Less than a year after the California Consumer Privacy Act (CCPA) took effect, California voters approved a ballot initiative to revise and supersede the CCPA significantly. The initiative, known as the California Privacy Rights Act (CPRA), builds on the CCPA but modifies and extends it in important ways.

One of the more immediately noticeable results of the CPRA will be the creation of a brand new regulatory agency—the California Privacy Protection Agency—that will replace the California Attorney General’s Office and have responsibility for implementing and enforcing the CPRA (and, until the CPRA takes effect, the CCPA). The agency, which will have five members as well as supporting staff, is to be created within the next 90 days and will take over rulemaking and administrative enforcement responsibilities.

Although the regulator will be established quickly, many of the substantive provisions will not take effect until January 1, 2023, leaving businesses with time to adjust their operations to comply with the law. Until then, the CCPA will remain in force. However, many of the key details of the new law will be defined by future regulations adopted by the new California Privacy Protection Agency, requiring that affected businesses remain vigilant.

Among the more important changes made by the CPRA are:

1. A redefinition of businesses to which it applies. The CPRA will apply to a “business” in California that also satisfies one or more of the following:

  • Annual gross revenues of $25 million in the preceding year (a slight clarification of the CCPA);
  • Annually buys, sells, or shares the personal information of 100,000 or more consumers or households (raising the threshold from 50,000 in the CCPA); or
  • Derives 50 percent or more of its annual revenues from selling or sharing consumers’ personal information; or
  • A person that does business in California and does not meet any of the preceding criteria, but voluntarily certifies to the California Privacy Protection Agency that it agrees to comply with the CPRA.
  • Moreover, the CPRA will require that business entities sharing common control and common branding must also share personal information. This was a gray area under the CCPA that may impact consumer-facing businesses with a substantial number of affiliates with common ownership that may separately interact with consumers.
2. New Individual Right to Correction: The CPRA creates a new right to correct inaccurate personal information, taking into account the nature and purposes of the processing of that information.
3. Creates a new category of “sensitive personal information” (e.g., Social Security Numbers, account log-in and financial data, precise geolocation, race, religion, union membership, email contents) and grants consumers a specific right to limit businesses’ use to that “necessary to perform the services or provide the goods reasonably expected” by an average consumer.
4. Establishes a new “purpose” limitation on the collection, use, and disclosure of personal information, and storage/data minimization limitations so that personal information is not retained longer than is “reasonably necessary” for specific, disclosed purposes. In short, the goal is to prevent the collection of personal information without a clear reason for doing so, and for only so long as “reasonably necessary.”
5. To ensure that the law reaches beyond just “sales” and “selling” of personal information, the CPRA generally adds the word “shares” throughout to reach other types of disclosure, regardless of whether the sharing is with or without consideration. Arguably many instances of “sharing” were already covered by the CCPA, but this provides clarification.
6. Amends the required “Do Not Sell” notice on the home page to read “Do Not Sell or Share” (businesses can implement this provision in several ways) and adds a “Limit the Use of My Sensitive Personal Information” link.
7. Allows consumers to opt out of behavioral advertising and the profiling of consumers for targeted marketing, and imposes disclosure obligations on businesses that engage in behavioral advertising.
8. Adds a specific definition of “consent” to require that it be freely given, specific, informed, and unambiguous.
9. Clarifies that the personal information of persons at least 13 and less than 16 cannot be sold or shared without affirmative consent.
10. Adds a new category of “contractor” in addition to the CCPA’s categories of “service providers” and “third parties” and establishes applicable requirements. The differences between “contractors” and “service providers” are likely to be defined in a future California rulemaking.

Consistent with a recent amendment to the CCPA, the CPRA also exempts the personal information of job applicants, employees, and independent contractors from the law until January 1, 2023.

Although the CPRA will take effect on January 1, 2023, some of its consumer rights provisions will “look back” to personal information collected by businesses up to a year before, so data systems need to be in operation by January 1, 2022.

Coming into compliance with the CPRA will require a business to:
  • Review how it collects and uses consumer personal data and identify the purpose for doing so;
  • Confirm or, if necessary, modify its practices so that it retains only personal information that is “necessary and proportionate” for processing;
  • Identify what “sensitive personal information” (including precise geolocation data) it possesses and treat it appropriately;
  • Possibly revise its IT system to implement the new obligations, including the new “right to correct”;
  • Provide additional information in its website privacy policy and mailed/published privacy notices to conform to new requirements specified in the CPRA;
  • Negotiate written contracts with nearly every business to which it sells or shares consumer personal information;
  • Review its arrangements with digital marketing providers to assess their ability to comply with the opt-out of targeted marketing based on personal profiles;
  • Review and, as needed, strengthen its data security.

Businesses that have already reviewed and modified their operations to come into compliance with the CCPA will still need to make some changes, but the CPRA does not require them to discard what they have already done. Businesses opening in California will have to make more substantial adjustments, but if an entity has already acted to come into compliance with the European Union’s General Data Protection Regulation, it will find much of the CPRA to be familiar. Businesses should consider a timetable now for establishing their compliance and ensure that they have the resources available to do so.


To learn more about the issues raised by this client bulletin, please contact William Baker at wbaker@potomaclaw.com, Douglas G. Bonner at dbonner@potomaclaw.com, or Gregory Ewing at gewing@potomaclaw.com.

Note: This publication is distributed with the understanding that the author, publisher and distributor of this publication and/or any linked publication are not rendering legal, accounting, or other professional advice or opinions on specific facts or matters and, accordingly, assume no liability whatsoever in connection with its use. Pursuant to applicable rules of professional conduct, portions of this publication may constitute Attorney Advertising.

Media Contact

Marlene Laro
mlaro@potomaclaw.com
703.517.6449
