CPRA - A New Data Privacy Law in California

What’s new under the CPRA?

First, the CPRA creates a new state agency called the California Privacy Protection Agency. This agency will enforce data privacy compliance requirements in California.

Second, the CPRA covers any business that shares personal data, regardless of whether any monetary compensation is exchanged.

Third, the CPRA establishes special requirements for personal information that’s sensitive in nature. This includes things like social security numbers, driver’s license numbers, health information, race, or religion.

The CPRA also expands liability for data breaches involving customer account information, and increases protections for personal information relating to consumers under the age of 16.

Finally, the CPRA expands the existing right to opt out, to include not only the right to opt out of the sale of your personal information but also the right to opt out of the sharing of your personal information in certain instances.

One bright spot with the CPRA is that it extends the current CCPA exemption for employee data until 2023.

What do you need to do about the CPRA now that it's passed?

If your organization processes California personal information, you need to understand these new requirements and how they will apply to your organization.

You will likely need to revise privacy policies, notices and disclosures, prepare for new opt-out requirements for data sharing, and also make plans for responding to new types of data privacy requests.

The new requirements will likely be fleshed out in more detail in implementing regulations. That will come at some point in the next year or two.

Stay tuned. I'll share more information as it becomes available!

With twenty five plus years in compliance experience, I can help your organization to make sure you're meeting your data privacy obligations.

If you have any questions about the CCPA, CPRA, or other data privacy issues, please contact me.