In a busy election season, and with many ballot initiatives taking up room, the California Consumer Privacy Rights Act (CPRA) passed with a 56% majority, ushering in a new wave of privacy requirements for companies doing business with Californians. The CPRA received plenty of attention from big tech firms as well as consumer groups, and rightfully so. Alastair Mactaggart and his organization, Californians for Consumer Privacy, hardly let the paint dry on the California Consumer Privacy Act (“CCPA”) before introducing the CPRA, with the goal of ensuring that the privacy protections provided to Californians under the CCPA could not be gutted by lobbyists and of keeping the conversation surrounding federal privacy legislation alive and well. By taking the CPRA directly to Californians, Alastair and team removed the middleman and gave the people of California the power to decide on their data privacy rights.
The CPRA aligns California privacy law closely with the General Data Protection Regulation (GDPR) and provides additional rights to consumers while also placing more obligations on businesses and giving them some clarity about their responsibilities. The chart below outlines the differences between the CCPA and CPRA and gives a digestible timeline of what will happen now that the CPRA has passed, so here let’s focus on some key updates and the potential operational impact of the CPRA.
The California Privacy Protection Agency will take over enforcement from the Attorney General’s (AG) office. During the early days of the CCPA, the California AG did not appear to be exactly what you would call excited about being tasked with enforcing the CCPA. Between the AG favoring the private right of action and mentioning that the office has many responsibilities and limited resources, valid questions existed about the prioritization of CCPA enforcement. The formation of an agency responsible for rulemaking and enforcement will put any questions about enforcement of the CPRA to bed, and organizations can no longer take a “wait and see” approach towards data privacy. The California Privacy Protection Agency will have plenty of incentive to enforce the CPRA, and it will be interesting to see what it can do, even with a starting budget of $10 million.
Under the CCPA, consumers currently have the right to know, as well as to delete (with exceptions, of course), the personal information that businesses have about them. Under the CPRA, these rights are expanded to include:
- Right to Correct
- Right to Accuracy
- Right to Restrict
- Right to Data Portability
- Right to Opt-Out of Automated Decision Making
- Right to Minimization
- Right to Storage Limitation
Correction and accuracy are straightforward and are often rights that organizations are already honoring, even if informally. Others will be familiar to those who have solved for GDPR, while storage limitation and minimization put the onus on the organization to justify its collection, ensuring that it collects personal information only for legitimate reasons and securely deletes that information after the legitimate reason expires.
Check out our comparison chart and timeline by downloading them below.