Webinar Recap: What the California Privacy Rights Act Means for Your Business
- Chris Achatz
- November 17, 2020
The California Privacy Rights Act (CPRA), which clarifies and expands the California Consumer Privacy Act (CCPA), was passed by ballot initiative in the Nov. 3 General Election.
The CPRA will amend the California Consumer Privacy Act of 2018 (the “CCPA”). Because of its significant expansion of the CCPA obligations, the CPRA has been deemed “CCPA 2.0.” The substantive provisions of the CPRA are set to take effect on January 1, 2023, and, except for the right to access personal information, the CPRA would apply only to personal information collected after January 1, 2022.
KO’s data privacy team, which includes data privacy experts Chris Achatz and Erin Locker hosted a webinar on Nov. 16 about the new consumer rights and potential business liabilities the CPRA creates. The attorneys are both Certified Information Privacy Professionals (CIPP/US) through the International Association of Privacy Professionals (IAPP).
Watch the webinar replay.
Top 10 CPRA Changes:
- New Enforcement Agency. The CPPA is the first regulatory agency in the U.S. that is exclusively dedicated to privacy.
- New Scope of Covered Entities
- Additional Rights for California consumers
- “Sensitive Personal Information” Requirements
- Private Right of Action for Data Breaches
- Updated Contractual Requirements
- Heightened Penalties for Children’s Information
- Extended Exemption for B2B & Employee Personal Information until January 1, 2023
- CCPA Exemptions Clarified and Expanded
The CCPA was passed by the California legislature in 2018 to avoid a stringent privacy law planned for California’s November 2018 ballot by the same proponents of the CPRA. The CPRA is intended to “further protect [California] consumers’ rights, including the constitutional right of privacy” under California’s constitution. It will take effect Jan. 1, 2021, and the existing enforcement of the CCPA will remain in effect in the interim.
Several democratic representatives in California came out in support of Prop 24 along with several unions and organizations, including the NAACP and Consumer Watchdog. The Republican, Libertarian, and Green Parties were opposed to Prop 24, along with various unions and organizations, including the ACLU and Consumer Action. Some cited concerns that the CPRA did not go far enough to protect consumer privacy.
The CPPA may bring regulatory actions beginning July 1, 2023. After 30 days’ prior notice to the business of the alleged violation, the CPPA may make a determination of probable cause that the CPRA has been violated. The CPRA also comes with steeper penalties for violations. The revised regulations clarify what types of business, service providers and third parties and independent contractors that must comply.