Intellectual Property and Privacy Update | November 2020
New California Privacy Rights Act Expands the Applicability and Scope of the CCPA and Strengthens Consumer’s Privacy Rights
California voters pass the California Privacy Rights Act of 2020 (“CPRA”), which both expands upon and amends the California Consumer Privacy Act (“CCPA”), the majority of which will come into effect on January 1, 2023.
As detailed in our previous newsletters, the California Consumer Privacy Act (“CCPA”) came into effect on January 2, 2020 and enforcement commenced on July 1, 2020. However, on Tuesday, November 3, 2020, California voters passed ballot Proposition 24, the California Privacy Rights Act of 2020 (“CPRA”), which expands upon, amends and brings a number of considerable changes to the CCPA.
While the CCPA no doubly evidenced the global effect of the enactment of the EU’s General Data Protection Regulation (“GDPR”) and is generally considered groundbreaking legislation in the U.S., the consumer’s rights afforded by the CCPA were significantly narrower than those provided to data subjects under the GDPR and generally the CCPA provides for a less compressive privacy protection regime, compared to the GDPR. As such, the CPRA will now expand and amend the CCPA and put California’s privacy regulations on a par with the GDPR.
Notable examples of changes introduced by the CPRA include the following:
- The CPRA introduces new disclosure and purpose limitation requirements for “sensitive personal information”, as well as new requirements for data minimization, purpose limitation and storage limitation and strengthened requirements for obtaining consumers’ consent.
- The CPRA introduces new consumer rights, such as the right to correct inaccurate personal information that businesses holds about them (Right to Correct) and a right to opt-out of the use of personal information for automated decision making and to access meaningful information about the logic involved in such decision-making processes (Automated Decision Making). The CPRA also expands and clarifies existing rights under the CCPA, including the right to data portability, the right to delete as well as the right to opt-out, and strengthened opt-in rights for minors.
- The CPRA amends the definition of “service provider”, introduces a new category of “contractors,” and imposes new requirements on service providers and contractors, such as an obligation to notify businesses of any engagement with a sub-service provider or subcontractor and bind them to the same written contract that is concluded between the business and the service provider/contractor, as well as an obligation to assist businesses in responding to consumers’ rights requests.
- The CPRA expands the opt-out obligations imposed on businesses and consumer’s opt-out rights, particularly in the field of digital advertising, in a direct attempt to explicitly regulate the digital advertising market.
- Whereas the CCPA is currently enforced by the California Office of the Attorney General, the CPRA establishes a new California Privacy Protection Agency which will take over the role of the Attorney General.
- The CPRA eliminates businesses’ 30 day cure period following notification of alleged violations by the Attorney General and increases the maximum penalties for violations concerning minors to $7,500.
Most of the new provisions of the CPRA are expected to come into effect on January 1, 2023. However, certain provisions of the CPRA, including an extension of the employee and B2B exceptions under the CCPA, are expected to come into effect in the near future. In the meanwhile, the CCPA remains in full force and effect. For more details regarding the CCPA, please refer to our comprehensive CCPA update.
GKH’s IP and Privacy Group is available to assist clients in preparing for the impact of the CCPA on their business.
For further information regarding this update, please contact Adv. Ella Tevet, Partner, Head of IP and Privacy Practice, at firstname.lastname@example.org or 03-6074588.