CPRA: California Privacy Rights Act
California votes passed ballot Proposition 24, the California Privacy Rights Act of 2020 (“CPRA”) on November 3, 2020. The CPRA makes changes to the 2018 California Consumer Privacy Act (“CCPA”), which sets regulations for companies that conduct business in California. It goes into effect on January 1, 2023 and only applies to personal data collected on or after January 1, 2022 (with limited exceptions). The CPRA was a ballot initiative, which can be changed by voter action and the legislature’s power to change or repeal it is limited. As outlined in the key highlights below, the CPRA increases privacy obligations and adds additional rights, specifically the CPRA:
- Eliminates the 30-day cure period established by the CCPA. It allows for enforcement immediately following non-compliance, while the CCPA previously stated actions could be brought by the Attorney General’s Office 30 days after notification of non-compliance if the business had not cured the non-compliance. However, the 30-day cure period is retained for private claims regarding data breaches.
- Creates the rights for consumers to correct any inaccurate personal information, to opt out of the use of personal data for automated decision making, and to request personal data be transmitted to another entity.
- Expands upon the right to prevent businesses selling of personal information, by allowing consumers to prevent the “sharing” of personal information. Sharing is newly defined in the CPRA and relates to “cross-context behavioral advertising.”
- Extends the expiration date of the “business-to-business” exception of the CCPA to January 1, 2023.
- Creates a new category of “sensitive personal information” which includes information such as social security number, racial or ethnic origin, biometric information, and sexual orientation. The CPRA allows consumers to limit the use and disclosure of this category of personal information.
- Adds onto the private right of action in the CCPA by allowing an action in the case of unauthorized access or disclosure of email and password or security question/answer.
- Requires businesses to have binding agreements with service providers and contractors regarding the treatment of personal information. The CPRA adds the new category of “contractor” and new requirements for both service providers and contractors.
- Requires that personal information cannot be retained for longer than “reasonably necessary” and requires companies to publish retention periods for certain personal data they capture.
- Creates the California Privacy Protection Agency (“CPPA”), a new state agency which replaces the California Attorney General’s Office in enforcing the CCPA and CPRA.
As always in the case of new privacy legislation, we recommend you first reach out to your legal counsel to understand the details as well as the steps you should take to ensure you are in compliance with the new standards.
More Activate Blog Posts
Last week, we released a blog sharing our firsthand findings on how Apple’s mail privacy protection release is going to impact email marketing. Since Apple has made this announcement, we’ve received many questions and concerns from our clients on the best way to approach these changes. Omeda can help manage these challenges – watch the…Read More
There are so many reasons to purchase a customer data platform (CDP). From the 360-degree customer profile, to the automatic integration of rich behavioral data into your audience database, to endless personalization opportunities, it’s hard to understand why a business wouldn’t want one. But before you dive in, consider these 10 questions. Because in order…Read More
Apple made waves back in June when they announced Mail Privacy Protection (MPP) for their mail app on iOS 15, iPadOS 15, and macOS Monterey devices would be rolled out during the Fall of 2021. The News According to a press release following the announcement, Apple said “Mail Privacy Protection stops senders from using invisible pixels to collect information about…Read More