Posted by Stephen Stein
Proposition 24, the California Privacy Rights Act (or “CPRA”), was passed by California voters on November 3.
Both modifying and enhancing aspects of the California Consumer Privacy Protection Act (“CCPA”) which became effective January 1 of 2020, the CPRA provisions will go into effect on January 1, 2023.
Why a new Act passed so soon after CCPA? Proponents felt that in many respects CCPA did not go far enough toward protecting personal data. Proponents successfully argued that the state should adopt privacy protections comparable to those found in the European General Data Protection Regulation (“GDPR”).
What’s New? Key provisions of the CPRA include:
- New Enforcement Agency: CPRA creates the California Privacy Protection Agency (beginning July 2023) which will take over responsibility from the state attorney general for enforcement of privacy obligations. In theory, this will allow greater resources to be dedicated to privacy enforcement.
- Liability for Violations by Service Providers: Collectors of Data who share a resident’s data will be responsible for compliance by any service providers with whom they share data.
- CCPA Clarifications: CPRA would clarify some of the issues raised with CCPA, including, (i) confirming that loyalty and discount programs would not be prohibited under CPRA, (ii) extending the moratorium on B2B and employee data, and (iii) removing “devices” from the determination of the thresholds of when a business would be subject to CPRA.
- Sensitive Personal Information: Consistent with GDPR, sensitive personal information is now defined and subject to more rigorous security requirements.
- New Consumer Rights: Consumers will have the right to update personal information already collected by companies.
Why Should I Care?
- As with the CCPA, companies that collect data on California residents (including via a website accessible to a California resident) will be subject to the law.
- California has been the bellwether state for a number of laws in the past. California privacy law, including the CPRA, can be expected to influence other states considering privacy legislation.
- Texas is among those states considering consumer data privacy legislation (see the September 2020 Report of the Texas Privacy Protection Advisory Council here. While aiming to meet public expectations concerning data privacy, the Legislature is also likely to seek to avoid some of the costly results of the CCRA and the GDPR. Progress on these matters may, however, be delayed by limitations on the scope of what the Legislature will undertake in a session constrained by COVID-19.
Is this still relevant for today? Or have things changed? What I'm curious about is how this will carry out, like what will the trend be for this type of stuff?
Posted by: Roger Peterson | November 06, 2020 at 07:10 AM