While Washington is advancing a new proposed federal privacy bill¹, California is preparing for implementation of the California Privacy Rights Act (CPRA) at the start of 2023. CPRA builds on the state’s existing California Consumer Privacy Act (CCPA), the first privacy law of its kind in the US. Companies currently subject to CCPA will want to note these five key points of difference between the existing and new law.

CPRA is not a replacement, but an extension. Businesses are still required to follow the regulations established by CCPA, which took effect on Jan. 1, 2020. CPRA expands on these regulations, providing additional rights to consumers while also closing what some critics claim are loopholes in the existing regulations. CCPA gives consumers the right to see the information that companies retain about them, the right to have their data deleted upon request, and the right to opt out of sharing their information. CPRA adds two new rights: the right to limit how their information is used and disclosed, and the right to request the correction of inaccurate information.

Implementation and enforcement dates are different. While CPRA has an effective date of Jan. 1, 2023, the state indicated that enforcement won’t officially begin until July 1, 2023. However, some of its provisions will retroactively apply to personal information collected from Jan. 1, 2022, so some data collected before CPRA takes effect is still liable for compliance.

Businesses that believe they’re exempt might not be. CPRA generally applies to California businesses with $25 million in revenue, or businesses that sell, buy or share personal data from 100,000 or more California consumers (an increase from the 50,000 required under CCPA), or businesses that earn 50% or more of their revenues from sharing or selling personal information. While the increase to 100,000 California consumers may see some businesses exempt from CPRA compliance, the addition of “sharing” personal information – in addition to selling personal information – likely will see other businesses now required to comply with the new privacy law.

Enforcement is shifting between state agencies. CCPA is enforced by the California Attorney General. Under CPRA, a new state agency will be formed to handle enforcement – the California Privacy Protection Agency. The Attorney General will be one member of a five-member board appointed by the governor to oversee the new agency. Consumers will retain the private right of action² first afforded under CCPA, although this right is expanded to include not only data breaches, but also the unauthorized access of email addresses, passwords and security questions.

Expanded consumer rights bring expanded obligations for businesses. Compliance with CPRA will require businesses processing consumers’ personal information to perform an annual cybersecurity audit, as well as submit to the new enforcement agency a risk assessment on a regular basis.

In many ways, CPRA echoes many of the provisions of the EU’s General Data Protection Regulation (GDPR), so global organizations in compliance with GDPR may have a head start. Other companies should begin planning for expanded data mapping, updated privacy policies and contracts, and required website updates. If the U.S. government ultimately passes a federal privacy law, businesses in compliance with CPRA will be one step ahead.

‍

----------------------

1. https://www.natlawreview.com/article/congress-releases-draft-federal-privacy-law-potential-traction-to-pass
2. https://legal.thomsonreuters.com/en/insights/articles/understanding-california-consumer-privacy-act

While Washington is advancing a new proposed federal privacy bill¹, California is preparing for implementation of the California Privacy Rights Act (CPRA) at the start of 2023. CPRA builds on the state’s existing California Consumer Privacy Act (CCPA), the first privacy law of its kind in the US. Companies currently subject to CCPA will want to note these five key points of difference between the existing and new law.

CPRA is not a replacement, but an extension. Businesses are still required to follow the regulations established by CCPA, which took effect on Jan. 1, 2020. CPRA expands on these regulations, providing additional rights to consumers while also closing what some critics claim are loopholes in the existing regulations. CCPA gives consumers the right to see the information that companies retain about them, the right to have their data deleted upon request, and the right to opt out of sharing their information. CPRA adds two new rights: the right to limit how their information is used and disclosed, and the right to request the correction of inaccurate information.

Implementation and enforcement dates are different. While CPRA has an effective date of Jan. 1, 2023, the state indicated that enforcement won’t officially begin until July 1, 2023. However, some of its provisions will retroactively apply to personal information collected from Jan. 1, 2022, so some data collected before CPRA takes effect is still liable for compliance.

Businesses that believe they’re exempt might not be. CPRA generally applies to California businesses with $25 million in revenue, or businesses that sell, buy or share personal data from 100,000 or more California consumers (an increase from the 50,000 required under CCPA), or businesses that earn 50% or more of their revenues from sharing or selling personal information. While the increase to 100,000 California consumers may see some businesses exempt from CPRA compliance, the addition of “sharing” personal information – in addition to selling personal information – likely will see other businesses now required to comply with the new privacy law.

Enforcement is shifting between state agencies. CCPA is enforced by the California Attorney General. Under CPRA, a new state agency will be formed to handle enforcement – the California Privacy Protection Agency. The Attorney General will be one member of a five-member board appointed by the governor to oversee the new agency. Consumers will retain the private right of action² first afforded under CCPA, although this right is expanded to include not only data breaches, but also the unauthorized access of email addresses, passwords and security questions.

Expanded consumer rights bring expanded obligations for businesses. Compliance with CPRA will require businesses processing consumers’ personal information to perform an annual cybersecurity audit, as well as submit to the new enforcement agency a risk assessment on a regular basis.

In many ways, CPRA echoes many of the provisions of the EU’s General Data Protection Regulation (GDPR), so global organizations in compliance with GDPR may have a head start. Other companies should begin planning for expanded data mapping, updated privacy policies and contracts, and required website updates. If the U.S. government ultimately passes a federal privacy law, businesses in compliance with CPRA will be one step ahead.

‍

----------------------

1. https://www.natlawreview.com/article/congress-releases-draft-federal-privacy-law-potential-traction-to-pass
2. https://legal.thomsonreuters.com/en/insights/articles/understanding-california-consumer-privacy-act