Thursday, March 4, 2021
Corporate Compliance Insights
  • Home
  • About
    • About CCI
    • Writing for CCI
    • NEW: CCI Press – Book Publishing
    • Advertise With Us
  • Articles
    • See All Articles
    • NEW: COVID-Related
    • Compliance
    • Ethics
    • Risk
    • FCPA
    • Governance
    • Fraud
    • Internal Audit
    • HR Compliance
    • Cybersecurity
    • Data Privacy
    • Financial Services
    • Leadership and Career
  • Vendor News
  • Jobs
    • Compliance & Risk
    • Information Security
  • Events
    • Webinars & Events
    • Submit an Event
  • Downloads
    • eBooks
    • Whitepapers
  • Podcasts
  • Videos
  • Subscribe
No Result
View All Result
  • Home
  • About
    • About CCI
    • Writing for CCI
    • NEW: CCI Press – Book Publishing
    • Advertise With Us
  • Articles
    • See All Articles
    • NEW: COVID-Related
    • Compliance
    • Ethics
    • Risk
    • FCPA
    • Governance
    • Fraud
    • Internal Audit
    • HR Compliance
    • Cybersecurity
    • Data Privacy
    • Financial Services
    • Leadership and Career
  • Vendor News
  • Jobs
    • Compliance & Risk
    • Information Security
  • Events
    • Webinars & Events
    • Submit an Event
  • Downloads
    • eBooks
    • Whitepapers
  • Podcasts
  • Videos
  • Subscribe
No Result
View All Result
Corporate Compliance Insights
Home Data Privacy

How California’s New(er) Privacy Legislation Will Affect U.S. Businesses

What to Expect from the CPRA

by Matthew White and Alexander Koskey
November 18, 2020
in Data Privacy, Featured
fingerprint over Los Angeles skyline at night

The California Privacy Rights Act of 2020 is similar to the CCPA, but there are significant differences. Baker Donelson’s Matthew White and Alexander Koskey summarize several of the provisions of the CPRA that all covered businesses need to consider.

While most of us have been understandably focused on the presidential election, the State of California has passed significant new privacy legislation that may have a substantive impact on your business. Specifically, Californians voted to pass Proposition 24, the California Privacy Rights Act of 2020 (CPRA). The CPRA will replace the California Consumer Privacy Act (CCPA) beginning January 1, 2023. While many may be quick to label this as “CCPA 2.0,” the CPRA has a much broader set of rights and obligations than the CCPA, which may create new compliance hurdles for covered businesses.

Timing

The CPRA takes effect on January 1, 2023. However, it will have a “look back” period to January 2022, meaning that personal information collected by businesses starting January 1, 2022 will be subject to the CPRA’s requirements. Until that time, the CCPA remains in force.

Key Provisions

The CPRA appears to be moving California’s privacy regulations even closer to the requirements of the European Union’s General Data Privacy Regulation (GDPR). The CCPA was already the most significant privacy legislation in the United States, and with the passage of the CPRA, the requirements companies will face are now further heightened. Some of the CPRA’s key provisions include:

  • Creating the California Privacy Protection Agency (CPPA), the first privacy-specific regulator in the United States. The CPPA will be in charge of enforcing the CPRA and, once created, will assume enforcement of the CCPA from the California Attorney General’s Office. In addition to its enforcement abilities, the CPPA will be charged with conducting rulemaking to clarify a number of key areas of the CPRA’s requirements.
  • Revising the definition of a “covered business.” The CPRA modifies the definition of covered businesses to include all businesses that share personal data, without regard to whether they receive monetary compensation.
  • Classifying “sensitive personal information.” The CPRA establishes this specialized category of personal information and grants consumers additional rights with respect to the use of this information. Sensitive personal information is defined to include: Social Security numbers, driver’s license numbers, passport numbers, financial account information, precise geolocation, race, ethnicity, religion, union membership, personal communications, genetic data, biometric or health information and information about sex life or sexual orientation.
  • Expanding liability for data breaches. The CPRA expands the private right of action under the CCPA to include data breaches that result in the compromise of an email address and password or other information that would permit access to the consumer’s account.
  • Increasing protections for minors’ data. The CPRA triples fines for violations of the CCPA’s opt-in rights relating to the sale of data for consumers under the age of 16.
  • The CPRA expands upon the CCPA’s “Right to Opt-Out” to include both the sharing and sale of personal information. If your business determined that it did not need to provide an opt-out to California consumers under the CCPA, your processes will likely need to be evaluated again for the CPRA.

