California’s Consumer Privacy Rights Act: What you need to know

In November 2020, California voters approved a consumer data privacy law that adds significant rights to the existing California Consumer Privacy Act (CCPA) of 2018. The California Privacy Rights Act (CPRA) amends and expands the breadth of requirements introduced under the CCPA to give California residents more control over how businesses collect, use, process, retain, and share their personal data. 

The CPRA offers more stringent protection of consumer privacy rights and also creates the California Privacy Protection Agency (CPPA), the first state agency dedicated to protecting individual privacy rights. Companies will be expected to start complying with the CPRA in January 2023, with enforcement scheduled to begin in July 2023. (But, note that it applies to data collected starting Jan. 1, 2022, so businesses should now be applying the CPRA’s expanded definition of “private data.”)

CPRA advocates believe the law will not only strengthen consumer rights under the existing CCPA but also help drive the push for national data privacy standards. Significant changes include: 

A higher threshold for compliance

The volume of consumer personal information (PI) that an organization must process to qualify as a business under the scope of these protections has been raised. Any organization that processes the records of 100,000 California consumers or households will be required to comply with the CPRA, up from the 50,000 threshold stipulated by the CCPA. 

Establishes an enforcement oversight agency

The CPRA establishes a new enforcement agency, the California Privacy Protection Agency (CPPA), that will be responsible for upholding the rules and levying penalties for violations. Previously, the California state attorney general was responsible for oversight and enforcement. Enforcement will include administrative proceedings and fines that range from $2,500 to $7,500 per violation. In particular, the CPRA raises penalties for violations involving consumers under the age of 16 to $7,500 per incident.

The CPRA will require regulatory guidance mandating ongoing risk assessments and cybersecurity audits. Presumably, the results of these assessments and audits will be submitted to CPPA for review. In certain cases, the CPPA will maintain the right to audit companies in order to gauge their compliance.

The CPRA will also eliminate the 30-day “cure” period in which violators can address infractions. Instead, the CPPA will be able to set a time period for curing based on the intent of the business to violate privacy provisions. 

Expanded consumer rights 

The CPRA adds two new rights to the four created by the CCPA: the right to correction – companies that receive “verifiable consumer requests” to correct reportedly inaccurate personal information will be required to use “commercially reasonable efforts” to do so – and a right to place limits on how a business uses and discloses their personal information.

It also expands on three existing rights:

• Right of deletion: Service providers, contractors, and third parties will be required to cooperate with businesses’ requests to delete personal information.
• Right to know: The CPRA expands the consumer’s right to know what personal information has been collected, as well as the duration of its data retention.
• Right to opt out: The CPRA strengthens an individual’s right to opt out of sharing personal information for cross-contextual behavioral advertising. 

Expansion of private right of action

Under the CPRA, a consumer will be able to bring claims against a company for unauthorized access to or disclosure of an email address and password. Consumers can also take action against a company if a security question and answer that permits access to the consumer’s account is disclosed, leading to exposure of user data.