State flag of California

On November 3, 2020, California’s voters approved Proposition 24, the California Privacy Rights Act of 2020 (the so-called CCPA 2.0). This means that the new California Privacy Rights Act (CPRA) will amend the California Consumer Privacy Act (CCPA) with some significant changes.

Effective Date

The act takes effect on January 1, 2023, with a one-year lookback provision. This means it applies to information collected on or after January 1, 2022.

New Government Agency

The CPRA creates the California Privacy Protection Agency (CPPA)—which is “vested with full administrative power, authority and jurisdiction to implement and enforce” the CCPA, as amended by the CPRA.

Sensitive Personal Information

The new law defines a new category of “sensitive personal information,” to include the usual identifiers such as Social Security number, driver’s license number, passport number, and account information, but also new categories of information, such as precise geolocation, racial or ethnic origin, religious or philosophical beliefs, union membership, personal communications (i.e., the content of emails and text messages), genetic data, biometric or health information, and sex life or sexual orientation.

Additional Provisions

In addition to these changes, once effective, the new law will implement the following changes:

  • A new right for consumers to limit use and disclosure of Sensitive Personal Information.
  • New limits on automated profiling to analyze or predict aspects concerning a person’s performance at work, economic situation, health, personal preferences, interests, reliability, behavior, location, or movements
  • New requirements for annual audits and regular risk assessments for high-risk businesses
  • A new right for consumers to request correction of inaccurate personal information
  • New penalties and increased fines for mishandling children’s data
  • New restrictions on the length of time a business can retain personal information
  • New definitions, requirements, and obligations for service providers, contractors, and third parties

Employment and Business-to-Business Exemptions Under the CCPA

Exemptions under the CCPA with respect to employment-related and business-to-business information are extended to January 1, 2023. However, the existing exemption for employment-related information is not a complete exemption, and employers are still required to comply with certain provisions of the CCPA.

Next Steps for Employers

The CCPA remains in effect until January 1, 2023. As such, businesses will be required to comply with the CCPA while making preparation to comply with the CPRA.

Browse More Insights

Modern dark data center, all objects in the scene are 3D
Practice Group

Cybersecurity and Privacy

The attorneys in the Cybersecurity and Privacy Practice Group at Ogletree Deakins understand that data now accumulates quickly and transmits easily. As the law adapts to technical advancements, we effectively advise our clients as they work to comply with new developments and best practices for protecting the privacy of the data that their businesses collect and retain.

Learn more

Sign up to receive emails about new developments and upcoming programs.

Sign Up Now