November 9, 2020
California voters cast their ballots for more than elected officials on Election Night. In a ballot initiative titled Proposition 24, Californians voted “yes” to strengthen existing data privacy laws with the implementation of the California Privacy Rights Act (CPRA). The CPRA is intended to strengthen the existing California Consumer Privacy Act (CCPA), which was passed in November 2018 and went into effect on January 1, 2020.
The CPRA’s purpose is to reinforce and redefine sections of the CCPA, adding necessary clarifications and improvements to the first major data privacy legislation passed in this country. The CPRA gives Californians the ability to forbid businesses from using certain categories of their sensitive information, including race, health, religion, location, sexual orientation, and biometrics. The Act provides more clarity on vague CCPA provisions such as “do not sell my personal information,” which now includes data shared between companies. The “right to know,” recently established by the CCPA, has also been modified. Under the CCPA, the “right to know” allows consumers the right to obtain a copy of all the personal information a business has collected on them for the twelve-month period preceding the request. The CPRA extends this to include all of a consumer’s personal information collected by a business from January 1, 2022 onward. The CPRA triples fines for violations if the affected consumer is younger than 16 years old. The new measure makes it very difficult to weaken the law through additional amendments, though any amendments that strengthen will pass by a simple majority vote. Finally, it provides funding for a Privacy Protection Agency that will be charged with enforcing privacy laws.
The substantive provisions of the CPRA will not take effect until January 1, 2023. This delay provides covered businesses with valuable time to ensure they are in compliance. The CPRA also authorizes the rulemaking process to begin during that same period. Notably, however, the CPRA’s expansion of the “right to know” applies to personal information collected on or after January 1, 2022. Businesses will have to track personal information gathered during this time so they are prepared to respond to consumer demands after the CPRA takes effect. In the interim, businesses still have to comply with the dictates of the CCPA.
Ensuring that your company complies with the CCPA and CPRA is crucial, but trying to navigate it alone can be risky. Renzulli Law Firm data protection team is working with clients around the world to ensure compliance with the data privacy laws. If you have any questions about data privacy laws and the potential impact on your business, contact John F. Renzulli or Christopher Renzulli today.