In addition to these provisions, the CPRA contains additional requirements with respect to the sharing of information, adds additional consumer rights (such as the creation of a new right of correction and expansion of the right to deletion), limits the CCPA’s 30-day opportunity to cure provisions, expands the CCPA’s anti-retaliation provisions and includes new personal data retention requirements. Notably, the CPRA also extends the current CCPA exemption for personnel/applicant data until January 1, 2023.

Takeaway

With the CPRA, California has taken the nation’s toughest privacy law – the CCPA – and expanded it to make it more comparable to Europe’s GDPR. Companies need to review their current CCPA compliance plans and prepare to revamp those plans to address the numerous additional requirements imposed by the CPRA. This will involve, among other things, revision of privacy notices, retention schedules, privacy practices and disclosures. The consequences for failing to do so are only heightened by the creation of the CPPA, whose charge will be to focus on protecting the privacy of California consumers by enforcing the CPRA.


Tags: California Privacy Rights ActCCPA/California Consumer Privacy ActGDPR
Previous Post

The Best Questions to Ask During a Fraud Interview

Next Post

Navigating Compliance and Culture Issues in a (Post)-COVID World

Matthew White and Alexander Koskey

Matthew G. White, a shareholder in the Memphis office of Baker Donelson, advises clients on a wide variety of cybersecurity and data privacy issues. He is a Certified Information Privacy Professional (CIPP / US, CIPP / E) and a Certified Information Privacy Manager (CIPM).
Alexander Koskey, an attorney in Baker Donelson’s Atlanta office, is a Certified Information Privacy Professional and represents financial institutions and organizations on a wide range of data privacy, regulatory and compliance and litigation matters.

Related Posts

The facade of the SEC in Washington, D.C.

Prepare Now to Comply with SEC’s Updated MD&A and Related Financial Disclosure Requirements

March 3, 2021
Illustration representing a facial recognition technology scan of a face.

Facial Recognition Technology in the Workplace: Employers Use It, Workers Hate It, Regulation Is Coming for It

March 3, 2021
A director contemplates information at her desk.

Key Concerns for Directors in 2021: Recovery from COVID-19 Is Top Priority

March 2, 2021
woman looking at horizon from mountain top

What’s on the Horizon for Anti-Corruption Enforcement?

February 25, 2021
Next Post

Navigating Compliance and Culture Issues in a (Post)-COVID World

OneTrust offers download to demonstrate privacy management leadership
Access realtime data
Addressing systemic racism in the workplace SAI Global
Top 10 Risk and Compliance Trends

Special Coverage

Special COVID page graphic

Jump to a Topic:

anti-corruption anti-money laundering/AML Artificial Intelligence/A.I. automation banks board of directors board risk oversight bribery CCPA/California Consumer Privacy Act Cloud Compliance communications management Coronavirus/COVID-19 corporate culture crisis management cyber crime cyber risk data analytics data breach data governance decision-making diversity DOJ due diligence ESG fcpa enforcement actions financial crime GDPR GRC HIPAA information security KYC/know your customer machine learning monitoring ransomware regtech reputation risk risk assessment SEC social media risk supply chain technology third party risk management tone at the top training whistleblowing
No Result
View All Result

Privacy Policy

Follow Us

  • Facebook
  • Twitter
  • LinkedIn
  • RSS Feed

Category

  • CCI Press
  • Compliance
  • Compliance Podcasts
  • Cybersecurity
  • Data Privacy
  • eBooks
  • Ethics
  • FCPA
  • Featured
  • Financial Services
  • Fraud
  • Governance
  • GRC Vendor News
  • HR Compliance
  • Internal Audit
  • Leadership and Career
  • Opinion
  • Resource Library
  • Risk
  • Uncategorized
  • Videos
  • Webinars
  • Whitepapers

© 2019 Corporate Compliance Insights

No Result
View All Result
  • Home
  • About
  • Articles
  • Vendor News
  • Podcasts
  • Videos
  • Whitepapers
  • eBooks
  • Events
  • Jobs
  • Subscribe

© 2019 Corporate Compliance Insights