The California Privacy Rights Act (CPRA) is a significant piece of privacy legislation that was passed by California voters in November 2020. It amends and expands upon the California Consumer Privacy Act (CCPA), which was the first major state privacy law in the United States. The CPRA is sometimes referred to as "CCPA 2.0" because it builds upon the CCPA's foundation. Here are some key aspects of the CPRA:
Creation of a Dedicated Privacy Agency: The CPRA establishes the California Privacy Protection Agency (CPPA), which is responsible for implementing and enforcing the law. This agency is the first of its kind in the United States dedicated solely to privacy.
Expanded Consumer Rights: The CPRA introduces new rights for California residents, including the right to correct personal information, the right to limit the use and disclosure of sensitive personal information, and the right to opt-out of automated decision-making technology.
Greater Protections for Sensitive Personal Information: The CPRA introduces additional protections for sensitive personal information, such as precise geolocation, race, ethnicity, religious beliefs, union membership, personal communications, genetic data, sexual orientation, and specified health information.
Strengthened Requirements for Businesses: The CPRA imposes stricter requirements on businesses that handle personal information. This includes obligations related to data minimization, purpose limitation, and storage limitation. Businesses must also conduct regular risk assessments and cybersecurity audits for certain processing activities.
Increased Fines for Violations Involving Children's Data: The CPRA imposes higher fines for violations involving the personal information of consumers under the age of 16.
Extended Scope and Clarifications: The CPRA clarifies certain ambiguous provisions of the CCPA and extends the scope to cover new categories of data and processing activities.
Effective and Enforcement Dates: While the CPRA was passed in 2020, most of its provisions will take effect on January 1, 2023. Enforcement of the new provisions will begin on July 1, 2023, and will apply to personal information collected by businesses on or after January 1, 2022.