California Voters Approve the California Privacy Rights Act of 2020, More Privacy Changes to Come

On November 3, 2020, California voters decisively approved the California Privacy Rights Act of 2020 (“CPRA”), which appeared on the ballot as Proposition 24. Its passage makes significant amendments to the state’s existing consumer privacy law, the California Consumer Privacy Act of 2018 (“CCPA”), which is already generally considered the most comprehensive privacy law in the United States. Some experts believe that the CPRA will set the bar for privacy rights for the rest of the country and serve as an example for future federal laws. The CPRA will not go into effect until January 1, 2023, leaving time for businesses to implement related compliance efforts.

The CPRA includes many amendments to the CCPA, ranging from relatively minor changes to new and burdensome obligations for businesses. In general, the CPRA expands the protection of a consumer’s personal information and privacy rights. Some of the changes under the CPRA include the following:

  1. extending the CCPA exemptions related to employee-related personal data and personal data in the context of a business-to-business relationship until January 1, 2023.
  2. introducing and regulating the concept of “sharing” personal information, which is defined broadly to include disclosing, making available, or otherwise communicating a consumer’s personal information to a third party for cross-context behavioral advertising, whether or not for consideration. The CPRA places similar obligations on sharing as selling, including the right to opt-out.
  3. regulating a new category of personal information known as “sensitive personal information” and implementing heightened requirements for such personal information to give consumers greater control over this information.
  4. establishing the right for consumers to correct inaccurate personal information.
  5. increasing penalties for violations involving consumers whom a business knows are under 16.

Businesses that are currently subject to the CCPA should review the CPRA and make a plan for compliance. If you would like assistance with, or have any questions about, complying with the CCPA or the CPRA, or need assistance reviewing your data privacy practices, please contact one of our cybersecurity & data privacy attorneys.