On November 3, 2020, California’s voters approved Proposition 24, the California Privacy Rights Act of 2020 (the so-called CCPA 2.0). This means that the new California Privacy Rights Act (CPRA) will amend the California Consumer Privacy Act (CCPA) with some significant changes.
The act takes effect on January 1, 2023, with a one-year lookback provision. This means it applies to information collected on or after January 1, 2022.
New Government Agency
The CPRA creates the California Privacy Protection Agency (CPPA)—which is “vested with full administrative power, authority and jurisdiction to implement and enforce” the CCPA, as amended by the CPRA.
Sensitive Personal Information
The new law defines a new category of “sensitive personal information,” to include the usual identifiers such as Social Security number, driver’s license number, passport number, and account information, but also new categories of information, such as precise geolocation, racial or ethnic origin, religious or philosophical beliefs, union membership, personal communications (i.e., the content of emails and text messages), genetic data, biometric or health information, and sex life or sexual orientation.
In addition to these changes, once effective, the new law will implement the following changes:
- A new right for consumers to limit use and disclosure of Sensitive Personal Information.
- New limits on automated profiling to analyze or predict aspects concerning a person’s performance at work, economic situation, health, personal preferences, interests, reliability, behavior, location, or movements
- New requirements for annual audits and regular risk assessments for high-risk businesses
- A new right for consumers to request correction of inaccurate personal information
- New penalties and increased fines for mishandling children’s data
- New restrictions on the length of time a business can retain personal information
- New definitions, requirements, and obligations for service providers, contractors, and third parties
Employment and Business-to-Business Exemptions Under the CCPA
Exemptions under the CCPA with respect to employment-related and business-to-business information are extended to January 1, 2023. However, the existing exemption for employment-related information is not a complete exemption, and employers are still required to comply with certain provisions of the CCPA.
Next Steps for Employers
The CCPA remains in effect until January 1, 2023. As such, businesses will be required to comply with the CCPA while making preparation to comply with the CPRA.