California Voters Pass Proposition 24, the California Privacy Rights and Enforcement Act
Highlights
Ballot initiative resulted in California Privacy Rights and Enforcement Act of 2020 (CPRA), effective Jan. 1, 2023, with enforcement beginning July 1, 2023
CPRA will enhance protection of “sensitive personal information”
The new act will establish a new state agency, the California Privacy Protection Agency, to regulate and enforce these new privacy laws once they go into effect
On Nov. 3, 2020, California voters passed Proposition 24, paving the way for the California Privacy Rights and Enforcement Act of 2020 (CPRA) and its amendments to consumer privacy rights enacted under the California Consumer Privacy Act of 2018 (CCPA). The new law will impose additional restrictions and requirements on businesses.
Among the most notable changes, CPRA – set to take effect on Jan. 1, 2023 – will create a new privacy enforcement agency, provide new definitions and protection for sensitive consumer data, expand and clarify limits on the use and sharing of this data, and expand liability for breaches of the security of this data.
More specifically, CPRA, a voter-initiated amendment to the 2018 act, provides even more restrictions on businesses sharing personal information and gives consumers greater control over their personal information. It also establishes and provides funding for a new California state agency to oversee implementation and enforcement of state privacy laws, taking over many CCPA regulatory duties from the state’s Attorney General.
In light of the population of California, CPRA continues California’s de facto role as a privacy regulator beyond its borders by adding to an increasingly complex regulatory compliance environment for businesses across the world, operating across any number of industries. It is a further indication such privacy regulations are only going to increase, whether at the state or federal level.
Businesses, many of which are still working toward full compliance with CCPA and the European Union’s General Data Protection Regulation (GDPR), will now need to act before Jan. 1, 2023, to further update their privacy and data protection policies and procedures to ensure compliance with this new law, which applies to data collected beginning Jan. 1, 2022. The CCPA remains in effect until the CPRA takes over.
Certainly, best practices dictate understanding and responding to these new requirements well before the law’s effective date.
CPRA Key Takeaways
Keep Up to Date in a Changing World
