Eleven months after the California Consumer Privacy Act (CCPA) took effect, voters in the state passed the California Privacy Rights Act (CPRA).
The CCPA gave California residents access to and more control over personal data businesses collect about them, while the newly approved CPRA takes effect in 2023, and will effectively replace the CCPA.
The CPRA revises and expands the CCPA to create new industry requirements, consumer privacy rights, and enforcement mechanisms, according to JD Supra. It requires that, before 2023, the state establish a new privacy agency charged with creating implementation regulations.
The CPRA changes the scope of the CCPA’s definition of "business." This, in effect, both limits and expands which companies need to comply. With the CCPA, companies based anywhere that handle personal information of 50,000 or more Californians are subject to the regulations. The number goes up to 100,000 under the CPRA.
Where the CCPA included companies that receive personal information, the new law only includes companies that buy, sell, or share the personal information of California residents. As a result, some small- and medium-sized companies may not have to comply with the CPRA.
The CPRA limits the definition of personal information to "publicly available" information, including anything published by an individual on social media sites, and "truthful information that is a matter of public concern" are excluded from the new regulations.
Despite those limitations, other consumer privacy rights are expanded under the CPRA. For instance:
- Consumers will have the right to opt out of allowing companies to share their personal information;
- They will have right to request companies correct inaccurate personal information; and
- Consumers will be able to request companies limit the use of "sensitive" personal information for purposes other than providing requested goods or services, or other specific business purposes.
Further, some existing consumer privacy rights under the CCPA will be modified under the new regulations. They include the "right to delete," under which companies will have to notify service providers of a consumer’s request to delete personal information, which is not mandated under the CCPA; and the "right to know." The CCPA allows consumers to request access to the past 12 months of collected data, but the CPRA will allow them to request any information collected after Jan. 1, 2022.
As previously noted, the CPRA requires a new privacy agency be established, known as the California Privacy Protection Agency, which will investigate and enforce regulations. The agency will be a five-member board appointed by the governor, attorney general, state senate, and the assembly speaker.
For more on the CCPA, GDPR and other data privacy laws and issues, please visit LRN’s resource page here.