On election day, California State voters passed Proposition 24, the California Privacy Rights Act ("CPRA"), a measure that strengthens consumer data privacy rights that were originally created by the California Consumer Privacy Act ("CCPA"). The amendments to the CCPA implement a regulatory framework that is, in some respects, closer aligned with that of the European Union's ("EU") General Data Protection Regulation ("GDPR"). With the passage of these additional California State consumer data restrictions, businesses should work with a CPRA lawyer to help navigate their compliance obligations. Failure to do so may result in private rights of action and/or investigations by California's State Attorney General.
What are the similarities between the CPRA and GDPR?
CPRA Trending Toward GDPR Principles
In 2016, the GDPR was passed into law with the purpose of affording individuals the right to restrict the use of their personal data through a uniform standard of protection across the EU. In 2018, California enacted the CCPA to enhance consumer data privacy rights for California State residents. The recently passed CPRA amendments to the CCPA bring California's data privacy law closer to the protections created under the GDPR. Important similarities between the CPRA and GDPR include:
- The CPRA and GDPR both afford consumers the right to rectify inaccurate personal data points that companies have collected about them.
- The CPRA mirrors the GDPR insofar as data minimization and retention matters are concerned. Specifically, the CPRA explains that "a business shall not retain a consumer's personal information . . . for longer than is reasonably necessary for that disclosed purpose." In turn, the GDPR provides that businesses cannot retain personal data for "longer than is necessary for the purposes for which the personal data are processed."
- The CPRA transfers enforcement of data privacy compliance from the California Department of Justice to the newly-enacted California Privacy Protection Agency ("CPPA"). The CPPA will be comprised of a five-member board "with full administrative power, authority, and jurisdiction to implement and enforce the [CCPA]." Similarly, the GDPR required each member state to designate a supervisory authority to oversee the application of the GDPR within the applicable jurisdiction of each member state.
- The CPRA creates a new "Sensitive Personal Information" category that aligns with the GDPR's tiers of personal information. Information such as religious beliefs, racial and ethnic origin, and geolocation will now receive heightened protection under the CCPA.
Hiring a CPRA Lawyer
The CPRA will become effective on or before December 11, 2020. However, please note that California is not due to begin enforcing the CPRA until July 1, 2023. In the interim, it is imperative that businesses now follow existing CCPA requirements and begin working toward compliance with the CPRA in the near future. A CPRA lawyer can help businesses comply with California State consumer data privacy law mandates with the goal of avoiding regulatory investigation and costly civil penalties.
Related Blog Posts:
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.