As readers know, on November 3, 2020, California State voters passed Proposition 24, better known as the California Privacy Rights Act ("CPRA"). The CPRA significantly changes California's privacy landscape, which was still developing after the recent enactment of the California Consumer Privacy Act of 2018 ("CCPA"). While the CPRA's history mirrors that of the CCPA, the CPRA law should be seen as a significant expansion of the privacy rights set out under the CCPA.
What is the History of the CPRA Law?
The CPRA Law Creates a Stricter Compliance Regime
The CCPA was originally envisioned as an initiative to be added to the 2018 ballot in California. Fearing that such an initiative would result in unclear obligations, various industries opposed the ballot initiative, and ultimately compromised with privacy advocacy groups to pass the CCPA into law. Although the CCPA has since seen several amendments, privacy rights proponents were disappointed by what they perceived to be weak consumer protections found in the now effective version of the CCPA. To address these issues, privacy rights advocates introduced, lobbied for, and recently passed the CPRA law through a ballot initiative.
How Does the CPRA Law Differ From the CCPA?
The CPRA law creates numerous new obligations for businesses regarding the collection, use, sale, and sharing of personal information. For example, the CPRA law creates a new regulated category of data, referred to as "sensitive personal information," which includes, inter alia, biometric data, precise geolocation, and government identifiers, such as Social Security Numbers and drivers' license numbers. Consumers will be able to prescribe how businesses use their sensitive personal information, including prohibiting the disclosure of sensitive personal information to third parties under certain circumstances.
The CPRA law also affords consumers the right to request that a business correct any inaccurate personal information held by that business. In addition, the CPRA law allows consumers to access a company's information regarding automated decision-making technology, which may include a business's efforts to profile a consumer's habits, interests, or economic activity. Critically, the CPRA law allows consumers to opt out of a business's automated decision-making technology altogether.
The CPRA law also creates a new enforcement authority, which will be known as the California Privacy Protection Agency ("CPPA"). The CPPA will have investigative, enforcement, and rulemaking powers relating to the CPRA. With the creation of the CPPA as a new, dedicated agency, many observers anticipate an increase in enforcement. This is particularly significant because the CPRA removes the thirty (30) day cure period that currently exists under the CCPA. This means that businesses will no longer have the opportunity to avoid liability by rectifying alleged violations after being formally notified by the State's Attorney General.
Less than two years after the CCPA completely overhauled consumer privacy rights in California and, by extension, the United States, the CPRA law has again introduced massive compliance challenges for many businesses that hold the personal information of California consumers. Indeed, this blog merely scratches the surface of relevant changes. Please note that the CPRA law will become operative on January 1, 2023 and apply to consumer information collected on or after January 1, 2022. Accordingly, businesses need to work quickly to ensure they are ready by 2022.
Similar Blog Posts:
The New CCPA has Passed into Law. Now When Does it Take Effect?
CCPA 2.0 on California's November Ballot
How Does the CPRA Compare to the GDPR? Ask a CPRA Lawyer
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.