惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

SecWiki News
SecWiki News
OSCHINA 社区最新新闻
OSCHINA 社区最新新闻
V
Visual Studio Blog
博客园 - 叶小钗
S
SegmentFault 最新的问题
IT之家
IT之家
大猫的无限游戏
大猫的无限游戏
博客园_首页
Apple Machine Learning Research
Apple Machine Learning Research
钛媒体:引领未来商业与生活新知
钛媒体:引领未来商业与生活新知
月光博客
月光博客
酷 壳 – CoolShell
酷 壳 – CoolShell
腾讯CDC
D
Darknet – Hacking Tools, Hacker News & Cyber Security
V
V2EX
阮一峰的网络日志
阮一峰的网络日志
L
Lohrmann on Cybersecurity
量子位
C
Cyber Attacks, Cyber Crime and Cyber Security
T
Tor Project blog
J
Java Code Geeks
cs.CL updates on arXiv.org
cs.CL updates on arXiv.org
博客园 - 三生石上(FineUI控件)
Attack and Defense Labs
Attack and Defense Labs
AI
AI
The Cloudflare Blog
T
Tailwind CSS Blog
S
Schneier on Security
爱范儿
爱范儿
PCI Perspectives
PCI Perspectives
Stack Overflow Blog
Stack Overflow Blog
S
Secure Thoughts
Exploit-DB.com RSS Feed
Exploit-DB.com RSS Feed
T
The Exploit Database - CXSecurity.com
博客园 - 【当耐特】
V2EX - 技术
V2EX - 技术
S
Securelist
P
Proofpoint News Feed
T
Threat Research - Cisco Blogs
Help Net Security
Help Net Security
C
Cisco Blogs
N
News and Events Feed by Topic
人人都是产品经理
人人都是产品经理
B
Blog RSS Feed
K
Kaspersky official blog
T
The Blog of Author Tim Ferriss
G
Google Developers Blog
S
Security Affairs
freeCodeCamp Programming Tutorials: Python, JavaScript, Git & More
Simon Willison's Weblog
Simon Willison's Weblog

Blog of Simple Analytics

The EU wants to kill cookie banners Google is tracking you (even when you use DuckDuckGo) German court rules Meta’s tracking tech violates GDPR Closing the data gap - Simple Analytics x Usercentrics The EU-US data deal may be dead in the water You are missing 20% of your website data with GA4 How a reverse trial will push Simple Analytics to the next level Google will start tracking all your devices (WTF?) Big Tech Fails EU’s Digital Services Act: Only Wikipedia Passes the Test Meta fined $102 million by the Irish Data Protection Commission Europeans spend 575 Million hours per year clicking cookie banners The most interesting GDPR fines GDPR and fines: all there is to know Google loses key antitrust case Web Analytics for Crypto Companies Web analytics for publishers Google pulls Uno Reverse card: Rolls back decision to kill third-party cookies Privacy Monthly July 2024 Privacy Perspectives June 2024 Privacy Monthly June APRA fumbles targeted advertising Privacy Monthly May Meta loses key privacy battle Google delays cookie phase-out once again Privacy Monthly April 2024 Web Analytics and Consent Cookies 101 Privacy Monthly March 2024 German authority cracks down on cookie banners Google Tag Manager vs Google Analytics Google search alternative Data retention in Google Analytics Guide to Google Analytics and Cookie consent What are Google Analytics' identifiers? How to export data from Google Analytics Privacy Monthly February 2024 The Criteo case: a big deal for Big Tech Privacy Monthy January 2024 What the Digital Markets Act means for privacy Google Settles in $5B Incognito Mode Lawsuit Legal troubles for Adobe Analytics Web analytics for nonprofits HIPAA and mental health Why Meta subscriptions are under attack, and why it matters for privacy Privacy Monthly: December Simple Analytics AI Host analytics on Cloudflare Zaraz Add Google Analytics to Convertkit Google Analytics Pricing - Paid vs Free Road to 1 Million ARR - October update CCPA and Data Protection: all there is to know Analytics without a cookie banner Enterprise Analytics Privacy Monthly: November 2023 Delete Act: all you need to know Mobile App Tracking Under Fire The road to 1 Million ARR - September Update Privacy Monthly: October 2023 HIPAA violations First challenge to the EU-US data transfer framework Direct Marketing under GDPR Road to 1 million ARR - August Update Privacy Monthly: September 2023 A/B Testing with Simple Analytics Dobbs v. Jackson ruling is a privacy mess Privacy Monthly: August 2023 What are your rights under the CCPA? When does the CCPA apply? How does the HIPAA compare to the CCPA and GDPR? Why Meta is in a world of trouble CJEU: cookie-based analytics collects sensitive data Road to 1 million ARR - July update All about the new Data Transfer Framework Road to 1 Million ARR - June update What is PHI under HIPAA? Sweden declares Google Analytics illegal Searching for GA4 Alternatives? Top 10 Reliable Options for Google Analyticss Ultimate HIPAA Compliance Checklist: Essential Steps for Healthcare Providers Privacy Monthly: June 2023 More troubles for Google Analytics The path to 1M ARR - May Update Data Processing Agreements Minimal Product Analytics Facebook data transfers declared illegal Is Google Analytics CCPA-compliant? Help us with your input Cookie banners: How to stay GDPR compliant? GDPR Compliance Checklist Privacy Monthly: May 2023 Simple Analytics: Privacy-first website analytics Improve your e-commerce performance with analytics European Facebook blackout is closer than we think Know your website’s Carbon Emissions - and how to reduce it The path to 1M ARR - April 2023 How to add video tracking using Google Tag Manager? How to track form submissions using Google Tag Manager? Why is my Simple Analytics data different from Google Analytics? Debug Simple Analytics script How to Import Google Analytics Data to Simple Analytics
CCPA vs CPRA: what is new?
Iron Brands · 2023-09-12 · via Blog of Simple Analytics

