Voters Approve the California Privacy Rights Act 2020

Based on the reported voting results, the majority of Californians have approved Proposition 24, the California Privacy Rights Act 2020 (CPRA).

Even before the California Consumer Privacy Act came into effect on January 1, 2020, the Californians for Consumer Privacy, an advocacy group that originally advanced the CCPA as a ballot initiative, published the text of their next major privacy proposal – the CPRA.  By June 25, 2020, the CPRA qualified to be on the California’s ballot. Unlike two years ago, when the California legislators compromised by enacting the CCPA in exchange for the proponents withdrawing the ballot initiative, the fate of the new privacy law has been decided by the state voters.

The CPRA will incorporate and significantly amend the CCPA and expand privacy rights of California consumers as well as compliance obligations of covered businesses and their processors on par with the European Union’s General Data Protection Regulation.

Under the CPRA, consumers will be able to limit businesses’ use of their sensitive personal information, to correct inaccurate personal permeation, to prevent businesses from sharing personal information for advertising purposes, and to opt-out of the automated decision-making.  The law will regulate businesses’ use and retention of personal information and will require companies whose processing of personal information presents significant risk to the consumers’ privacy or security to perform cybersecurity audits and risk assessments. The CPRA will also establish the first dedicated privacy agency in the United States – California Privacy Protection Agency, which will have the authority to implement and enforce the new law.  Furthermore, the CPRA will effectively set the floor for privacy legislation in California as the Act, per its terms, could only be amended consistent with and to further its purpose and intent to “protect consumers’ rights, including the constitutional right of privacy.”

The CPRA’s impact will reverberate well beyond California, as it will impose new obligations on out-of-state companies with California customers, as well as contractors located outside the state. In addition, other states are likely to follow the suit and enact their versions of comprehensive privacy laws similar to the CPRA.  The CPRA will also likely push federal lawmakers to move forward on the federal privacy legislation.

With the passage of the CPRA, covered businesses will need to promptly start reviewing their privacy and data management systems, programs, and practices to assess their compatibility with the new legal requirements and to map out a path to compliance.  Furthermore, even though businesses will have two years to prepare for their new obligations under the CPRA, they would still have to comply with the CCPA and its Regulations in the interim period.

What to learn more the CPRA?  Download Clarip’s whitepaper “What Your Company Needs to Know About the California Privacy Rights Act of 2020”!