CPRA: California Privacy Rights Act
California votes passed ballot Proposition 24, the California Privacy Rights Act of 2020 (“CPRA”) on November 3, 2020. The CPRA makes changes to the 2018 California Consumer Privacy Act (“CCPA”), which sets regulations for companies that conduct business in California. It goes into effect on January 1, 2023 and only applies to personal data collected on or after January 1, 2022 (with limited exceptions). The CPRA was a ballot initiative, which can be changed by voter action and the legislature’s power to change or repeal it is limited. As outlined in the key highlights below, the CPRA increases privacy obligations and adds additional rights, specifically the CPRA:
- Eliminates the 30-day cure period established by the CCPA. It allows for enforcement immediately following non-compliance, while the CCPA previously stated actions could be brought by the Attorney General’s Office 30 days after notification of non-compliance if the business had not cured the non-compliance. However, the 30-day cure period is retained for private claims regarding data breaches.
- Creates the rights for consumers to correct any inaccurate personal information, to opt out of the use of personal data for automated decision making, and to request personal data be transmitted to another entity.
- Expands upon the right to prevent businesses selling of personal information, by allowing consumers to prevent the “sharing” of personal information. Sharing is newly defined in the CPRA and relates to “cross-context behavioral advertising.”
- Extends the expiration date of the “business-to-business” exception of the CCPA to January 1, 2023.
- Creates a new category of “sensitive personal information” which includes information such as social security number, racial or ethnic origin, biometric information, and sexual orientation. The CPRA allows consumers to limit the use and disclosure of this category of personal information.
- Adds onto the private right of action in the CCPA by allowing an action in the case of unauthorized access or disclosure of email and password or security question/answer.
- Requires businesses to have binding agreements with service providers and contractors regarding the treatment of personal information. The CPRA adds the new category of “contractor” and new requirements for both service providers and contractors.
- Requires that personal information cannot be retained for longer than “reasonably necessary” and requires companies to publish retention periods for certain personal data they capture.
- Creates the California Privacy Protection Agency (“CPPA”), a new state agency which replaces the California Attorney General’s Office in enforcing the CCPA and CPRA.
As always in the case of new privacy legislation, we recommend you first reach out to your legal counsel to understand the details as well as the steps you should take to ensure you are in compliance with the new standards.
More Activate Blog Posts
Web tracking is a powerful and useful element of audience marketing. Omeda’s web tracking script, is something that is often set up, but never utilized at its full potential. Understanding the actionable data web tracking brings combined with your first-party data can lead to great opportunities to further your audience communication and engagement. You may wonder, what exactly can it do? By…Read More
While this holiday season will be different due to the pandemic, there will still be a flurry of promotional emails into your audiences’ inboxes. During this time of increased volume, creating a strategy to achieve the strongest inbox placement is important. The volume coming through in November and December is significantly more than any other time of…Read More
Growing your audience is always top of mind for brand and marketing professionals. Whether growth is driven by adding new names to your database or asking current members to update their information – both are extremely valuable. Another important goal for the audience development team – which relates to growing your audience – is making sure…Read More