The California Privacy Rights Act – what it means for consumers and businesses

      The California Privacy Rights Act (CPRA) is a privacy law that was passed in California in November 2020 and came into effect on 1 January 2023.

      It will be enforceable from 1 July 2023 and builds on the California Consumer Privacy Act (CCPA), providing additional privacy rights and protections for California residents. The CPRA expands and strengthens the privacy protections of the CCPA.

      The implications of CPRA are significant for businesses and consumers alike. We have set out below some of the key implications of CPRA:

      1. Expanded consumer privacy rights:

      CPRA expands the rights of California residents to control their personal information, including the right to correct inaccurate information, the right to limit the use of sensitive information and the right to opt-out of the sale or sharing of their personal information.

      2. Increased obligations for businesses:
      CPRA imposes additional obligations on businesses that collect and use personal information, including the requirement to conduct regular risk assessments and to implement data minimization practices. It also creates a new enforcement agency, the California Privacy Protection Agency (CPPA), which will have the authority to enforce the law and impose fines for non-compliance.

      3. Impact on businesses outside of California:

      While CPRA applies specifically to California residents, its impact will be felt by businesses outside of California that collect personal information from California residents. This is because CPRA requires businesses to extend the same privacy rights to California residents, regardless of where the business is located.

      4. Expansion of the definition of personal information:

      CPRA expands the definition of personal information to include new categories such as precise geolocation data, race, ethnicity and health information.

      5. Data retention periods:

      The CPRA introduces new requirements for businesses to limit the retention of consumers’ personal information. Businesses must inform consumers about the length of time they intend to retain personal data and must not retain it for longer than necessary.

      6. Greater liability for data breaches:

      CPRA increases the potential liability for businesses in the event of a data breach, requiring them to implement reasonable security measures and imposing penalties for failure to do so.


      How Waystone Compliance Solutions can help

      Overall, the implications of CPRA are complex and far-reaching, as it enhances privacy protections for consumers and increases the obligations and potential liability for businesses.

      For more information on how our cyber and data protection team can help you navigate the CPRA ahead of its enforcement date, please contact us.


      CCPA v CPRA comparison chart

      The CCPA v CPRA comparison chart highlights the evolution of privacy regulations in California. While the CCPA introduced privacy rights and obligations, the CPRA further enhances consumer privacy protections, expands rights, and establishes a comprehensive data protection framework in the state.
