Click to open contact form.
Your Global Partners in the Business of Innovation

California Enacts the California Privacy Rights Act (CPRA) Amending the CCPA

Publications / Nov 30, 2020

Join us on our privacy and data protection webinar (held in Hebrew) on December 7th at 11:00 am Israel time, for an in-depth discussion of important developments in Israel and around the world. Participation is free of charge but is subject to prior registration. Click HERE for more information and to register.

Article written by Haim Ravia, Dotan Hammer and Adi Shoval

Less than a year after the groundbreaking California Consumer Privacy Act (“CCPA”) entered into effect, California is enacting the California Privacy Rights Act (“CPRA”) which introduces major changes to the CCPA. Most of the CPRA’s GDPR-inspired obligations will become effective in 2023, but some will enter into effect as early as 2021.

One significant change is the establishment of the California Privacy Protection Agency (the “Agency”) in 2021. The Agency will be vested with full administrative power to implement and enforce the CPRA and promote public awareness of consumer privacy.

In 2022, the Agency will adopt new rules and procedures for businesses on a variety of topics, which will become enforceable in 2023. These topics include annually required cybersecurity audits; privacy risk assessment that businesses will be required to periodically file with the Agency; and rules on a business’s permissible uses and disclosures of a consumers’ sensitive personal information.

The CPRA will also modify the threshold criteria for the law’s applicability to businesses. It also will introduce new limitations and restrictions on business’s processing of personal information, including sensitive information such as government-issued identifiers, online account or financial account credentials, precise geolocation, and genetic and health information.

One of the CPRA’s reliefs for business will start in 2023, when the CPRA’s obligations on businesses, and the privacy rights it gives consumers, will no longer apply to information that a business reasonably believes is lawfully made available to the general public by the consumer. This carve-out likely will allow companies to harvest personal information that is publicly posted on social networks, without being subject to any CPRA obligations concerning such harvested data.

CLICK HERE to read Pearl Cohen’s review of the CPRA.