly speaking, the new regulation is an updated version of the existing CCPA. It amends the existing provisions, updates the data subject rights, and introduces several new requirements. The table below summarizes the changes introduced by the CPRA.
What are the Key Changes Introduced in CPRA?

Selling & Sharing of Data

CCPA Compliance: applies to businesses that sell personal information for monetary or other valuable consideration.

CPRA Compliance: applies to businesses that sell personal information for monetary or other valuable consideration, and additionally to personal information that a business "shares" with a third party for cross-context behavioral advertising for the benefit of a business, whether or not money is exchanged.

Applicability Threshold

CCPA Compliance: for-profit businesses that collect and process the personal information of California residents and meet any one of the following thresholds must comply:
- Gross annual revenue of over $25 million;
- Buy, receive, or sell the personal information of 50,000 or more California residents, households, or devices; or
- Derive 50% or more of their annual revenue from selling California residents' personal information.

CPRA Compliance: for-profit businesses that collect and process the personal information of California residents and meet any one of the following thresholds must comply:
- Gross annual revenue of over $25 million;
- Buy, sell, or share the personal information of 100,000 or more California residents or households; or
- Derive 50% or more of their annual revenue from selling or sharing California residents' personal information.

Covered Data

CCPA Compliance: covers Personal Information, meaning information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.

CPRA Compliance: covers Personal Information and additionally defines a category of "Sensitive Personal Information", which includes information such as Social Security numbers, driver's license numbers, biometric information, precise geolocation, and racial or ethnic origin.

Third-Party Service Provider

CCPA Compliance: defines a Service Provider as an entity that processes personal information on behalf of a business pursuant to a written contract.

CPRA Compliance: retains the Service Provider definition and adds the category of Contractor, meaning an entity to which a business makes available a consumer's personal information for a business purpose pursuant to a written contract with the business.

Data Retention & Minimization

CCPA Compliance: not addressed.

CPRA Compliance: businesses may only collect and retain personal information to the extent "reasonably necessary" and "proportionate" to the purpose for which it was collected.

Consumer Rights

CCPA Compliance:
1. Right to Opt-Out of Third-Party Sales: consumers may opt out of a business selling their personal information.
2. Right to Know: businesses must respond to consumer requests to know what personal information was collected within the prior 12 months.
3. Right to Delete: consumers can request that a business delete their personal information if it is no longer needed to fulfill the purposes for which it was collected.
4. Right to Data Portability: consumers have the right to receive a copy of their personal information by mail or electronically.
5. Opt-In Rights for Minors: businesses must obtain opt-in consent before selling the personal information of a California consumer under 16 years of age.

CPRA Compliance:
1. Right to Opt-Out of Third-Party Sales and Sharing: the opt-out right is expanded to cover the sharing of personal information in addition to selling.
2. Right to Know: the period covered by a request to know is extended beyond the prior 12-month window under certain circumstances.
3. Right to Delete: as under CCPA; in addition, a business must pass the deletion request on to third parties that have bought or received the consumer's personal information, so that all parties holding the data delete it.
4. Right to Data Portability: as under CCPA; in addition, consumers can request that specific personal information be transferred to another entity "to the extent technically feasible, in a structured, commonly used, machine-readable format."
5. Opt-In Rights for Minors: as under CCPA; in addition, once a minor has declined, a business must wait 12 months before asking again for consent to sell or share their personal information, and the opt-in right explicitly covers the sharing of data for cross-context behavioral advertising.
6. Right to Correct Information: consumers have the right to request that a business correct inaccurate personal information.
7. Right to Limit Use and Disclosure of Sensitive Personal Information: consumers have the right to limit the use of their sensitive personal information to what is necessary to perform the services they requested, and to limit its disclosure.
8. Right to Access Information About Automated Decision-Making: consumers have the right to request information about the logic involved in automated decision-making processes and a description of the likely outcome of the process with respect to their personal information.
9. Right to Opt-Out of Automated Decision-Making Technology: consumers have the right to opt out of being subject to automated decision-making, including profiling.

Enforcement

CCPA Compliance: the California Attorney General enforces the law and can pursue violations; consumers have a private right of action for breaches of certain personal information; businesses have a 30-day cure period before being fined for a violation by the Attorney General.

CPRA Compliance: the newly created California Privacy Protection Agency (CPPA) enforces the law and issues guidance; consumers retain the private right of action for breaches of certain personal information; businesses no longer have an automatic 30-day cure period before being fined for a violation by the CPPA.

