California Privacy Rights Act

The California Privacy Rights Act (“CPRA”) is a comprehensive privacy law that expands and enhances privacy rights and protections for California residents. It was passed as a ballot initiative in November 2020 and is set to become effective on January 1, 2023. The CPRA builds upon the foundation of the California Consumer Privacy Act (“CCPA”) and amends and supplements its provisions. Key features of the CPRA include …

New Rights: The CPRA introduces new privacy rights for California residents, including the right to correct inaccurate personal information held by businesses and the right to limit the use and disclosure of sensitive personal information.

Expanded Definition of Personal Information: The CPRA expands the definition of personal information to include new categories, such as precise geolocation data, genetic data, and certain types of browsing history and application usage data.

Creation of the California Privacy Protection Agency: The CPRA establishes the CPPA, an independent regulatory agency responsible for implementing and enforcing the CPRA. The CPPA will take over enforcement responsibilities from the California Attorney General.

Enhanced Protection for Children’s Privacy: The CPRA enhances protections for the personal information of minors by requiring opt-in consent for the collection and use of personal information of consumers under the age of 16.

Increased Penalties for Data Breaches: The CPRA increases the maximum penalty for data breaches involving the personal information of California residents. The new penalty can range from $100 to $750 per consumer per incident, or actual damages, whichever is greater.

Expanded Scope for Service Providers: The CPRA clarifies the responsibilities of service providers and introduces the concept of “contractors” who are subject to certain privacy obligations.

Limited Data Retention Periods: The CPRA introduces requirements for businesses to limit the retention of personal information and implement data minimization practices.

The CPRA aims to strengthen and improve privacy protections for California residents and build upon the foundation established by the CCPA. It includes additional requirements for businesses and introduces new privacy rights for individuals. Businesses subject to the CPRA will need to review and update their privacy practices and policies to ensure compliance with the enhanced requirements.