Is your organization ready for California’s latest privacy rights law, enacted at the end of 2020 – the CPRA? This article addresses some key considerations to help you determine whether your organization may be subject to the CPRA.
With the enactment of the California Privacy Rights Act (Proposition 24) (“CPRA”) on December 16, 2020, businesses will now need to ensure that their protection of consumer data complies not only with the California Consumer Privacy Act, Cal. Civ. Code § 1798.100-1798.199 (“CCPA”), but also with the CPRA. The CPRA extends some of the rights already provided by the CCPA, and it also refines some of the existing definitions and provisions in the CCPA.
Most of the CPRA’s provisions are not operative until January 1, 2023. Final CPRA regulations are to be adopted by July 1, 2022.
The CPRA creates a new California agency for the protection of consumers’ personal information and privacy – the California Privacy Protection Agency. Initially, the Attorney General of California will be responsible for creating regulations under the CPRA, but the Agency will take over the rulemaking responsibilities by July 1, 2021.
Penalties for violations of the CPRA are similar to those for violations of the CCPA. For unintentional violations, there is a fine of $2,500 per violation, and for intentional violations, there is a fine of $7,500 per violation.
The definition of “business” under the CPRA is similar to the definition under the CCPA, but the CPRA gives greater clarity on some of the grey areas in the CCPA. For example, the CPRA provides that the $25 million annual gross revenue provision applies to the preceding calendar year. The CPRA also clarifies that the threshold for buying, selling or sharing personal information applies annually, and it doubles the number of consumers or households from 50,000 in the CCPA to 100,000 in the CPRA. Finally, the threshold for businesses that derive 50% of their annual revenue from selling consumers’ personal information is broadened under the CPRA to also include the “sharing” of information.
Some key provisions of the CPRA include the following:
California continues to lead the way in the U.S. for the protection of personal data and privacy. We expect other states to start following California’s lead with similar versions applicable to each state. Or, with the new administration in effect as of January 20, 2021, we may finally see a federal data protection and privacy law passed.
If your organization is subject to compliance with the CCPA, it may very well have to comply with the CPRA, as well. Your organization should consider consulting with legal counsel regarding potential compliance with the CPRA and approving a budget for any additional privacy compliance efforts that may be needed.