Executive Summary
In November 2020, over 9.3 million Californians voted to approve the California Privacy Rights Act (CPRA) of 2020 with the passage of Proposition 24.
The CPRA is the strongest consumer privacy law ever enacted in the United States, and achieves broad general parity with the most comprehensive laws in other jurisdictions including Europe (GDPR), Japan, Israel, New Zealand, Canada, etc.
The CPRA builds on existing California law passed in 2018 (the California Consumer Privacy Act, or CCPA). Both laws were sponsored by the same group, Californians for Consumer Privacy, led by Alastair Mactaggart. Some of the CPRA goes into effect now, and the rest is phased in over the next 2 years, with final implementation in mid-2023.
Key components of the law include:
- Access & Deletion rights: consumers can obtain and delete their own personal information.
- Prevent sale of data: consumers can prevent the sale of their information.
- Protect children: guardian or teen permission required prior to sale of children’s info.
- Purpose limitation: only use a consumer’s info for a stated purpose.
- Storage limitation: keep a consumer’s info only as long as the business has stated publicly.
- Data Minimization: don’t collect more consumer info than necessary.
- Chain of custody: onward transferees must offer same level of protection.
- Requirement for reasonable & appropriate security to protect personal info.
- Deletion expansion: when a deletion request is received, businesses must be able to tell the businesses they’ve sold personal info to, or shared it with, to delete that info.
- Right of Correction: let consumers correct personal information with businesses.
- Triples fines for violations involving children’s information.
- Sensitive Personal Info: right to stop its use (includes race, precise geolocation, religion, union membership, genetics, biometrics, sexual orientation, contents of communications).
- Right to see ‘all’ personal info, not just the last 12 months.
- Precise geolocation: no tracking within ~250 acres.
- Profiling: right to object to automated decision-making and learn meaningful information about the logic involved.
- Removing the 30-day right to cure a violation (ends “two strikes you’re out”).
- Right to opt out of cross-context behavioral advertising: fixes a major CCPA weakness.
- Data protection agency with guaranteed funding
- 2x+ bigger than current enforcement
- Removes exclusive enforcement by AG: allows 58 county and 4 largest city DAs to enforce the law via Business & Professions Code Sec. 17200.
- Annual cybersecurity audits and risk assessments for high-risk data processors.
- Chief Privacy Auditor to audit businesses for compliance with the CPRA.
- Prevents law being weakened in the Legislature, because any amendments must be in furtherance of consumer privacy (which are then allowed by a simple majority of the Legislature).