A lot has been asked of privacy professionals ove the last year, especially in keeping track of legislative changes across the globe. One such marked change was enacted in California where a new ballot measure has brought forward changes in privacy compliance for all businesses operating in California.
The newly proposed “California Privacy Rights Act” (CPRA) is set to come into force on the 1st of January 2023 which will undoubtedly give new cause for businesses to be anxious about the compliance deadline. This article, explores some of the noteworthy changes CPRA is set to bring to the existing California Consumer Privacy Act (CCPA).
In a statewide survey of California voters conducted by Goodwin Simon Strategic Research, it was found that 88% of Californians would support a ballot measure expanding privacy protections for consumers’ personal information. Proposition 24(CPRA) was put forward with the aim of preventing companies from undermining the rights provided by the CCPA in the protection of personal data rights of Californian residents. In the November 2020 ballot, more than 9 million voters agreed to the need for more transparency and expansion of consumer rights provided by the CCPA which prompted the introduction of CPRA.
The California Privacy Rights Act (CPRA) introduces specific and significant changes to it’s existing privacy framework which makes it the strongest state law and not to dissimilar from it’s European counterpart, GDPR (read our article on GDPR).
So what’s in the CPRA?
Although in common parlance the phrase “made available to the general public” can be an open-ended category referring to the public as a whole, a legal thought on this definition forces us to believe that it does not refer to information that individuals share on their social media which is limited to certain audiences. Hence, dubieties on the definition continues to exist and must be handled with considerable care in lines of precedence on the subject. Additionally, biometric information collected without the customers’ knowledge (for instance, information collected in public places) cannot be considered as information publicly made available by the customer as stated in the CCPA.
- Allows the Correction of Personal data
Customers are granted the right to request for correction of inaccurate information held by the businesses. This right is granted in addition to the right of access and erasure to individuals. CPRA ensure that business gather and store only such information which is necessary for the purposes stated in the privacy notices (data minimization) and that the customer maintains a control over their data to include only what is accurate.
- Modify provisions on sale and sharing of personal data
The CPRA requires businesses to provide customers with “opt-out” right to limit the sale and sharing of their personal information to third parties. The bill specifies that consideration is not a mandatory requirement in such cross-context data transfers and that the customers will have a right to limit such transfers if they wish to. A business is required to provide a link, reasonably accessible to the consumer, titled “Do not sell or share my personal information” to opt out of the sale of their personal information. A customer must also have access to a link titled “Limit the use of my sensitive personal information” enabling them to limit the use or disclosure of their data for certain controlled purposes as per the Bill.
- Establish a Data Protection agency and create stringent punitive measures
The Bill triples the fine amount for data breaches involving personal information of children under the age of 16, if businesses had reasonable knowledge about the age of the consumer. The bill also strikes out the 30-day cure period extended to violations of the Bill provisions (originally CCPA). The Bill effectively establishes the “California Privacy Protection Agency” as a body to enforce the Bill provisions through administrative practices. The Attorney General of California continues to hold the “rule-making” power until 1st of July 2021 or six months after the Agency notifies CA Ag that it is prepared for rule-making.
California has always been at the forefront of privacy developments in the US and the California Consumer Privacy Act has heralded a sea change for privacy bills across the states in US. The new Bill is expected to create stronger laws with tightened authoritative enforcement procedures to effectively implement it in the state. California Privacy Right Act 2020 is believed to bring out stronger online privacy rights to protect sensitive and personal data of consumers especially that of children.
- Goodwin Simon Strategic Research results on California Privacy Survey(Accessed on March 2, 2021):
- Find Proposition 24 original text here(Accessed on March 3, 2021):
- What is Proposition 24? (Accessed on February 12, 2021)
- Activist Behind California’s New Privacy Law Already Wants to Improve It (Accessed on February 26, 2021):