The California Privacy Rights Act
In November 2020, Californians voted in favor of Proposition 24, the California Privacy Rights Act of 2020 (CPRA), which will provide California residents with stronger privacy protections. The operative date of the CPRA is January 1, 2023, although the following provisions have a January 1, 2021 effective date:
- Employee and Business-to-Business Exemptions. As amended by the governor in October 2019, the CCPA contains exemptions for employee, job applicant and contractor personal information and for personal information exchanged in business-to-business relationships. The CPRA extends the expiration date for these exemptions to January 1, 2023.
- CPPA. The CPRA establishes the California Privacy Protection Agency (CPPA) within the state government as of January 1, 2021. The CPPA will be vested with full administrative power, authority, and jurisdiction to implement and enforce the CPRA.
- Rulemakings. The CPRA requires the CPPA to initiate rulemakings and develop regulations on 20+ topics relating to definitions, exemptions, technical specifications for opt-out preference signals, automated decision-making, cybersecurity audits and risk assessments, and monetary thresholds for “business” eligibility, and requires that final regulations be adopted by July 1, 2022. The effective date of these rulemaking provisions would be January 1, 2021, to ensure guidance is provided before the CPRA becomes fully operative in 2023.
The CPRA is an expansion of the California Consumer Privacy Act (CCPA), which came into effect on Jan. 1, 2020. CPRA seeks to protect more types of privacy information, provide additional rights for consumers, establish an oversight entity, and detail rights specific to minors. Some of the key changes include:
- A definition for sensitive personal information (SPI) and SPI compliance obligations
- Additional limitations on tracking
- Broader legal recourse rights for consumers
- Specific protections for minors
- A “right of correction” for consumers
- A requirement that consumers be informed of the length of time a business intends to retain each category of personal information
- Elimination of the 30-day cure period for general violations of the law