Along with countless significant decisions, November 3 brought the passage of a long-awaited update to California data privacy law. This week, the California Privacy Rights Act of 2020 (CPRA) passed with a majority vote as expected, adding to and modifying the requirements and enforcement of the California Consumer Privacy Act (CCPA).
While CCPA has been widely viewed as bringing GDPR-level data privacy regulation to the U.S., the real teeth are coming with CPRA. Many of the conditions in CPRA emulate GDPR, and will likely become the blueprint for new privacy regulations in other states. In a Legaltech News article this week, I wrote an in-depth analysis of CPRA, and the most impactful changes organizations need to begin addressing. These include:
- The addition of data minimization and limitation requirements: keeping only necessary data, and only for as long as needed.
- The creation of a subcategory of personal information (PI), which is similar to GDPR in defining higher-risk data as sensitive personal data (SPI). This subcategory will be afforded expanded data subject rights, such as limiting the use and disclosure of this type of information.
- Stronger penalties for infractions relating to minors' personal and sensitive data.
- Extensive rights for data subjects to limit what can be shared for the purposes of advertising. CPRA allows data subjects to opt out of onward transmission of their personal information and sharing of their exact geolocation.
- The establishment of a standalone data privacy authority to enforce data privacy compliance, vs. the current model of oversight by the state attorney general.
These and other changes, as well as recommended steps for companies to begin taking, are discussed in detail in the Legaltech News article here.