With 72% of the vote in, 56.1% of Californians have voted in favor of Proposition 24, making it likely that the California Privacy Rights Act of 2020 (CPRA) will pass. The CPRA – a ballot initiative – will usher in material amendments to the existing California Consumer Privacy Act (CCPA). Proponents have argued that the CPRA could form the baseline for future federal U.S. privacy legislation, or even grounds for EU adequacy status for California.
The CCPA will remain in full force and effect until the CPRA becomes effective on Jan. 1, 2023. Like the CCPA, there will be a six-month delay between the CPRA’s effective date and enforcement of the Act, with enforcement actions commencing on July 1, 2023. With the exception of the right to access, the CPRA will only apply to personal information collected by a business on or after Jan. 1, 2022.
However, the following CPRA provisions have a Jan. 1, 2021 effective date:
- Employee and Business-to-Business Exemptions. As amended in October 2019, the CCPA contains partial exemptions for the personal information (PI) of employees, job applicants, and contractors, as well as PI exchanged in business-to-business relationships. The CPRA extends the current Jan. 1, 2021 expiration date for these exemptions until Jan. 1, 2023.
- CPPA. The California Privacy Protection Agency (CPPA), a dedicated, five-member privacy regulatory body with full administrative power and jurisdiction, will be established to enforce the Golden State’s consumer privacy laws and impose fines.
- Rulemakings. The CPRA requires the CPPA to initiate rulemakings and develop regulations on 20+ topics relating to definitions, exemptions, technical specifications for opt-out preference signals, automated decision-making, cybersecurity audits and risk assessments, and monetary thresholds for “business” eligibility. Final regulations must be adopted by July 1, 2022.
The CPRA modifies the CCPA in potentially impactful ways for in-scope entities that do business in California, regardless of where such businesses are physically established, have employees, or embed company infrastructure.
Notable highlights of the CPRA include:
- Cure Period Limited to Breaches. Whereas under the CCPA, a business may avoid enforcement generally if it remedies a curable violation within 30 days of being so notified, the CPRA removes this provision. Instead, it allows a 30-day cure period only in relation to preventing statutory damages (not pecuniary damages) as part of a data breach-related private right of action. The law also confirms that implementing reasonable security measures following a breach will not constitute a business’s cure with respect to that breach.
- Expanded Private Right of Action. Consumers have a broadened private right of action to sue a business if an email address in combination with a password or security question and answer is subjected to unauthorized access as a result of the business’s unreasonable security procedures.
- Advertising. Consumers can opt out of sharing their PI – whether or not for monetary or other valuable consideration – for “cross context behavioral advertising,” which is explicitly excluded from the definition of “business purpose,” thereby likely creating further operational complications for site/app publishers and ad tech companies in relation to programmatic digital advertising activities.
- Revised Scope to Exclude More SMEs. If a business does not meet the $25 million revenue threshold, it must either annually buy, sell, or share for cross-context behavioral advertising the PI of 100,000 or more consumers or households (up from 50,000 under the CCPA), or derive more than 50% of its revenue from selling PI or sharing it for cross-context behavioral advertising.
- Children’s PI. The maximum penalty for a business’s violations concerning consumers under age 16 is tripled to $7,500 per intentional violation.
- Sensitive PI. Consumers can limit businesses’ use and/or disclosure of “sensitive personal information,” a new category and definition that includes precise geolocation (i.e., within a radius of 1,850 feet), private communications (e.g., mail, email, and text messages), ethnicity, religion, genetic data, sexual orientation, and specified health information. The new category brings heightened notice requirements for businesses and new site and app opt-out links that must be displayed to consumers.
- Retention Periods & Storage Limitation. Taking a cue from the EU’s General Data Protection Regulation (GDPR), the CPRA prohibits businesses from retaining PI for longer than necessary for the purpose of the collection. Businesses must also inform consumers of the length of time they retain each category of PI.
- Additional Consumer Rights. In addition to the rights noted above – to restrict a business’s use of sensitive PI and to know the length of data retention – consumers also have the right to correct inaccurate PI. The CPRA also extends the right to access beyond the 12-month look-back period (unless doing so would be impossible) and requires businesses to inform their service providers and the third parties with whom they shared a consumer’s PI of a consumer’s deletion request.
- Contractual Requirements. The CPRA requires businesses that share PI with service providers, newly defined “contractors,” and third parties to enter into contracts extending the CPRA requirements to these entities’ handling of such PI, and requires service providers to have similar contracts in place with any sub-service providers.
- Difficulty of Amendment. Of note to lobbyists and industry groups hoping to lessen some of the law’s more burdensome provisions, the CPRA, by its text, is difficult to weaken, as any legislative amendment to it “shall be null and void” unless it is “consistent with and furthers the purpose and intent” of the CPRA.
For more information about the CPRA, please visit and bookmark GT’s CPRA page.