Privacy was on the ballot this November, at least in California. And it appears that enough people voted in favor of Proposition 24, the California Privacy Rights Act (CPRA), for it to become law. Although the CPRA technically becomes effective five days after the California Secretary of State certifies the voting results, the bulk of the law – which is an overhaul of the California Consumer Privacy Act (CCPA) – will not come into force until January 1, 2023. Businesses have some time to prepare for the most significant changes, which we have written about previously. Those changes include handling a new category of “sensitive personal information,” the expansion of the existing CCPA private right of action, and mandatory changes to company privacy policies. So what happens to the CCPA, and what do businesses have to prepare for? The answer is not much in the short term.
Until the CPRA becomes fully effective in 2023, the CCPA remains in full effect. That means businesses should keep up with their CCPA compliance, including being attentive to new California Attorney General regulations. The following CPRA provisions – which largely do not impact businesses directly – will become effective once the California Secretary of State certifies the voting results:
- An extension of the carve out for business contact and employee personal information that is collected by businesses covered by the CCPA. In the existing CCPA, these carve outs were set to expire on January 1, 2021. The carve outs will now be extended to January 1, 2023.
- A Consumer Privacy Fund will be created – with appropriations to be made by the legislature – with the purpose of “offsetting the costs” of state courts and the California Attorney General enforcing the CCPA (and later the CPRA). The fund will also be used “to promote and protect consumer privacy, educate children in the area of online privacy, and fund cooperative programs with international law enforcement organizations” in connection with addressing consumer data breaches.
- The California Attorney General will be charged with developing a laundry list of new regulations, which will put meat on the bones of many of the new CPRA rules.
- A new state agency, the California Privacy Protection Agency, will be created, funded, and begin operations.
Because of the phased effective dates for CPRA’s provisions, businesses have time to revise their policies and prepare for the full weight of the CPRA. Of course, that does not account for whatever CPRA regulations the California Attorney General publishes, which we expect to be previewed perhaps as early as late 2021.
Jenner & Block has developed a checklist for clients to compare their existing CCPA privacy notices against the new requirements of the CPRA. If you need assistance preparing for the CPRA, please contact the authors.