CPRA: What You Need To Know White Paper
The California Privacy Rights Act of 2020 ('CPRA'), or Proposition 24, was passed with a 56% majority in the California General Election of 3 November 2020. The first version of the ballot initiative that became the CPRA was introduced in September 2019 by Alastair Mactaggart, Board Chair and Founder of the Californians for Consumer Privacy group and proponent of the California Consumer Privacy Act of 2018 ('CCPA'), which was passed by the California Legislature in June 2018.
The CPRA will enter into effect on 1 January 2023 and, with the exception of the right of access, it will apply to personal information collected by a business on or after 1 January 2022.
In spite of the timeframe for compliance, there are several new requirements that organizations are already preparing for.
OneTrust DataGuidance has summarised the key changes the CPRA introduces, which include:
- sensitive personal information as a new category of personal information;
- additional and amended consumer data rights;
- expanded contractual requirements for service providers and third parties;
- new definitions for, among other key terms, 'sharing,' profiling,' and 'service providers;'
- the creation of a state privacy agency;
- new risk assessment and cybersecurity audit requirements;
- provisions on profiling; and
- extended exemptions.