CPRA vs CCPA: What does it mean?
What is CPRA?
The California Privacy Rights Act (CPRA) is a new state-wide data privacy bill passed into law on November 3, 2020.
The CPRA is more accurately described as an amendment of the CCPA, in which the Attorney General vests all of the power to enforce.
The California Privacy Rights Act (CPRA) takes effect on January 1, 2023 and becomes fully enforceable on July 1, 2023 – with a lookback period from January 1, 2022.
What is the CCPA?
The California Consumer Privacy Act (CCPA), signed into law on June 28, 2018, creates an array of consumer privacy rights and business obligations with regard to the collection and sale of personal information.
What does CPRA / CCPA mean for consumers?
- The right to know (request disclosure of) personal information collected by the business about the consumer, from whom it was collected, why it was collected, and, if sold, to whom;
- the right to delete personal information collected from the consumer;
- the right to opt-out of the sale of personal information (if applicable);
- the right to opt-in to the sale of personal information of consumers under the age of 16 (if applicable);
- the right to non-discriminatory treatment for exercising any rights; and
- the right to initiate a private cause of action for data breaches.
What does the CPRA add to these original CCPA rights?
- the right to correct inaccurate personal information; and
- the right to limit use and disclosure of sensitive personal information.
What personal information is deemed ‘personal’?
- a consumer’s social security, driver’s license, state identification card, or passport number;
- a consumer’s account log-in, financial account, debit card, or credit card number in combination with any required security or access code, password, or credentials allowing access to an account;
- a consumer’s precise geolocation;
- a consumer‘s racial or ethnic origin, religious or philosophical beliefs, or union membership;
- the contents of a consumer’s mail, email and text messages, unless the business is the intended recipient of the communication;
- a consumer’s genetic data.
Are Signable e-Signatures compliant with CCPA vs CRPA?
Yes! We use 256-bit SSL encryption on our app and desktop platform. SSL encryption means we cannot share or tamper with any of your personal information that you provide us with.
We have an extensive guide on our Data Security & Compliance here. For this reason, we are compliant with both the old CCPA and new CRPA regulations.
We have an extensive page outlining eSignatures & their legality in the US. Find our US eSign & UETA Act page here.
What are we doing to prepare for CPRA and CCPA?
Data mapping: The Signable infrastructure is scanned on a daily basis against the OWASP top 10 security issues and any issues highlighted to the Signable development team to identify and document what PI will fall under the scope of the CPRA.
Updating privacy notices: we are constantly monitoring and updating our existing privacy notices and webpages to make sure they reflect the most up to date privacy rights and related disclosure obligations.
Review downstream data-sharing practices: Your data, including names, address details, and the documents themselves, are never exposed to third parties. Where third party contractors are used, we heavily vet and regulate them, and if data is required for them to perform their role, sample data is provided.
Interested in reading more from us?
Read our previous blog post: