Ride the Lightning

California Has Passed a New Privacy Rights Act

November 9, 2020

Law firm Clark Hill published an alert on November 6 about the November 3 passage of the California Privacy Rights Act ('CPRA'). CPRA expands the privacy protections of the California Consumer Privacy Act (CCPA) adopted in 2020.The CCPA will remain in force until January 1, 2023, when the CPRA becomes effective, superseding the CCPA and giving consumers in California new and expanded rights over how businesses may use their personal information.

For smaller business, there is one great benefit. Doubling the previous threshold, a business falls under the CPRA if it buys, sells, or shares the personal information of 100,000 or more California consumers or households.

Also, businesses must comply with the CPRA if they derive at least 50 percent or more of their annual revenue from selling or sharing the personal information of California consumers, and/or the business has gross revenue over $25 million in the preceding year.

Notably, the act gives California consumers the ability to prevent businesses from using some categories of sensitive information, such as biometric identifiers, race, health, religion, geolocation, sexual orientation, and other personal information.

Under the new law, businesses must disclose, deliver, or correct inaccurate personal information or delete a consumer's personal information within 45 days of receiving a request from the consumer. The time period can be extended an additional 45 days when it is reasonably necessary for the business to comply. Consumers also have the right to opt out of a business' sale or sharing of their personal information.

The CPRA provides funding for the California Privacy Protection Agency which would be charged with enforcing privacy laws. Once fully operational, it is likely that investigations and enforcement actions of California consumer privacy violations will increase significantly.

Finally, the CPRA expands the scope of a private cause of action granted to consumers by adding email addresses and passwords or security questions to the list of personal information, which, if subject to a data breach, may give rise to liability to affected consumers via a private cause of action.

The ACLU was opposed to the law because of its provision permitting businesses to charge consumers more for goods and services if they decide to opt-out of the sharing or selling of their personal information.

As the political landscape settles down in 2021, I agree with the post – it is likely that any federal or state draft legislation will look to California's new law as, at least, a starting point.

Hat tip to Dave Ries.

Sharon D. Nelson, Esq., President, Sensei Enterprises, Inc.
3975 University Drive, Suite 225|Fairfax, VA 22030
Email: Phone: 703-359-0700
Digital Forensics/Cybersecurity/Information Technology
https://senseient.com
https://twitter.com/sharonnelsonesq
https://www.linkedin.com/in/sharondnelson
https://amazon.com/author/sharonnelson