While most of us have been understandably focused on the presidential election, the State of California has passed significant new privacy legislation that may have a substantive impact on your business. Specifically, Californians voted to pass Proposition 24, the California Privacy Rights Act of 2020 (CPRA). The CPRA will replace the California Consumer Privacy Act (CCPA) beginning January 1, 2023. While many may be quick to label this as "CCPA 2.0," the CPRA has a much broader set of rights and obligations than the CCPA, which may create new compliance hurdles for covered businesses. This alert will summarize several of the provisions of the CPRA that all covered businesses need to consider.
The CPRA takes effect on January 1, 2023. However, it will have a "look back" period to January 2022, meaning that personal information collected by businesses starting January 1, 2022 will be subject to the CPRA's requirements. Until that time, the CCPA remains in force. We have previously provided guidance on key considerations for complying with the CCPA, and now that enforcement of the CCPA has begun, companies must ensure they remain compliant.
The CPRA appears to be moving California's privacy regulations even closer to the requirements of the European Union's General Data Privacy Regulation (GDPR). The CCPA was already the most significant privacy legislation in the United States, and with the passage of the CPRA, the requirements companies will face are now further heightened. Some of the CPRA's key provisions include:
In addition to these provisions, the CPRA contains additional requirements with respect to the sharing of information, adds additional consumer rights (such as the creation of a new right of correction and expansion of the right to deletion), limits the CCPA's 30-day opportunity to cure provisions, expands the CCPA's anti-retaliation provisions, and includes new personal data retention requirements. Notably, the CPRA also extends the current CCPA exemption for personnel/applicant data until January 1, 2023.
With the CPRA, California has taken the nation's toughest privacy law – the CCPA – and expanded it to make it more comparable to Europe's GDPR. Companies need to review their current CCPA compliance plans and prepare to revamp those plans to address the numerous additional requirements imposed by the CPRA. This will involve, among other things, revision of privacy notices, retention schedules, privacy practices and disclosures. The consequences for failing to do so are only heightened by the creation of the CPPA, whose charge will be to focus on protecting the privacy of California consumers by enforcing the CPRA.