The CCPA’s core requirements can be grouped broadly into three categories: (1) rights owed by businesses to Californians concerning their personal data, (2) data security breach risks and obligations, and (3) vendor management.
The CPRA expanded the scope of the first category – i.e., the rights conferred upon Californians concerning their personal data. Under the CPRA, Californians will have the right to fix errors concerning their personal information, to opt out of behavioral advertising, to object to the use of sensitive information, and to object to automated decision-making and profiling. The CPRA also created two additional categories of core requirements: (1) the ability to process and retain data, which requires a company to have a record retention policy and minimize data collected, and (2) business accountability and governance, in which companies will be required to conduct security risk assessments and privacy risk assessments and appoint an employee responsible for privacy compliance.
The following chart compares the main obligations imposed by the CPRA to those that had been imposed by the CCPA: