Privacy and Data Security Alert | November 2020

Shook, Hardy & Bacon L.L.P.

The New and Improved CCPA

After a tense week of watching support for Prop. 24 (the California Privacy Rights Act) wax back and forth between 56% of the vote and 56% of the vote, it seems appropriate to finally say that it has probably passed. (As of November 10, "yes" votes were ahead by more than the remaining uncounted ballots.)

That leaves us with one giant question: What are all the questions we should be asking now that the CPRA has become reality? How about:

What is the CPRA?

In a (privacy-shaped) nutshell, the CPRA is not a whole new privacy law. It’s a voter-passed piece of legislation that expands and amends the already existing CCPA. So instead of scrapping an entire privacy program geared toward CCPA compliance, businesses subject to the CCPA will just need to update their current program to take into account the new rights and obligations that the CPRA enacted.

What’s the five-second takeaway for businesses that need to comply?

Hyperventilation is not necessary (yet). There’s a relatively long runway before the new obligations kick in. If you’ve already gone through the CCPA compliance process, you should have a good base to build from.

When do I have to start worrying?

That’s a question with a surprisingly multi-layered answer. Most of the law won’t become “operative” until January 1, 2023—that is, the new rights and obligations will come into force on that date. That might seem like a long way off, but when you peel that layer back you see that those rights and obligations will apply to personal information collected beginning on January 1, 2022. (And to make things more confusing, the CPRA is technically “effective” five days after the election results are certified, but only a handful of provisions mostly related to the new privacy regulator enter into force that day.) Due to that look-back period, businesses will already need to be thinking about compliance before the beginning of 2022.

What’s being added or changed?

Most significantly, the CPRA would create a new state agency, the California Privacy Protection Agency—which we should agree right now to call the CalPPA (or maybe CAPPA?) to forestall the inevitable confusion between “CCPA” and “CPPA.” That brand new agency would be vested with full administrative power, authority and jurisdiction to implement and enforce the CCPA. Some other big-ticket items the CPRA accomplishes are:

  • Extending the employee and B2B exemptions until January 1, 2023
  • Providing for a new right of correction
  • Enacting restrictions on “sharing” (which is defined as sharing with a third party for cross-context behavioral advertising, not sharing in a general sense)
  • Requiring data-minimization practices (collection and retention limitations)
  • Expanding the private right of action to include breaches involving email and password/security question
  • Eliminating the automatic 30-day cure period for regulatory enforcement (it will instead be at the regulator’s discretion)
  • Enacting additional protections (right to limit use and disclosure) for sensitive information
  • Creating a new “contractor” category separate from “service provider”
  • Requiring risk assessments and audits for businesses whose processing presents “significant risk to consumers’ privacy or security”

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations. Attorney Advertising.

© Shook, Hardy & Bacon L.L.P.
