The California Privacy Rights Act (CPRA) is a privacy law that was approved by California voters in November 2020, and it is set to take effect on January 1, 2023, with enforcement beginning on July 1, 2023. The CPRA builds on the California Consumer Privacy Act (CCPA), which was enacted in 2018, and further enhances privacy protections for California residents. Here are some key provisions and enhancements introduced by the CPRA:
- Creation of the California Privacy Protection Agency (CPPA): The CPRA establishes a new state agency, the California Privacy Protection Agency, to enforce the law and issue regulations and guidance.
- Expanded Rights of Consumers: The CPRA expands the existing rights under the CCPA and introduces new rights for consumers, such as the right to correct inaccurate personal information, and a broader right to opt out of not only the sale but also the sharing of personal information for advertising and marketing purposes.
- Sensitive Personal Information: The CPRA introduces a new category called “sensitive personal information”, which includes precise geolocation, race, religion, biometric data, health information, and more. Consumers have the right to limit the use and disclosure of sensitive personal information.
- Data Minimization and Purpose Limitation: Businesses are required to limit the collection of personal information to what is necessary for the purposes for which it was collected and must specify the purpose for collecting or using personal information.
- Risk Assessments and Audits: Certain businesses must conduct regular risk assessments and submit cybersecurity audits regarding their processing of consumers’ personal information.
- Increased Penalties for Violations Involving Children’s Data: The CPRA increases penalties for violations of the law that involve the personal information of minors.
- Expanded Breach Liability: The CPRA expands the private right of action for data breaches to include unauthorized access or disclosure of an individual’s email address combined with a password or security question and answer that would permit access to an account.
- Service Providers and Contractors: The CPRA imposes new obligations on service providers and contractors and requires specific contractual provisions when businesses share personal information with these parties.
- Exemptions: The CPRA extends certain exemptions, such as those for business-to-business (B2B) and employee data, but they are subject to conditions.
- International Data Transfers: The CPRA hints at future regulation regarding restrictions on cross-border data transfers, but the specifics have not yet been developed.
Businesses that fall within the scope of the CPRA need to ensure compliance by reviewing and updating their data protection policies, practices, and contracts. Consumers should be aware of their enhanced rights under this law and know how to exercise them.