The California Privacy Rights Act of 2020 (“CPRA”) was approved during the California Statewide General Election as Proposition 24 on November 3, 2020. This means the California Consumer Privacy Act (“CCPA”) will be amended by the CPRA, which establishes a new privacy enforcement agency, adds new definitions for sensitive data with limits on use and sharing, and expands breach liability.
The CPRA will enter into force on January 1, 2023 and, apart from the right to access, will apply to personal information collected by businesses back to January 1, 2022. The California Constitution states that ballot initiatives "approved by a statewide general election take effect the fifth day after the Secretary of State certifies the election results." "On the fifth day after certification," five provisions of the CPRA will become law, likely in mid-December.
The five provisions include extensions of the employee exception and business-to-business exception to January 1, 2023; the establishment of a Consumer Privacy Fund; direction for the California attorney general "to adopt regulations and the mechanisms to transfer regulatory authority" to the state's new enforcement agency, the California Privacy Protection Agency (“CPPA”); creation of the CPPA, "vested with full administrative power, authority and jurisdiction to implement and enforce the CCPA, as amended by the CPRA"; and designation of funds for the CPPA, which are expected to be approximately $10 million.
The CPPA will be composed of five board members. Two of these seats (including the chair) will be appointed by the governor, and the remaining seats will be appointed, one each, by the attorney general, the Senate Rules Committee, and the Speaker of the Assembly.
Beginning on July 1, 2021, or six months after the new agency provides notice to the California Attorney General that it is prepared to begin rulemaking activity, whichever is later, the authority assigned to the California Attorney General to adopt regulations under the CPRA shall be transferred to the new CPPA. The final regulations under CPRA must be adopted by July 1, 2022.
On January 1, 2023, the remainder of CPRA will become fully operational, which includes:
- Modifying the definition of covered “businesses” by doubling the CCPA's threshold number of consumers or households from 50,000 to 100,000, expanding applicability to businesses that generate most revenue from sharing personal information, not just selling it, and extending the definition to joint ventures or partnerships composed of businesses that each have at least a 40% interest.
- Creating a new category of sensitive personal information and giving consumers the right to opt out of certain uses and disclosures of that information.
- Expanding the requirements for notice at collection.
- Imposing a purpose limitation on the collection, use, retention, and sharing of consumers' personal information.
- Allowing consumers to prevent businesses from sharing their personal information for cross-context behavioral advertising, request correction of inaccurate personal information, opt out of the use of automated decision making, including profiling, and request information about automated decision making.
- Expanding contract requirements with third parties, service providers and “contractors.”
- Imposing “reasonable security” obligations.
- Authorizing specified civil penalties for theft of consumer login information.
- Enhancing children's privacy by tripling fines for violations of the CCPA's opt-in to sale right and creating a new requirement to obtain opt-in consent to sell or share data from consumers under the age of 16.
Civil and administrative enforcement of the obligations added by the CPRA cannot begin until July 1, 2023 and can only apply to violations occurring on or after that date.
Tandy is counsel in the Litigation, Discovery, and Privacy & Data Security groups. She specializes in information management issues, including privacy and data security. Tandy uses her experience to help clients understand their ...