Next up in our 2023 data privacy laws series is the California Privacy Rights Act, or CPRA. CPRA amends the California Consumer Privacy Act (CCPA) to add protection for consumers. It was passed as a ballot initiative in November 2020 and took effect on January 1st, 2023. Enforcement is said to begin on July 1st of this year, but recent modifications to the draft regulations show that there may be some flexibility with early enforcement. The California Privacy Protection Agency (CPPA), the body responsible for enforcing the CPRA, may take into account the time between the publication of the final regulations and the enforcement date, as well as “good faith efforts to comply with those requirements.”
California already had a recent data privacy law, the CCPA, but CPRA expands the volume of data that falls within its scope. CPRA also expands upon the data privacy rights that were in the CCPA. In addition to the right to know, the right to access, the right to deletion, the right to portability, and the right to opt out of sale, CPRA will add the right to rectification and the right to opt out of targeted advertising. A change that may catch some off guard is that CPRA clarifies that a cookie banner is not an acceptable mechanism for handling opt-out requests for targeted advertising or data sales. Other meaningful changes made by CPRA are the significantly increased fines for data breaches of children’s data and breach liability for disclosure of credentials that could compromise a consumer’s account.
An addition that CPRA brings to California’s data privacy landscape is the creation of a new privacy regulator, the California Privacy Protection Agency (CPPA). The CPPA will begin enforcement on July 1st, and its sole mission will be to protect consumer privacy in accordance with California data privacy laws. However, it will have the additional charge of preparing new rules and regulations in the consumer data privacy space. The CPPA will be a well-funded and well-resourced agency for enforcing data privacy laws while taking some of the burden off the office of the California Attorney General.
Comparatively, this means that CPRA will likely be the most comprehensive data privacy law in the US and will have teeth to back it up. Businesses that are subject to CPRA should already be preparing for enforcement to begin. An essential part of preparing for CPRA should be creating a data map and understanding what data you actually process. From there, you should conduct a gap analysis to find where to make changes to comply with CPRA data privacy mandates. Those subject to CCPA should already be familiar with the ability to opt out of the sale of personal information; however, they should now prepare to provide the ability to opt out of targeted advertising that relies on sharing personal information with third parties. While it can be a heavy lift getting compliant with CPRA, doing so should bring businesses into compliance with other state data privacy laws and will be a solid foundation for future state or national data privacy laws.