California voters passed the California Privacy Rights Act (CPRA) in November 2020. An expansion of the CCPA, it broadens the existing consumer privacy law and establishes a new state agency – the California Privacy Protection Agency – to enforce and oversee it.

The agency will deliver significant changes to how state privacy laws are enforced. Previously the state’s attorney general was responsible for consumer privacy issues, whereas now a dedicated agency handles them. The agency also has a $10 million budget which will be supplemented with the fines and settlements it receives from businesses that break state privacy law.

To avoid ending up on the wrong side of the CPRA, you need to know what’s required of you and your business. Continue reading to find out.

What does the CPRA require of businesses?

• Businesses need to track a new category of data known as ‘sensitive personal information.’ This category includes financial information, health status, biometric data, geolocation, government-provided identifiers, the contents of emails or texts, and race or ethnicity.
• Businesses must ensure any partners or providers with which they share data also comply with the CPRA.
• Businesses must provide customers with the option to opt out of having their data shared with third parties. Previously, an opt-out option was only required for sales of data.
  
  

What does the CPRA mean for customers?

• Customers now have the right to restrict the use and disclosure of ‘sensitive personal information.’
• Customers have the right to request that a business update incorrect personal information. This new right is in addition to the existing rights to request access and deletion of personal information.
• Customers are no longer required to prove a breach of their personal information harmed them. A breach occurring is considered harmful enough to bring a lawsuit against that business.
  
  

When does the CPRA become enforceable?

The CPRA goes into effect on the first of January 2023. It becomes enforceable six months later. However, the new agency created under the CPRA is likely to get to work straight away, enforcing those laws already in place. So, it’s essential to be across existing CCPA requirements while working on your roadmap to CPRA compliance.

Related