The California Privacy Rights Act (CPRA) is a California law and an amended version of the California Consumer Privacy Act (CCPA). In other words, it is a change to the pre-existing privacy law of California.

It is worth noting that the CPRA is the result of a ballot initiative. This shows that California residents are concerned with their privacy and that privacy regulations find substantial support in the State.

Lets dive in to learn more about the CPRA and how it changed Californian privacy law!

  1. How is the CPRA enforced?
  2. Why are all these acronyms so confusing?
  3. When did the CPRA come into effect?
  4. How did the CPRA change the CPPA?
  5. Data minimization
  6. Protecting sensitive information
  7. The right to opt out: “do not sell or share”
  8. The right to have information corrected
  9. The CPRA and Global Privacy Control
  10. The CPPA
  11. Conclusions

The UK Government chose Simple AnalyticsJoin them

How is the CPRA enforced?

The CPRA is enforced by the Advocate General of California . Starting 2024, it will also be enforced by the California Privacy Protection Agency (CPPA).

Additionally, the CPRA includes a private right of action for data breaches, allowing customers to sue businesses directly (but not their partners and service providers).

Why are all these acronyms so confusing?

We have no idea and we hate it too. Here is a handy reference:

  • the CCPA (California Consumers Privacy Act) is the old California privacy law from 2018
  • the CPRA (California Privacy Rights Act) is the new law from 2020
  • the CPPA (California Privacy Protection Agency) is the enforcement agency established by the CPRA.

When did the CPRA come into effect?

The CPRA came into effect on January 1 2023. However, some of the CPRA’s rules are vague and need to be fleshed out by the CPPA through its regulations. These regulations will only come into effect in March 2024 because of a recent court decision.

In practice, this means that the regulation as a whole is already in effect, but certain rules will only become enforceable next year.

How did the CPRA change the CPPA?

The CPRA brought important changes to the CPPA, including:

  • introducing the data minimization principle
  • introducing stronger protection for sensitive information
  • expanding the scope of the right to opt-out of the selling or sharing of personal information
  • introducing obligation to honor the consumer’s global privacy controls
  • introducing a right to have personal information corrected
  • establishing the California Privacy Protection agency

Data minimization

Under the CRPA, consumers' personal information can only be processed and retained when reasonably necessary and proportionate for the purpose of the processing, or for a different, disclosed, and compatible purpose.

