The California Privacy Rights Act (CPRA)
What is the CPRA?
The California Privacy Rights Act (CPRA) was passed in November by voters in California. Adding another entry to the alphabet soup that is privacy regulations, the CPRA (known as Proposition 24 when it was on the ballot) expands on the state’s landmark consumer privacy law, the California Consumer Privacy Act (CCPA). The CCPA formally came into effect on January 1, 2020, and the final text of the implementing regulations has been released by the California attorney general’s office. The CPRA both expands the protections put in place by the CCPA and makes it harder for businesses to sell or share personal information.
What is new in CPRA?
- The CPRA creates (and funds to the tune of $10 million) a California Privacy Protection Agency that will be in charge of enforcing California privacy laws. This agency takes over the responsibility that currently rests with the California attorney general’s office. The funding and establishment of the new Privacy Protection Agency will likely take place very soon.
- The fines for violations of the privacy protections around the data of children (those under the age of 16) have been tripled.
- The CPRA establishes a new category of “sensitive personal information” that is similar to the sensitive-data categories of the European General Data Protection Regulation (GDPR), including race, medical data, geolocation data, information about sexual orientation or sex life, biometrics, etc. Consumers will have the ability to tell businesses not to use categories of sensitive information about them. There are also additional notification obligations around the categories of sensitive personal data collected.
- The Act expands the right to opt out of data sharing. This makes the “Do Not Sell My Data” right even more explicit, so it is much closer to “Do Not Share.”
- Businesses will likely be required to respect a “global opt-out mechanism,” something that might look a lot like the recently proposed Global Privacy Control (essentially an updated Do-Not-Track).
- CPRA cuts “targeted ads” from the list of approved “business purposes.”
- It adds new requirements for data minimization and purpose limitation.
- It places limits on data retention.
- It calls for annual audits and risk assessments for “high-risk processing.”
When does the CPRA take effect?
The CPRA takes effect in January 2023. So, there is still some time before organizations have to be fully up to speed, but that groundwork should begin now. For any organizations that have already spent time getting ready for CCPA, that time has not been wasted. Becoming compliant with the CPRA will be a matter of adding some sophistication and a few more layers to privacy programs that are already in place.
The regulations spelling out exactly how the CPRA will be implemented will be released and iterated on (similar to the CCPA process) during 2021-2022. The new Privacy Protection Agency may begin exercising its rulemaking authority as early as July 1, 2021, or six months after the agency provides notice to the California attorney general that it is prepared to begin rulemaking. The final regulations must be adopted by July 1, 2022.
What about federal privacy legislation?
The CPRA passing in California once again raises the specter of national privacy legislation, an issue that has been quietly simmering for some time. We’ve seen drafts proposed from both sides of the aisle; two of the most recent are Sen. Wicker’s SAFE DATA Act proposed in September and Sen. Gillibrand’s Data Protection Act put forth in February. The two biggest sticking points seem to be: 1) whether to have a private right of action (meaning that individuals could sue companies for violations), and 2) whether a federal law would preempt state laws like California’s. It remains to be seen how much of an appetite the next Congress will have for tackling this thorny issue.
In the meantime, states are continuing to tackle the issue of privacy regulation without waiting for action at the federal level. In addition to California’s CPRA, the Washington Privacy Act in Washington state is likely to be reintroduced in the next legislative session. Stay tuned – the Coalfire Privacy Team will continue to provide updates as we get them.