On Election Day, November 3, 2020, California voters overwhelmingly voted in favor of Proposition 24—a ballot measure that creates the California Privacy Rights Act (CPRA). The CPRA revises and expands the California Consumer Privacy Act (CCPA), creating new industry requirements, consumer privacy rights, and enforcement mechanisms. The CPRA's new obligations for businesses will come into effect on January 1, 2023. At that time, the CPRA will effectively replace the CCPA. In the meantime, the CPRA requires that a new California privacy agency be established and that it adopts implementing regulations.
The CPRA modifies the CCPA's definition of "business," both limiting and expanding the types of companies that will have to comply with the law. The definition doubles the CCPA's threshold to companies that handle the personal information (PI) of 100,000 or more California1 consumers or households (under the CCPA, the number was 50,000).2 In addition, whereas the CCPA definition of "business" included companies that receive the PI of 50,000 or more Californians for a commercial purpose, the CPRA only brings in scope companies that buy, sell, or "share" Californians' PI. This change to the definition of business may result in some small- to medium-sized businesses not having to comply with the CPRA, where they previously had to comply with the CCPA.
The definition of business was also extended to joint ventures and partnerships composed of businesses in which each business has a 40 percent share. The definition now clarifies that a company's parent or subsidiaries are only brought in-scope if the company shares PI with the parent or subsidiary (in addition to the CCPA requirement that the entities share common branding).
In addition, the CPRA limits the definition of "personal information" by excluding "publicly available" information, including information published by individuals on social media sites and "truthful information that is a matter of public concern."
New Industry Requirements
Additional Privacy Disclosures to Consumers
Businesses that control the collection of consumers' PI need to make additional disclosures to those consumers. For example, the CPRA establishes a new category of "sensitive personal information" and requires that businesses provide disclosures regarding the collection, use, selling, and sharing of such information in the business's privacy notice. "Sensitive personal information" includes: 1) Social Security Number, driver's license, or state identification card number, or passport number; 2) financial account information; 3) precise geolocation; 4) race, ethnicity, religion, union membership; 5) a consumer's mail, email, and text messages (unless the business is the intended recipient of the communication); 6) genetic data and biometric information; 7) information concerning a consumer's health; and 8) information about a consumer's sex life or sexual orientation. Businesses will also need to tell consumers about their new privacy rights related to sensitive PI (described below).
Data Retention and Minimization
The CPRA also adopts some General Data Protection Regulation (GDPR)-like principles, including data minimization and purpose limitation. Further, businesses will be required to tell consumers the length of time the business retains each category of PI collected. This requirement may necessitate revisiting or creating a data retention and destruction policy that addresses each category of PI collected from a California resident.
Service Providers and Contractors
The CPRA will require businesses to update their agreements with third parties and service providers to whom they disclose consumers' PI to include specific terms outlined in the CPRA. Further, the CPRA clarifies that service providers and contractors3 are not entitled to:
The CPRA also requires service providers to notify businesses when they employ a subcontractor, and that subcontractor agreement must bind the parties to the same CPRA terms in the business-service provider agreement.
New Consumer Privacy Rights
Businesses will need to implement new processes to address expanded and modified consumer rights under the CPRA, including:
The CPRA modifies and clarifies other existing CCPA consumer rights:
New California Privacy Agency and Enforcement Mechanisms
The CPRA will establish the California Privacy Protection Agency (CPPA), which is tasked with investigating and enforcing the CPRA and promulgating regulations. The five-member board will be appointed by the governor, attorney general, state senate, and speaker of the assembly. The California attorney general also has the authority to investigate and enforce CPRA violations.
The CPRA does away with the CCPA's 30-day right to cure period for privacy violations. It also allows the CPPA to extract a civil penalty of $2,500/violation and increases the penalties to $7,500 for intentional violations and certain violations involving children.
Notably, like the CCPA, the CPRA does not include a private right of action for failure to comply with the law's privacy obligations. However, it retains the CCPA's private right of action for data breaches involving certain types of personal information and resulting from a failure to implement reasonable security measures.
 The CPRA resolves an ambiguity from the CCPA, making clear that this threshold applies only to California consumers and households.
 The other two thresholds remain the same: Companies that have $25 million or more in annual revenues, or that make 50 percent or more of the revenues from monetizing personal information, still qualify as “businesses” if they are doing business in the State of California, regardless of the number of Californians’ data they process. The CPRA also clarifies that the $25 million threshold is to be calculated on January 1 of each year using the business’s revenue from the preceding year, thus removing the possibility of reaching the threshold mid-year.
 The term “contractor” was added to the CPRA but does not materially differ from a service provider in practice. While a service provider receives and processes PI on behalf of a business, a business “makes available” personal information to a contractor. The requirements for contractors and service providers are the same under the CPRA.