In a nutshell: 1) only process the data you need, and 2) only process them for the original purpose they were collected for, or for a compatible purpose the consumer knows about.

That’s the short, simplified version. The text of the rule has a lot more legal substance to it:

A business’s collection, use, retention, and sharing of a consumer’s personal information shall be reasonably necessary and proportionate to achieve the purposes for which the personal information was collected or processed, or for another disclosed purpose that is compatible with the context in which the personal information was collected, and not further processed in a manner that is incompatible with those purposes

Data minimization tries to achieve a lot with just one principle. In fact, CPRA data minimization covers two distinct GDPR principles- data minimization and purpose limitation. This is why the principle is so complicated.

Notably, the CPRA includes detailed rules on what counts as a compatible purpose. On the European side, the GDPR lacks such rules and leaves the notion open to interpretation.

Protecting sensitive information

The CPRA introduced a legal definition of sensitive information, as well as specific rules for processing this information.

Under CPRA, the notion of sensitive information covers:

  • precise geolocation data
  • religious beliefs
  • ethnic origin
  • contents of communication
  • genetic data
  • biometric information for the purposes of identification
  • health information
  • information about sex or sexual orientation
  • some other data that can be used for fraud or identity theft (social security number, access credentials, credit/debit card data, and so on)

Consumers have a right to request companies to limit the use and disclosure of their sensitive information to what is strictly necessary to provide the service. In other words, they can opt out of any non-essential use of their sensitive information.

We are not terribly fond of opt-out systems because they put the burden of privacy on the consumer as opposed to simply requiring good privacy practices from businesses. But the CPRA is still a step in the right direction because the CCPA featured no rules for sensitive data at all.

Under the CPRA, consumers have a right to opt out of the selling and sharing of their personal information. Under the CCPA consumers could opt out of the sale of personal information only. Therefore, the CPRA expands the scope of a pre-existing opt-out right.

This change was influenced by the debate within the legal community on the meaning of sale. A sale of personal information was defined in very broad terms under the CCPA: disclosing information in exchange of monetary or other valuable consideration, was considered to be a sale. The notion of valuable consideration was broad enough to cover cross-context behavioral advertising involving a third party (typically Google or Meta).

Nonetheless, some companies claimed that the use of analytics cookies was not a sale. So, the CPRA ended the debate once and for all: it expanded the scope of the right to opt-out to the selling and sharing of information, and clarified that the use of cookies for cross-context behavioral advertising is a form of data sharing.

Therefore, there is no doubt that consumers have a right to opt out from tracking for the purpose of contextual advertising under the CPRA!

Again, we are not fans of this opt-out system, but it is still good that consumers at least have the option to say “no thanks”.

The right to have information corrected

Oddly enough, the CCPA included a right to know and a right to erasure, but not a right to have personal information corrected. The CPRA filled this gap.

The right to correct largely works the same way as the rights to know and delete: businesses must comply within 45 days and may extend the deadline by another 45 days, provided that they inform the consumer.

The CPRA and Global Privacy Control

Global Privacy Control (GPC) is a technical standard embedded in browsers and plug-ins. GPC notifies websites of the privacy preferences of the consumer, including the refusal to have their information sold or shared. Under the CPRA, businesses must comply with GPC signals from the consumer’s browser.

As we said, most privacy rights in the CCPA/CPRA are opt-out rights. By streamlining the tedious process of opting-out, GPC can ease the burden on the consumer and make privacy rights easier to exercise. It will be interesting to see how widespread the use of GPC becomes and to what extent websites will comply.

You can learn more about GPC at https://globalprivacycontrol.org/.

The CPPA

As we explained, the CPRA established the California Privacy Protection Agency (CPPA). To some extent, you can think of the CPPA as the Californian equivalent of data protection authorities in Europe: the Agency is responsible for CCPA enforcement along with the Advocate General and can adopt regulations based on the CCPA.

The Agency is already at work, but because of a recent court decision, it will only be able to enforce its regulations in 2024.

Conclusions

We try to explain privacy laws in a simple way because we care about privacy. This is also why we build Simple Analytics: a lightweight, user-friendly analytics tool that provides you with all the insight you need while preserving user privacy.

If this sounds good to you, feel free to give us a try!