This week, DataGrail released the Simple Guide to the CPRA, untangling how the California Privacy Rights Act impacts businesses and consumers. In November 2020, data privacy advocates and experts watched closely to see how consumers would vote on Proposition 24. Despite concerns from privacy advocates, Prop 24 passed, turning the CPRA into law. The new regulations will go into effect in January 2023, with a lookback period tracing back to January 2022.
In DataGrail’s Simple Guide, we give our opinion on what businesses should be thinking about.
Here are five of the high-level takeaways:
1. The CPRA takes effect in 2023, but organizations should start planning now.
- Due to the complex requirements encompassed by the CPRA, companies need to spend 2021 making sure their data privacy compliance programs will be ready to comply with the CPRA.
2. The new law aligns closely with similar regulation in the EU, the GDPR.
- It incorporates more requirements and definitions similar to the GDPR that extend beyond the current California Consumer Privacy Act (CCPA).
3. The CPRA institutes stronger privacy protections for consumers through requirements for businesses that were originally weaker in the predecessor CCPA.
- Consumers are also granted more control to limit the use and disclosure of their sensitive information.
4. A new agency is being created by the CPRA: the California Privacy Protection Agency.
- This new body, as opposed to the California Office of the Attorney General, which currently enforces the CCPA, will be solely focused on protecting consumer privacy and enforcing the CPRA. This will allow the agency to deal with infractions of the law in a timely and effective manner and could allow for broader enforcement beyond just large companies and major violations.
5. The scope of privacy has been expanded under the CPRA.
- The CPRA defines employees and vendors as data subjects, and expands the scope of opt-out to “Do not sell or share”.
Our full report contains more information on how the CPRA impacts businesses, including net positive impacts around definitions and thresholds, clearer requirements, and greater obligations on service providers. It also outlines the variety of limitations the CPRA creates for selling and sharing data and how the law expands the scope of opt-out requirements. Get the full breakdown of what businesses need to know and key dates to keep in mind in our Simple Guide.