The California Privacy Rights Act (“CPRA”), also known as Proposition 24, became effective on January 1, 2023. Rather than acting as a complete overhaul of the California Consumer Privacy Act (“CCPA”), the CPRA further strengthens and expands upon the data privacy rights of Californian consumers established by the CCPA. The CPRA seeks to give consumers greater control over their personal information, for example, by granting them the ability to limit the use and disclosure of sensitive personal information.
Amendments and Evolution from the CCPA
The CPRA applies to a somewhat narrower set of businesses compared to the CCPA, as the CPRA doubled the CCPA's consumer and household data processing thresholds. It retains the extraterritorial scope, affecting not only businesses within California but also those interacting with Californian residents' data, unless that interaction takes place wholly outside of California. Below are a few other notable differences between the CPRA and the CCPA:
- California Privacy Protection Agency: The CPRA established the California Privacy Protection Agency (“CPPA”), an independent regulatory body responsible for enforcing the CPRA and ensuring compliance.
- Sensitive Personal Information: The CPRA introduces the concept of "Sensitive Personal Information," including data like Social Security numbers, financial account information, precise geolocation, and health-related information. While such data is "personal information" under the CCPA, the CPRA introduces new consumer choice and disclosure requirements for certain uses of Sensitive Personal Information.
- Data Retention Periods: Businesses under the CPRA are obligated to provide consumers with specific retention periods for each category of personal information collected (or at least the criteria used to determine retention), providing transparency about data retention.
B2B and Employee Data; Impact on Investment Advisers, Broker-Dealers and Other Financial Professionals
Previously, the CCPA generally exempted “personal information” (i.e., information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, to a particular person) about a business’s employees or business-to-business contacts, but those exemptions are no longer available. As a result, investment advisers, broker-dealers, fund managers, and other financial institutions subject to the CCPA that have employees in California may be subject to new compliance obligations under the CCPA. Similarly, subject to the exceptions described below, financial businesses that have clients, investors, or prospective clients or investors in California are subject to these same new obligations.
The CCPA still exempts non-public information that is subject to the Gramm-Leach-Bliley Act or California Financial Information Privacy Act, which address privacy concerns for financial institutions. While certain information collected by investment advisers, broker-dealers and fund managers may fall within those exemptions, they should analyze the CCPA's applicability to their operations.
The CPRA became effective on January 1, 2023, and the regulations implemented by the CPPA were set to become enforceable on July 1, 2023. However, on June 30, 2023, a California state court judge issued an injunction delaying enforcement of the regulations until March 29, 2024, one year after the first set of regulations was finalized. While enforcement of the regulations is postponed, the statute itself is still effective and enforceable.
The CPRA signals a shift towards more focused regulations and enforcement of data privacy practices in furtherance of an ongoing commitment to protecting consumers in the digital age. By expanding the scope of the CCPA, introducing new concepts, and establishing the CPPA, the CPRA sets higher standards for data protection and transparency. As financial professionals and businesses navigate the evolving landscape of data privacy, understanding the nuances of the CPRA is vital. Businesses operating in or interacting with Californian data (which is almost any financial professional or business with a practice that touches California in any way) should prioritize compliance efforts to navigate the evolving regulatory landscape.
See Cal. Chamber of Comm. v. Cal. Privacy Protection Agency, 34-2023-80004106-CU-WM-GDS (Cal. Sup. Ct. June 30, 2023).