As you may recall, Proposition 24 appeared on California’s 2020 general election ballot. On November 23, 2020, California voters approved Proposition 24, officially the California Privacy Rights Act of 2020 (CPRA).
The United States has followed a so-called “sectoral” approach in regulating privacy issues, with federal laws directed only to specific industries and state laws that further address data protection practices and personal information security regulation on a local level. Guaranteeing privacy as “an inalienable right” in the constitution and being home to world-class computer technologies, California continues to spearhead the transformation and management of consumer privacy protection, especially privacy protection of online communications and other electronic data.
For consumer privacy protection, California currently has the California Consumer Privacy Act (CCPA), which generally applies to big companies and data brokers and went into effect on January 1, 2020. The CPRA updates and strengthens the CCPA by giving consumers more control over how companies use consumer data; establishing a new enforcement agency; creating a new category of sensitive data; expanding consumers’ opt-out rights to include information sharing; requiring businesses to provide additional mechanisms for individuals to access, correct, or delete data, with a particular focus on data used by automated decision-making systems; and imposing additional compliance requirements for businesses. Overall, the CPRA pushes California privacy practices yet another step closer to European Union (EU) privacy legislation, particularly the EU General Data Protection Regulation (GDPR).
We present below some of the key changes, amendments and/or additions introduced by the CPRA to the existing privacy law in California:
Though the CPRA will not enter into force until January 2023, plenty of preparation is required in the near term and over the next two years. Companies doing business in the state of California or using data of California residents should take appropriate measures to ensure compliance with the CPRA requirements. Importantly, given all the obligations imposed by the CPRA, businesses need to pursue compliance wisely and strategically over the next two years, focusing on internal practices of data collection, use, retention, and categorization. Moreover, businesses should continue to have an up-to-date privacy notice that is properly enforced, a dedicated team that is responsible for privacy operations and management, and the technical and administrative measures necessary to achieve effective consumer privacy protection. We are here to help!