What is the California Privacy Rights Act (CPRA)?
The California Privacy Rights Act of 2020 (CPRA), also known as Proposition 24, is a California ballot proposition that was approved by a majority of voters after appearing on the ballot for the general election on November 3, 2020.
This proposition expands California’s consumer privacy law and builds upon the California Consumer Privacy Act (CCPA) of 2018, which established a foundation for consumer privacy regulations.
CPRA History and Summary
The California Privacy Rights Act (CPRA) is a new state-wide data privacy bill passed into law on November 3, 2020.
It underscores California’s position as the US frontier in data privacy legislation, as it significantly expands upon the existing California Consumer Privacy Act (CCPA) that took effect on January 1, 2020.
In short, the California Privacy Rights Act (CPRA) works as an addendum to the CCPA – strengthening rights of California residents, tightening business regulations on the use of personal information (PI), and establishing a new government agency for state-wide data privacy enforcement called the California Privacy Protection Agency (CPPA), among key changes to the Golden State’s data privacy regime.
The California Privacy Rights Act (CPRA) becomes fully effective on January 1, 2023. Enforcement is scheduled to begin on July 1, 2023 – with a so-called lookback period to January 1, 2022, meaning data collected from that date on is liable for compliance.
Timeline for California Privacy Rights Act (CPRA) –
- January 1, 2021 – California Privacy Rights Act (CPRA) goes into law and the California Privacy Protection Agency (CPPA) is established.
- July 1, 2021 – process for formulating and adopting CPRA regulations begin.
- January 1, 2022 – PI collection becomes liable under the CPRA’s one-year lookback period.
- July 1, 2022 – deadline for final CPRA regulations to be adopted by the CPPA.
- January 1, 2023 – CPRA enters into full force.
- July 1, 2023 – Enforcement of the CPRA begins under the CPPA.
How were companies got impacted by the CPRA?
The CPRA changed the definition of business to exclude smaller businesses and include bigger businesses that generate a large income from the collection, sharing and/or selling of Californians’ personal information (PI).
The CCPA imposes obligations on businesses, service providers, and third parties. The CPRA adds a fourth category: contractors.
How is a ‘business’ defined?
The CPRA defines a “business” as:
- a for-profit legal entity:
- that collects consumers’ personal information on its own or by others on its behalf
- that alone or jointly with others determines the purposes and means of the processing
- that “does business” in California
- and satisfies at least one of the following thresholds:
- has annual gross revenues in excess of $25 million
- annually buys, receives, sells, or shares the personal information of 50,000 or more consumers, households, or devices
- derives 50% or more of its annual revenues from selling consumers’ personal information
Overview of a Business Responsibilities to be CPRA Compliance
In order for a business to be CPRA compliant, a business must:
- provide notice of consumer rights
- honor consumer rights
- fulfill disclosure and retention obligations
- facilitate consumer requests
- implement security safeguards