California Consumer Privacy Act (CCPA)
CPRA Final Text
- Prop 24 passed in the November 2020 general election, which created the California Privacy Rights Act (CPRA)
- Unlike the CCPA, the CPRA establishes a new enforcement agency to handle complaints from data subjects, investigate potential GDPR violations and help advise companies in areas of uncertainty. Similarly, the California Privacy Protection Agency will act as an advisory body to companies aiming to do the right thing according to the law, but will also enforce the law, taking enforcement out of the California attorney general’s hands.
- The new agency can begin its rulemaking in July 2021. The law allows for the agency to issue fines three times as high as the attorney general could under the CCPA if the violation involves users under the age of 16. Enforcement of the CPRA itself can begin no sooner than July 1, 2023. Until then, the CCPA applies.
- Helpful links:
- Key CPRA provisions to note from IAPP:
- extensions of the employee exception and business-to-business exception to Jan. 1, 2023
- the establishment of a Consumer Privacy Fund
- direction for the California attorney general “to adopt regulations and the mechanisms to transfer regulatory authority” to the state’s new enforcement agency, the California Privacy Protection Agency (CPPA)
- creation of the CPPA, “vested with full administrative power, authority and jurisdiction to implement and enforce the CCPA, as amended by the CPRA”
- designation of funds for the CPPA, which are expected to be approximately $10 million.
- Governor Newsom signed Assembly Bill No. 1281 into law that extends business-to-business and employment exemptions under the California Consumer Privacy Act until January 1, 2022 rather than the original January 1, 2021 date
Bottom line – California continues to lead the way in the US for consumer privacy. If you do business in California (or with Californians), pay close attention as the new CPRA is better understood and the CPPA is formed.