CPRA: California Privacy Rights Act
California voters passed ballot Proposition 24, the California Privacy Rights Act of 2020 (“CPRA”), on November 3, 2020. The CPRA makes changes to the 2018 California Consumer Privacy Act (“CCPA”), which sets regulations for companies that conduct business in California. It goes into effect on January 1, 2023 and only applies to personal data collected on or after January 1, 2022 (with limited exceptions). The CPRA was a ballot initiative, so it can be changed by voter action, and the legislature’s power to change or repeal it is limited. As outlined in the key highlights below, the CPRA increases privacy obligations and adds additional rights. Specifically, the CPRA:
- Eliminates the 30-day cure period established by the CCPA. It allows for enforcement immediately following non-compliance, while the CCPA previously stated actions could be brought by the Attorney General’s Office 30 days after notification of non-compliance if the business had not cured the non-compliance. However, the 30-day cure period is retained for private claims regarding data breaches.
- Creates the rights for consumers to correct any inaccurate personal information, to opt out of the use of personal data for automated decision making, and to request personal data be transmitted to another entity.
- Expands upon the right to prevent businesses from selling personal information by allowing consumers to prevent the “sharing” of personal information. Sharing is newly defined in the CPRA and relates to “cross-context behavioral advertising.”
- Extends the expiration date of the “business-to-business” exception of the CCPA to January 1, 2023.
- Creates a new category of “sensitive personal information” which includes information such as social security number, racial or ethnic origin, biometric information, and sexual orientation. The CPRA allows consumers to limit the use and disclosure of this category of personal information.
- Adds onto the private right of action in the CCPA by allowing an action in the case of unauthorized access or disclosure of email and password or security question/answer.
- Requires businesses to have binding agreements with service providers and contractors regarding the treatment of personal information. The CPRA adds the new category of “contractor” and new requirements for both service providers and contractors.
- Requires that personal information cannot be retained for longer than “reasonably necessary” and requires companies to publish retention periods for certain personal data they capture.
- Creates the California Privacy Protection Agency (“CPPA”), a new state agency which replaces the California Attorney General’s Office in enforcing the CCPA and CPRA.
As always in the case of new privacy legislation, we recommend you first reach out to your legal counsel to understand the details as well as the steps you should take to ensure you are in compliance with the new standards.