Californians voted in November to extend their data-privacy rights beyond the provisions of the CCPA. The new California Privacy Rights Act of 2020 (CPRA) is an expansion of the CCPA, designed to strengthen and clarify privacy requirements – and more closely align with international privacy standards, namely the GDPR.
The most significant provisions of the CPRA center around three areas: sharing and selling of personal information, service providers and contractors, and consumer rights. In addition, the law adopts certain GDPR principles, such as data minimization, purpose limitation, and storage limitation. The CPRA also adds muscle to the CCPA by creating a new government agency – the California Privacy Protection Agency – dedicated to handling enforcement and compliance with the new regulations.
While the majority of CPRA provisions don’t become operative until 2023, don’t wait to begin the compliance process. The CPRA may be leading the way for future U.S. privacy regulations on a broader scale.
Here’s a look at the new CPRA provisions, how they compare to the CCPA – and what you can do now to prepare.
Some of these provisions may be further refined by future regulations released by the newly created California Privacy Protection Agency. Meantime, here are three actions to take now:
- Honor opt-ins and opt-outs. Make sure you have a process in place to quickly enact privacy requests.
- Comply with CCPA regardless of your company’s physical location. CCPA compliance extends beyond state borders to include any California resident no matter their location. If a California resident can access your website, you must comply with CCPA.
- Understand the complexities of personal information and how that is defined. Maintaining legal compliance while conducting marketing initiatives is an ongoing process, not a one-time checkpoint. Regularly revisit how personally identifiable information is being used each time privacy regulations are changed or updated.
With the passage of the CPRA, the nation’s most robust consumer-privacy law just got significantly stronger – and the stakes significantly higher. And if the lessons of the CPRA, CCPA, and GDPR are any indication of the future, expect more states and countries to develop their own privacy requirements. Meantime, put the right policies, procedures, and technology in place so you can adjust your privacy practices accordingly.
The clock is ticking.