Cybersecurity Blog | Compass IT Compliance

California Privacy Rights Act of 2020 – CCPA 2.0?

Written by Patrick Hughes | November 13, 2020 at 8:45 PM

During last week’s election, the state of California voted to pass the new California Privacy Rights Act (CPRA). This legislation is intended to expand and strengthen the current California Consumer Privacy Act (CCPA). Last October I published a blog post outlining the implications of CCPA, which can be read here. For a quick refresher, let’s first talk about CCPA and what it is. CCPA was passed in 2018 and put into effect in early 2020. It is a data privacy law that regulates how businesses all over the world can handle the personal information of California residents.

So, what is this new CPRA of 2020?

CPRA builds on CCPA, which is why many refer to it as CCPA 2.0. CPRA essentially takes the regulations put in place by CCPA and expands on them with more stringent requirements and fines for noncompliance. Some of the changes include prohibiting the retention of consumers’ information for longer than the business needs and tripling the penalty for violations involving the data of minors under the age of 16, among many other changes. Below are some of the new and amended rights included in CPRA:

New Rights:

  • Right to correction of personal information
  • Right to opt out of automated decision-making technology (including profiling)
  • Right to access information about automated decision-making
  • Right to restrict the use and disclosure of sensitive personal information
  • Require regular mandatory risk assessments and cybersecurity audits for high-risk activities, to be submitted to the newly established California Privacy Protection Agency

Amended Rights:

  • Modified right to delete
  • Expanded right to know
  • Expanded right to opt out
  • Strengthened opt-in rights for minors
  • Expanded right to data portability

The California Privacy Rights Act will not be put in place and enforced until 2023. However, organizations should start preparing now.

Who is required to comply with the changes?

Just like CCPA, this new privacy act is a California law but applies to organizations across the world that collect and store the personal information of California residents. However, there are some slight differences between CCPA and CPRA regarding who is required to comply. You are required to comply if you are a for-profit organization that meets at least one of the following criteria:

  • Annual gross revenue over $25 million
  • Receive or share personal information from more than 50,000 California residents annually
  • Buys, sells, or shares the data of more than 100,000 California consumers

The first two points have not changed from CCPA. You may notice that the threshold in the third point has essentially doubled. It went from 50,000 to 100,000, which will make some businesses that were required to comply with CCPA exempt based on the volume they handle. Another important note on the third bullet point is that “shares” has been added to the language. This is important because some organizations were exempt under CCPA because they may not have been buying or selling data for profit, but they were sharing it. Consumers can now opt out of the sharing and selling of their data under CPRA.

What does this mean for my organization?

Though this privacy act does not go into effect until 2023, it is important for organizations to be aware of it and of how it changes the original CCPA that took effect in 2020. If your organization has been working towards complying with CCPA, you are in a great spot. Just because the law is changing come 2023 doesn’t mean the work and policies put in place to comply with CCPA were all for nothing. Complying with CCPA is a great place to start, and as more details emerge between now and when CPRA takes effect, it is important for your organization to be aware of the changes and whether they are applicable to you. Please feel free to contact us for more information on CCPA or the new CPRA legislation. Compass IT Compliance has been assisting organizations of all sizes in achieving or maintaining CCPA compliance and will be conducting CPRA audits and assessments as well!