CPRA: California Privacy Rights Act
California voters passed ballot Proposition 24, the California Privacy Rights Act of 2020 (“CPRA”), on November 3, 2020. The CPRA makes changes to the 2018 California Consumer Privacy Act (“CCPA”), which sets regulations for companies that conduct business in California. It goes into effect on January 1, 2023, and applies only to personal data collected on or after January 1, 2022 (with limited exceptions). The CPRA was a ballot initiative, which can be changed by voter action; the legislature’s power to change or repeal it is limited. As outlined in the key highlights below, the CPRA increases privacy obligations and adds additional rights. Specifically, the CPRA:
- Eliminates the 30-day cure period established by the CCPA. It allows for enforcement immediately following non-compliance, while the CCPA previously stated actions could be brought by the Attorney General’s Office 30 days after notification of non-compliance if the business had not cured the non-compliance. However, the 30-day cure period is retained for private claims regarding data breaches.
- Creates the rights for consumers to correct any inaccurate personal information, to opt out of the use of personal data for automated decision making, and to request personal data be transmitted to another entity.
- Expands upon the right to prevent businesses from selling personal information by allowing consumers to prevent the “sharing” of personal information. Sharing is newly defined in the CPRA and relates to “cross-context behavioral advertising.”
- Extends the expiration date of the “business-to-business” exception of the CCPA to January 1, 2023.
- Creates a new category of “sensitive personal information” which includes information such as social security number, racial or ethnic origin, biometric information, and sexual orientation. The CPRA allows consumers to limit the use and disclosure of this category of personal information.
- Adds onto the private right of action in the CCPA by allowing an action in the case of unauthorized access or disclosure of email and password or security question/answer.
- Requires businesses to have binding agreements with service providers and contractors regarding the treatment of personal information. The CPRA adds the new category of “contractor” and new requirements for both service providers and contractors.
- Requires that personal information not be retained for longer than “reasonably necessary” and requires companies to publish retention periods for certain personal data they capture.
- Creates the California Privacy Protection Agency (“CPPA”), a new state agency which replaces the California Attorney General’s Office in enforcing the CCPA and CPRA.
As always in the case of new privacy legislation, we recommend you first reach out to your legal counsel to understand the details as well as the steps you should take to ensure you are in compliance with the new standards.