From CCPA to CPRA - Key Takeaways

The California Privacy Rights Act (CPRA), also known as Proposition 24, is a ballot measure that was approved by California voters on Nov. 3, 2020. It amends and expands the CCPA, and also referred to as “CCPA 2.0.”

The California Privacy Rights Act (CPRA) is a state law that strengthens and expands upon the California Consumer Privacy Act (CCPA), which was enacted in 2018. The CPRA was passed by California voters and went into effect on January 1, 2023.

The new regulation revises the scope of business:

CPRA will be applicable on the businesses who meets any of the following conditions:

As of January 1, of the calendar year, had

• Annual gross revenues in excess of twenty-five million dollars ($25,000,000) in the preceding calendar year or
• Alone or in combination, annually buys or sells or shares the personal information of 1,00,000 or more consumers or households or
• Derives 50 percent or more of its annual revenues from selling or sharing consumers’ personal Information.

Here are some of the major changes introduced by the CPRA as compared to the CCPA:

Expansion of consumer rights [CPRA: Section 1798.105- 1798.125]

The CPRA expands upon the rights of consumers under the CCPA by giving them the right to opt out of the sale of their personal data and the right to request that their personal data be deleted. It also gives consumers the right to correct their personal data and the right to data portability.

New category of sensitive personal information

The CPRA introduces a new category of sensitive personal information, which includes data related to a consumer’s health, race, ethnicity, religion, and sexual orientation, among other categories. This data is subject to additional protections under the CPRA, and businesses must obtain explicit consent from consumers before collecting, using, or disclosing this data.

More stringent requirements for businesses

The CPRA imposes more stringent requirements on businesses in terms of their data protection practices. It requires businesses to implement and maintain reasonable security measures to protect personal data, and imposes additional obligations on businesses that process sensitive personal data.

New enforcement agency [CPRA: Section 1798.199.10]

The CPRA establishes a new state agency, the California Privacy Protection Agency (CPPA), to enforce the provisions of the law. The CPPA will have the authority to investigate alleged violations of the CPRA and to impose penalties on businesses that are found to be in noncompliance with the law.

Increased penalties for violations [CPRA: Section 1798.199.155]

The CPRA increase the potential penalties for violations of the law. It allows for fines of up to $2,500 per violation for unintentional violations, and up to $7,500 per violation for intentional violations.

Overall, the California Privacy Rights Act represents a significant expansion of consumer privacy rights in California and imposes new obligations on businesses in terms of their data protection practices. It is important for businesses that operate in California or that process the personal data of California consumers to understand and comply with the requirements of the CPRA.