Editor's Note: This article, authored by Jacob Rheaume and Joseph Messer, originally appeared on the Messer Strickler, Ltd. Blog and is republished here with permission.
On Nov. 3, 2020, California voters approved Proposition 24, which enacted the California Privacy Rights Act of 2020 (CPRA). The CPRA will substantially expand the existing California Consumer Privacy Act (CCPA), which became effective in January of 2020. In addition to increasing the CCPA’s consumer privacy protection provisions, the CPRA establishes the California Privacy Protection Agency (the “Privacy Agency”). This first-of-its-kind Privacy Agency will replace the California Attorney General as the chief enforcer of consumer privacy in California and will be vested with the full “power, authority, and jurisdiction to implement and enforce” the CCPA and CPRA.
In addition, the CPRA, which will be incorporated into the CCPA, expands the types of liability businesses may face for privacy or information security violations. The CPRA will take effect on January 1, 2023, but will have a “look-back” period to January 1, 2022. Provisions related to the Privacy Agency and requirements to adopt new privacy regulations take effect immediately.
CPRA Amendments to CCPA
Expanded Consumer Privacy Rights
The CPRA creates the Right to Correct Inaccurate Personal Information. Specifically, the CPRA states that a “consumer shall have the right to request a business that maintains inaccurate personal information about the consumer correct such inaccurate personal information ...” This right is limited based on the nature and purpose of the processing of personal information.
Sensitive Personal Information
The CPRA creates a new subcategory of personal information called “Sensitive Personal Information.” Identifiers that qualify as Sensitive Personal Information include:
· Government-issued identifiers (e.g., social security number, driver’s license number, passport number);
· Financial information (e.g., financial account information, credit/debit card information);
· Precise geolocation information;
· Biometric information and genetic information;
· Racial or ethnic origin, religious or philosophical beliefs, or union membership;
· Personal information collected and analyzed concerning a consumer’s health, sex life, or sexual orientation; and
· The contents of a consumer’s mail, email, and text messages, unless the business is the intended recipient of the communication.
Businesses that receive Sensitive Personal Information will be subject to additional requirements, and consumers will have the affirmative right to limit the use of their Sensitive Personal Information.
Expansion of Private Right of Action for Data Breaches
The CPRA expands the CCPA’s private right of action related to data breaches to include the compromise of email addresses in combination with a password or security questions that could grant access to a user’s account.