CPRA: What it is and what changes it may mean for your business
Updated: Jun 25
Long referred to as CCPA 2.0, proposed ballot initiative California Privacy Rights Act of 2020 has established itself under its very own acronym — CPRA. There’s good reason for that change; it’s getting a lot closer to becoming reality.
At the beginning of May, the initiative’s sponsor, Californians for Consumer Privacy, delivered more than 900,000 signatures to qualify CPRA for the ballot. And this week, CPRA cleared another hurdle — getting those 900,000+ signatures validated in time to get CPRA on the ballot. On Monday, a California Superior Court Judge ordered Secretary of State Alex Padilla to work with Californians for Consumer Privacy to either hasten the validating process or to push back the deadline to qualify CPRA for the ballot. Then Thursday, Padilla announced its qualification for the November ballot.
California already has the most comprehensive privacy law in the U.S., and — given the attorney general’s regulations were finalized just this month — most organizations are still working toward full compliance with that. So, why another privacy law?
Californians for Consumer Privacy initiated this proposal as a corrective measure for the shortcomings of CCPA, which resulted after some swift negotiating by the California legislature disappeared the original — and more restrictive — ballot initiative. The CPRA modifies CCPA to expand consumers’ rights and control over their personal information and borrows liberally from the EU General Data Protection Regulation (GDPR).
Here are some of the major changes and additions from the current law.
Rectification rights: Similar to rights provided under GDPR, the CPRA would give California consumers the right to correct inaccurate or out-of-date information an organization holds about them.
Sensitive personal information: Another concept the CPRA adopts from the GDPR is a classification of certain types of more sensitive data where additional controls will be required. These data types align with “Special Categories” of data under GDPR. Organizations that process sensitive personal information would be obligated to provide consumers more control over that data.
Consent: Once again, CPRA looks to GDPR when defining consent, using the language “freely given, specific, informed and unambiguous,” the definition closely mirrors that in the GDPR and may finally mean the end of “opt-out consent” as a concept in the US.
Extension of B2B and employee exemptions: The CPRA would extend the CCPA’s exemptions for employee data and personal information collected in the business-to-business context until January 1, 2023. This gives lawmakers an additional two years to develop legislation to address privacy in these areas.
Additional fines for children’s data: CPRA would triple the fines allowed under CCPA when organizations violate the privacy rights of children under 16 years of age.
Expanded definition of breach: CCPA includes a private right of action for certain data breaches. The CPRA increases the types of breaches for which consumers have a private right of action to those that include an email address in combination with authenticating information that would allow access to the account.
Establishes the California Privacy Protection Agency: CPRA would establish the first dedicated privacy enforcement body in the U.S. While the U.S. Federal Trade Commission has been considered the de-facto privacy enforcer in the U.S., the California Privacy Protection Agency would be the first tasked specifically with protecting individuals’ privacy rights.
It’s looking like the ballot initiative will make it this time and if California voters make it law, it would mean increased privacy protections for residents and increased compliance hurdles for organizations within the scope of CCPA. Make sure you’re prepared with a privacy program that can respond to this — and other — legislative changes.