
California Voters Approve (Another) Overhaul of California Consumer Privacy Laws: Meet the California Privacy Rights Act

Author: Paul W. Sweeney, Jr., Tara C. Clancy & Gregory T. Lewis
Date: 13 Jan 2021
Publisher: National Law Review
Focus: Privacy & Data Protection
Category: Regulator or Lawmaker

The CPRA defines a “dark pattern” as “a user interface designed or manipulated with the substantial effect of subverting or impairing user autonomy, decision-making, or choice” and clarifies that it should be “further defined by regulation.”

For the second time in two years, California is preparing to revolutionize its consumer privacy law framework. California voters overwhelmingly voted in favor of Proposition 24, the California Privacy Rights Act (CPRA), in the 3 November 2020 general election, approving the measure by a double-digit percentage margin—over two million votes. The CPRA’s inclusion on the ballot came due to efforts from Californians for Consumer Privacy, the same organization whose consumer privacy ballot initiative in 2018 prompted the California legislature to enact the California Consumer Privacy Act (CCPA). Californians for Consumer Privacy asserted, however, that an “assault by giant corporations” on the CCPA during the legislative process weakened the law’s final, codified version, which prompted the organization’s efforts to put the issue of adopting a new consumer privacy regime in California before California voters once more.

The key provisions of the CPRA, which will not go into effect until 1 January 2023, simultaneously constitute both a strengthening and a weakening of the current regime under the CCPA. As we explained in our earlier alert on the CPRA, some provisions of the CPRA expand the CCPA’s reach, enhancing the consumer privacy protections set forth in the CCPA both by clarifying rights currently existing under the CCPA and by imposing additional obligations on businesses subject to the CPRA’s provisions. In other places, however, the CPRA loosens requirements imposed under the CCPA, including narrowing the scope of businesses subject to the law.

Businesses have time, given the effective date of the CPRA, to determine what modifications must be made to their existing CCPA compliance efforts. The full 53-page text of the CPRA can be found here,1 but this alert will discuss several of the highlights from the CPRA.