California voters passed ballot Proposition 24, the California Privacy Rights Act of 2020 (“CPRA”), on November 3, 2020. The CPRA makes changes to the 2018 California Consumer Privacy Act (“CCPA”), which sets regulations for companies that conduct business in California. The CPRA goes into effect on January 1, 2023 and only applies to personal data collected on or after January 1, 2022 (with limited exceptions). The CPRA was a ballot initiative, which can be changed by voter action, and the legislature’s power to change or repeal it is limited. As outlined in the key highlights below, the CPRA increases privacy obligations and adds additional rights. Specifically, the CPRA:

  • Eliminates the 30-day cure period established by the CCPA. It allows for enforcement immediately following non-compliance, while the CCPA previously stated actions could be brought by the Attorney General’s Office 30 days after notification of non-compliance if the business had not cured the non-compliance. However, the 30-day cure period is retained for private claims regarding data breaches. 
  • Creates the rights for consumers to correct any inaccurate personal information, to opt out of the use of personal data for automated decision making, and to request personal data be transmitted to another entity. 
  • Expands upon the right to prevent businesses from selling personal information by allowing consumers to prevent the “sharing” of personal information. Sharing is newly defined in the CPRA and relates to “cross-context behavioral advertising.”
  • Extends the expiration date of the “business-to-business” exception of the CCPA to January 1, 2023. 
  • Creates a new category of “sensitive personal information” which includes information such as social security number, racial or ethnic origin, biometric information, and sexual orientation. The CPRA allows consumers to limit the use and disclosure of this category of personal information.
  • Adds onto the private right of action in the CCPA by allowing an action in the case of unauthorized access or disclosure of email and password or security question/answer. 
  • Requires businesses to have binding agreements with service providers and contractors regarding the treatment of personal information. The CPRA adds the new category of “contractor” and new requirements for both service providers and contractors. 
  • Requires that personal information cannot be retained for longer than “reasonably necessary” and requires companies to publish retention periods for certain personal data they capture. 
  • Creates the California Privacy Protection Agency (“CPPA”), a new state agency which replaces the California Attorney General’s Office in enforcing the CCPA and CPRA.

While there hasn’t been too much additional info out in the marketplace, we’ve seen good summaries from AdWeek, Digiday, and the IAPP.

As always in the case of new privacy legislation, we recommend you first reach out to your legal counsel to understand the details as well as the steps you should take to ensure you are in compliance with the new standards.