Private Right of Action

CCPA Compliance: consumers can file a civil suit against a business for actual damages or statutory damages of $100 to $750 per consumer per incident, whichever is greater, where the business failed to implement reasonable and appropriate security measures and, as a result, the consumer's unencrypted or unredacted personal information was subject to a breach.

CPRA Compliance: the same right of action, with the categories of personal information for which consumers can sue expanded to include an email address in combination with a password or security question and answer that would permit access to the account.

Penalties

CCPA Compliance: civil penalties of $2,500 per unintentional violation and $7,500 per intentional violation; violations involving the personal information of minors are fined at the same rates as violations involving any other personal information.

CPRA Compliance: the same $2,500 and $7,500 penalties, plus a $7,500 penalty for each violation involving the personal information of consumers under 16, whether or not the violation was intentional.

Cyber Security Audits

CCPA Compliance: not required.

CPRA Compliance: businesses whose processing of personal information presents a significant risk to consumer privacy or security must perform an annual cybersecurity audit.

Risk Assessment

CCPA Compliance: not required.

CPRA Compliance: businesses whose processing of personal information presents a significant risk to consumer privacy or security must submit regular risk assessments to the CPPA.

Final Thought
The CPRA takes full effect on January 1, 2023. Businesses that handle the personal information of California residents should start the groundwork for CPRA compliance during 2022. Businesses that are already CCPA compliant should perform a gap assessment against the new CPRA requirements. We also recommend that organizations keep track of any further updates to the CPRA and its regulations between now and January 2023, and that they consult compliance experts such as VISTA InfoSec, who can guide you through the process and help you meet the CPRA's requirements.
Do write to us your feedback, comments and queries or, if you have any
requirements: info@vistainfosec.com
You can reach us on:
US Tel: +1-415-513-5261 | UK Tel: +442081333131 | SG Tel: +65-3129-0397
IN Tel: +91 73045 57744 | Dubai Tel: +971507323723

Best Immigration Consultants in Amritsar- SAGA Studies
 
The best Social Media Spy Apps for Catching Your Unfaithful Wife.pdf
The best Social Media Spy Apps for Catching Your Unfaithful Wife.pdfThe best Social Media Spy Apps for Catching Your Unfaithful Wife.pdf
The best Social Media Spy Apps for Catching Your Unfaithful Wife.pdf
 
Emmanuel Katto Uganda - A Philanthropist
Emmanuel Katto Uganda - A PhilanthropistEmmanuel Katto Uganda - A Philanthropist
Emmanuel Katto Uganda - A Philanthropist
 
Enhance Your Home with Professional Painting Services
Enhance Your Home with Professional Painting ServicesEnhance Your Home with Professional Painting Services
Enhance Your Home with Professional Painting Services
 
Siddhivinayak temple timings Houston, TX
Siddhivinayak temple timings Houston, TXSiddhivinayak temple timings Houston, TX
Siddhivinayak temple timings Houston, TX
 
Understanding Love Compatibility or Synastry: Why It Matters
Understanding Love Compatibility or Synastry: Why It MattersUnderstanding Love Compatibility or Synastry: Why It Matters
Understanding Love Compatibility or Synastry: Why It Matters
 
Electrical Testing Lab Services in Dubai.pptx
Electrical Testing Lab Services in Dubai.pptxElectrical Testing Lab Services in Dubai.pptx
Electrical Testing Lab Services in Dubai.pptx
 
Copy Trading Forex Brokers 2024 ptx
Copy Trading Forex Brokers 2024      ptxCopy Trading Forex Brokers 2024      ptx
Copy Trading Forex Brokers 2024 ptx
 
x ray baggage scanner manufacturers in India
x ray baggage scanner manufacturers in Indiax ray baggage scanner manufacturers in India
x ray baggage scanner manufacturers in India
 
METS Lab SASO Certificate Services in Dubai.pdf
METS Lab SASO Certificate Services in Dubai.pdfMETS Lab SASO Certificate Services in Dubai.pdf
METS Lab SASO Certificate Services in Dubai.pdf
 
Biomass Briquettes A Sustainable Solution for Energy and Waste Management..pptx
Biomass Briquettes A Sustainable Solution for Energy and Waste Management..pptxBiomass Briquettes A Sustainable Solution for Energy and Waste Management..pptx
Biomass Briquettes A Sustainable Solution for Energy and Waste Management..pptx
 
DOJO Training room | Training DOJO PPT
DOJO Training room | Training DOJO   PPTDOJO Training room | Training DOJO   PPT
DOJO Training room | Training DOJO PPT
 
