California votes to replace the CCPA with the CPRA

The U.S. Presidential election has left voters grasping for certainty when it comes to executive leadership. What is clear is that voters in California have overwhelmingly approved Proposition 24, also known as the CPRA (California Privacy Rights Act). The CPRA effectively replaces the CCPA (California Consumer Privacy Act) and bolsters privacy protections for California consumers.

We reported on the CPRA in May, when early support indicated that the new law was increasingly likely to appear on California ballots. The measure has passed, with voter support hovering around 56% of the electorate.

It is crucial that businesses understand the distinctions between the CCPA and the CPRA in order to know if their regulatory exposure under this law has shifted. Below we discuss some of the major differences.

CPRA key changes

The CPRA proposes the following:

  • Exempting more small businesses by raising the threshold for what defines a ‘business’ processing personal information – section 1798.140(c) of the statute was amended.
    • As a result, a ‘business’ must be collecting the personal information of 100,000 (not 50,000) consumers or households in order to be subject to the law.
  • Extending current one-year exemptions for certain employee and business-to-business data.
    • This subdivision of the statute remains inoperative until January 1, 2023.
  • Carving out a separate, sub-definition of ‘sensitive personal information,’ which includes things like a consumer’s Social Security, driver’s license, state identification card, or passport number; a consumer’s account login, financial account, debit card, or credit card number in combination with any required security or access code; a consumer’s precise geolocation; a consumer’s racial or ethnic origin, religious or philosophical beliefs, or union membership; the contents of a consumer’s mail, email, and text messages; genetic and biometric data; health data; and information concerning sex life or sexual orientation.
    • New, separate requirements would apply to this subset of data. For example, see section 1798.121, which gives consumers a new right to limit the use and disclosure of ‘sensitive personal information.’
  • A new right to data minimization with retention requirements related to personal data. Businesses that collect personal information will need to explain the collection, use, retention, and sharing of such information.
  • A right to know, access, and receive personal information collected before the 12-month lookback period for data collected on or after January 1, 2022. Seesection 1798.130(2)(B).
  • New definitions and obligations related to cross-context behavioral advertising.
  • Amending breach liability to focus on breaches that include an email address in combination with a password or security question and answer (aligned to existing state breach notification laws in California and other states).
  • Establishing a new regulatory enforcement body: the California Privacy Protection Agency. As seen on the California Attorney General’s website, this new unit will enforce state and federal privacy laws and advise the Attorney General on privacy matters.

IT Governance USA resources

Our team is working around the clock to capture the latest legislative information and updates from California. As news breaks, we will advise clients and release more updates to our wider readership. For more information, and a detailed breakdown of the CPRA, register for our webinar on Tuesday, December 1.

san francisco