The California Consumer Privacy Act (CCPA) created groundbreaking new rules for how businesses must handle California consumers’ personal data and spurred proposals for similar legislation across the country. Among the rights the CCPA granted to consumers, which took effect Jan. 1, 2020, were (1) the right to notice before a business collects their personal data, (2) the right to know what has been collected, sold or disclosed, (3) the right to opt out of such sale, (4) the right to request deletion, and (5) the right to nondiscrimination for exercising these rights.
Less than one year later, on Nov. 3, 2020, California voters approved Proposition 24, which passed an amendment to the CCPA dubbed the California Privacy Rights Act of 2020 (CPRA) (full text available here). Proponents of the CPRA argue that it is intended to protect Californians’ privacy rights from legislative amendments and close loopholes that were being exploited by data companies.
Notable changes implemented by the CPRA include:
With the creation of the Agency, which is funded in part by the fines it collects, businesses should expect greater scrutiny of their compliance with California’s privacy laws. Although the CPRA does not take full effect until Jan. 1, 2023, the existing law under the CCPA will be enforced until then.
Companies should be mindful of the timeline of important dates for the CPRA: