On November 4, 2020, California voters approved of the ballot initiative Proposition 24, more commonly known as the California Privacy Rights Act (the “CPRA”). The CPRA goes into effect on January 1, 2023, and will expand several of the existing protections in the California Consumer Privacy Act (the “CCPA”).
As background, the original CCPA emerged in 2018 as a compromise between legislators and the advocacy group, Californians for Consumer Privacy, which had secured a ballot measure vote for its proposed privacy law. Californians for Consumer Privacy withdrew the ballot measure upon the passing of the CCPA. However, the group became concerned that amendments to the CCPA resulted in diluted privacy protections, and it thereafter secured a spot on the 2020 ballot for California citizens to vote on the CPRA.
As mentioned in our prior posts, the CPRA creates some of the following new rights and requirements:
- Right to restrict use of “sensitive personal information”;
- Right to correct data;
- Storage limitation: right to prevent companies from storing information longer than necessary and right to know the length of time a business intends to retain each category of personal information;
- Data minimization: right to prevent companies from collecting more information than necessary;
- Right to opt out of advertisers using precise geolocation (< than 1/3 mile);
- Penalties if email address and email password are stolen due to negligence;
- Restrictions on onward transfers of personal information;
- Establishes California Privacy Protection Agency to protect consumers;
- Requires high risk data processors to perform regular cybersecurity audits and risk assessments; and
- Requires the appointment of a chief auditor with power to audit businesses’ data practices.
The CPRA mandates a minimum of $10 million in annual funding to the newly created Privacy Protection Agency. The Privacy Protection Agency has the power to draft additional regulations, which may provide further clarity or raise new questions on the CPRA’s scope. Businesses will therefore need to stay apprised of changes over the coming months and years in order to fully understand their compliance obligations.