Bridging the Language Gap The Power of Simultaneous Interpretation in Rwanda
Bridging the Language Gap The Power of Simultaneous Interpretation in RwandaBridging the Language Gap The Power of Simultaneous Interpretation in Rwanda
Bridging the Language Gap The Power of Simultaneous Interpretation in Rwanda
 
Electrical Testing Lab Services in Dubai.pdf
Electrical Testing Lab Services in Dubai.pdfElectrical Testing Lab Services in Dubai.pdf
Electrical Testing Lab Services in Dubai.pdf
 
Expert Tips for Pruning Your Plants.pdf.
Expert Tips for Pruning Your Plants.pdf.Expert Tips for Pruning Your Plants.pdf.
Expert Tips for Pruning Your Plants.pdf.
 
eBrand Promotion Full Service Digital Agency Company Profile
eBrand Promotion Full Service Digital Agency Company ProfileeBrand Promotion Full Service Digital Agency Company Profile
eBrand Promotion Full Service Digital Agency Company Profile
 

CCPA Compliance Vs CPRA Compliance.pdf

  • 1. CCPA Compliance Vs CPRA Compliance
  • 2. Introduction

The California Consumer Privacy Act (CCPA) is a law signed on June 28, 2018, that established and promoted consumer privacy rights and business obligations concerning the collection and sale of personal information of citizens of California. The CCPA came into effect on January 1st, 2020. Soon after, in November 2020, Proposition 24, known as the California Privacy Rights Act of 2020 (CPRA), was introduced and is soon to replace CCPA Compliance. CPRA is the updated version that expands CCPA Compliance. The latest version is more accurately described as an improvement on the existing compliance framework, with amendments and additions introduced in its provisions. Explaining these amendments and new additions, we share all the details of CCPA Compliance Vs CPRA Compliance in this article. But before that, let us understand what exactly CPRA Compliance is.
  • 3. What is CPRA?

The California Privacy Rights Act is an enhanced version of CCPA Compliance. It is set to go into effect on January 1, 2023, and is said to improve the existing privacy rights of citizens of California. The CPRA regulation ensures maximum security and privacy of consumers’ personal information. The regulation applies to any business in California that collects and processes the personal information of citizens of California. Non-compliance attracts civil penalties of up to $2,500 per violation, or $7,500 per intentional violation. Further, higher penalties may be charged for violations involving the information of children.

Broadly speaking, the new regulation is an updated version of the existing CCPA Compliance. It amends the regulation, updates the data subject rights, and introduces several new requirements in CPRA Compliance. The table below summarizes the changes introduced in CPRA Compliance.

What are the Key Changes Introduced in CPRA?
  • 4. Selling & Sharing of Data
CCPA Compliance: CCPA applies to businesses for selling personal data for monetary or other valuable consideration.
CPRA Compliance: CPRA applies to businesses for selling personal data for monetary or other valuable consideration, and further to personal data shared by a business with a third party for cross-context behavioral advertising for the benefit of a business where no money is exchanged.

Applicability Threshold
CCPA Compliance: For-profit businesses that collect and process personal information of California residents and meet any of the following thresholds must comply:
- Gross annual revenue of over $25 million;
- Buy, receive, or sell the personal information of 50,000 or more California residents, households, or devices; or
- Derive 50% or more of their annual revenue from selling California residents’ personal information.
CPRA Compliance: For-profit businesses that collect and process personal information of California residents and meet any of the following thresholds must comply:
- Gross annual revenue of over $25 million;
- Buy, sell, or share the personal information of 100,000 or more California residents or households; or
- Derive 50% or more of their annual revenue from selling or sharing California residents’ personal information.

Covered Data
CCPA Compliance: CCPA Compliance covers Personal Information, which is information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.
CPRA Compliance: CPRA Compliance covers Personal Information as well as “Sensitive Personal Information”, which includes information such as SSN, driver's license numbers, biometric information, precise geolocation, and racial and ethnic origin.

Third-Party Service Provider
CCPA Compliance: CCPA defines a Third-party Service Provider as an entity that processes personal information on behalf of a business pursuant to a written contract.
CPRA Compliance: CPRA defines a Third-party Service Provider as an entity that processes personal information on behalf of a business pursuant to a written contract. This also includes Contractors to whom a business makes available a consumer’s personal information for a business purpose pursuant to a written contract with the business.

Data Retention & Minimization
CCPA Compliance: NA
CPRA Compliance: Businesses must only collect and retain what’s “reasonably necessary” and “proportionate” to the intended purpose.

