By ballot initiative, California residents recently approved Proposition 24, or the California Privacy Rights Act (CPRA), with approximately 56 percent voting in favor. CPRA significantly amends the CCPA by expanding individual rights, introducing new GDPR-style governance measures, and establishing a new enforcement agency (among other things). Importantly, CPRA does not replace or repeal CCPA, but rather augments it. Further, no new private right of action will be added by CPRA. The substantive provisions of CPRA do not take effect until January 1, 2023.
How did we get here?
The CPRA was backed by the non-profit “Californians for Consumer Privacy.” This is the same organization that was behind the 2018 ballot initiative. Last-minute, the 2018 initiative was pulled from the ballot in exchange for enactment of the CCPA. CPRA was introduced in late 2019 given concerns that amendments to the CCPA had gutted the key provisions. The final text of the CPRA was published November 13, 2019. In late June 2020, the Secretary of State confirmed that the initiative had received enough valid signatures to appear on the November ballot.
What are some of the key provisions?
- Scope. The thresholds to qualify as a “business” under CCPA has been revised to: (i) clarify the revenue threshold is based on previous year’s activities, (ii) increase the processing to 100,000 consumers or households (from 50,000 currently under CCPA), and (iii) require that entities sharing common control and common branding must also share personal information.
- Employee / B2B Exemption. CPRA retains the CCPA’s exceptions for personal information collected in the employment and business-to-business contexts and extends their sunset provisions to January 1, 2023.
- Governance concepts. CPRA introduces a new storage limitation requirement. Personal information is not to be retained for longer than is “reasonably necessary” for the specific, disclosed purposes. A data minimization principle is also included. Collection, use, retention, and sharing of personal information should be limited to what is “reasonably necessary” to achieve the specified purposes.
- Individual Rights. Among some modifications to the right to know, deletion, and do-not-sell rights, CRPA includes a new right to “correction.” There are also certain rights for “sensitive personal information” (a new category of information introduced).
- Enforcement. A new California Privacy Protection Agency would replace the attorney general’s office as the regulator implementing CPRA rules and enforcing its requirements against violators. Enforcement will begin on July 1, 2023 and applies to violations occurring on or after that date.
Putting it Into Practice. While 2023 may seem far away, the passage of CPRA serves as another reminder of the benefit of establishing overarching principles-based privacy programs – that can expand and grow as laws change. We will be monitoring developments of CPRA; we expect that additional regulations may also be promulgated.