The California Privacy Rights Act of 2020 – Updating the CCPA (Part One of Two)

The California Privacy Rights Act of 2020 – Updating the CCPA (Part One of Two)

By:  Kathleen D. Winger and Ivan Castro

On November 3, 2020, California voters approved Proposition 24, also known as the California Privacy Rights Act of 2020 (“CPRA”) with an effective date of January 1, 2023.  The Act’s stated intent is to protect consumers’ constitutional right to privacy.  In order to do so, the CPRA amends certain provisions of the California Consumer Privacy Act (“CCPA”) and creates a new enforcement agency known as the California Privacy Protection Agency (“CPPA”).₁

Like the CCPA the CPRA begins by identifying a series of important concepts regarding privacy in the state of California.  Thus, it recognizes that the fundamental right of privacy is the ability of individuals to control the use (including the sale) of their personal information.  The Act goes on to find that, in light of that fundamental right, the state has an interest in mandating laws that allow consumers to understand more fully how their information is being used and for what purposes so that they will be on more equal footing when negotiating with businesses to protect those rights.  The Act also finds that businesses should be held directly accountable to consumers for data security breaches and should be required to notify them when their most sensitive information has been compromised.  Overall, the stated purpose of the Act is to strengthen, not dilute individual privacy rights with respect to their information.

One of the significant changes to the CCPA is the CPRA’s transfer of the obligation to request categories and specific pieces of data that businesses collect from the users whose information is being collected to the businesses that control the collection.  Thus, businesses will have the affirmative obligation to inform users of the categories of data collected at or before the point of collection without the need for any request from those users.  Businesses will also be prohibited from gathering additional categories of data from users without making additional disclosures.

The CPRA also removes the 30-day time period businesses had under the CCPA to correct any alleged violations.

Another major change that the CPRA brings is the creation of the CPPA, whose stated mission is to implement and enforce CCPA and any amendments including those set forth in the CPRA.

Check this space for Part 2 of this series, which will discuss CPRA provisions that pertain to data security.

For questions about or assistance with the CCPA and the CPRA, we can be reached at kathy@kdwinger.com or 520-391-4475.

1 This blog’s discussions of the CCPA can be found here, here and here.

The information presented here is for general educational purposes only. It does not constitute legal advice and does not create an attorney-client relationship.