Consumer Rights
CCPA Compliance:
1. Consumer Rights to Opt-Out of Third-Party Sales - CCPA allows consumers to opt out of businesses selling their data.
2. Right to Know: The CCPA requires that businesses respond to consumer requests to know personal information that was collected within the prior 12 months.
3. Right to Delete - Under CCPA, California consumers can request businesses to delete their personal information if it is no longer needed to fulfill the purposes for which it was collected.
4. Right to Data Portability: Under the CCPA right to data portability, consumers have the right to receive a copy of their personal information by mail or electronically.
5. Opt-In Rights for Minors: CCPA requires that businesses obtain opt-in consent to sell the personal information of a California consumer under 16 years of age.
CPRA Compliance:
1. Consumer Rights to Opt-Out of Third-Party Sales and Sharing - CPRA expanded this right to include the sharing of personal information, in addition to selling.
2. Right to Know: CPRA extends the timeline for businesses to respond to consumer requests to know personal information that was collected beyond the prior 12-month window under certain circumstances.
3. Right to Delete - Under CPRA, California consumers can request businesses to delete their personal information if it is no longer needed to fulfill the purposes for which it was collected. It also requires businesses to send the request to delete to third parties that have bought or received the consumer’s personal information, so that all parties having access to the personal information delete the data.
4. Right to Data Portability: Under CPRA, consumers have the right to receive a copy of their personal information by mail or electronically, and further they can request to transfer specific personal information to another entity “to the extent technically feasible, in a structured, commonly used, machine-readable format.”
5. Opt-In Rights for Minors: CPRA requires that businesses obtain opt-in consent to sell the personal information of a California consumer under 16 years of age. Further, CPRA mandates businesses to wait 12 months before asking a minor consumer for consent to selling or sharing their personal information after the minor has declined. It also states that the opt-in right must explicitly include the sharing of data for cross-context behavioral advertising.
6. Right to Correct Information: A consumer has the right to request that a business correct any inaccurate personal information.
7. Right to Limit Use & Disclosure of Sensitive Data: The consumer has the right to limit the use of their sensitive data to only what is necessary to perform the services they requested, and to limit disclosure of specific sensitive data.
8. Right to Access Information About Automated Decision Making: The consumer has the right to request information about the logic involved in automated decision-making processes, and a description of the likely outcome of the process with respect to their personal data.
9. Right to Opt-Out of Automated Decision-Making Technology: The consumer has the right to opt out of being subject to automated decision-making processes, including profiling.

Enforcement
CCPA Compliance: The California Attorney General can pursue a violation. Consumers have the right to action for a breach of certain information. Businesses have a 30-day cure period before being fined for a violation by the AG.
CPRA Compliance: The California Privacy Protection Agency (CPPA) ensures enforcement and provides guidance. Consumers have the right to action for a breach of certain information. Businesses no longer have a 30-day cure period before being fined for a violation by the CPPA.

Private Right of Action
CCPA Compliance: Under the CCPA, consumers can file a civil suit against a business for damages or $100 to $750 in statutory damages (whichever is higher) for failing to take reasonable and appropriate security measures to protect their unencrypted or unredacted personal information from being subject to a breach.
CPRA Compliance: Under CPRA, consumers can file a civil suit against a business for damages for failing to take reasonable and appropriate security measures to protect their unencrypted or unredacted personal information from being subject to a breach, and further the categories of PI for which they can sue have been increased to include email addresses in combination with a password or security question and answer that would permit access to the account.

Penalties
CCPA Compliance: Fines for violations involving the personal information of minors are the same as the fines for other types of personal information: $2,500 for each unintentional and $7,500 for each intentional violation.
CPRA Compliance: Under CPRA, a $7,500 fine applies to a violation involving the personal information of minors.

Cyber Security Audits
CCPA Compliance: N/A
CPRA Compliance: Under CPRA, an annual cyber security audit is required to be performed by businesses whose processing presents a significant risk to consumer privacy or security.

Risk Assessment
CCPA Compliance: N/A
CPRA Compliance: Under CPRA, a business whose processing presents a significant risk to consumer privacy or security must submit a regular risk assessment to the CPPA.

  • 8. Final Thought

CPRA is said to take full effect by January 1, 2023. So, businesses in California that deal with the personal information of California residents should kick-start groundwork for the upcoming CPRA compliance by 2022. Further, businesses that are currently CCPA compliant must now work towards performing a gap assessment against the new CPRA. We also recommend organizations keep a tab on any latest updates introduced regarding CPRA during the course of this year until January 2023. Further, we also recommend businesses consult with compliance experts like us at VISTA InfoSec who can guide you through the process of compliance and help you meet the requirements of CPRA.
  • 9. Do write to us your feedback, comments and queries or, if you have any requirements: info@vistainfosec.com