| Americas | Articles
California voters have passed the California Privacy Rights Act which is set to amend and supersede the still recent California Consumer Privacy Act (CCPA). The new act, passed on November 3, will go into effect on January 1, 2023.
The California Privacy Rights Act, or CPRA, builds on the existing framework of the CCPA and expands consumer privacy rights to more closely align with the EU’s GDPR. It also, imposes additional obligations on businesses, and establishes the California Privacy Protection Agency (CCPA) – the nation’s first agency dedicated to privacy regulation and enforcement.
The new CPRA provisions of note include the following:
- Clarifying the definition of a covered “business” under the CCPA. This makes is clear that the $25 million annual gross revenue threshold should be measured as of January 1 of the calendar year for the preceding calendar year. It also increases the number of “consumers” or “households” from whom a for-profit entity annually buys, sells, or shares personal information from 50,000 to 100,000, though notably a “device” will no longer contribute to this calculation.
- Distinguishing between “sharing” and “selling” consumer data. In addition to having the ability to opt-out of the sale of their personal information, consumers also have the ability toopt-out of the sharing of their personal information. “Sharing” is defined as:
- “Sharing, renting, releasing, disclosing, disseminating, making available, transferring . . . a consumer’s personal information for cross-context behavioral advertising, whether or not for monetary or other valuable consideration, including transactions between a business and a third party for cross-context behavioral advertising for the benefit of a business in which no money is exchanged.”
- Extension of delaying the law’s coverage of both employee data and business-to-business data until January 1st, 2023.
The CPRA as a whole will not go into effect until January 1, 2023 and will only apply to information collected on or after January 1, 2022. Enforcement will not begin until July 1, 2023. Until then, the CCPA will remain the governing privacy regime.
