What You Need to Know About The California Privacy Rights Act

By Chris Lippert

When it became effective in 2018, the GDPR provided a blanket blueprint that led to over a dozen countries updating their national privacy laws to “keep up” with the new industry standards.

But unfortunately, the U.S. has yet to do the same when it comes to federal data protection legislation—as it stands right now, Congress will need to compromise on the two key issues of preemption and private right of action before more progress can be made.

That’s left us with a patchwork of state and industry legislation that hasn’t done much to help demystify U.S. data protection. Our dedicated privacy practice and team are tasked with staying abreast of potential and emerging changes to this landscape, and with a significant change on the horizon, we want to help you prepare.

There’s a new law now in effect in the California Privacy Rights Act (CPRA), and in this article, we’re going to break down what you can expect, including by drawing comparisons to the older California Consumer Privacy Act (CCPA). Let us simplify at least this part of the privacy landscape so that you can more easily “keep up” with regulations.

What is the CPRA?

So what is the CPRA, and why should you care?

Effective on January 1, 2023, the CPRA represents California’s latest state legislation concerned with protecting the digital privacy of CA residents.

For what it’s worth, California is doing its part to somewhat “keep up with the Joneses”—the CPRA and the GDPR share similar concepts and extraterritorial reach. The former contains GDPR-like provisions regarding things like data minimization, retention, and conducting risk assessments.

While the GDPR speaks to personal data of natural persons in the EU, the CPRA applies to businesses dealing with the personal information of California residents, but to actually fall under its jurisdiction, an organization must meet at least one of three established criteria. Your organization will be subject to the CPRA if you:

  • Buy, share, or sell the personal information (PI) of at least 100,000 consumers or households annually.
  • Make $25 million in gross revenue in the preceding year, as of January 1.
  • Receive 50% or more of gross revenues from sharing or selling personal information collected from your users.

CPRA vs. CCPA

The CPRA can be considered a new iteration of an earlier piece of California legislation—the CCPA, which went into effect on January 1, 2020, and created an array of consumer privacy rights and business obligations with regard to the collection and sale of personal information.

The CPRA builds upon its predecessor—some even call it CCPA 2.0—but there are some key differences between the two regulations you should understand, including significant expansions:

What You Need to Know About The CPRA Table scaled

What is the CPPA?

The CPPA is likely the most anxiety-inducing change for organizations. With an office now solely devoted to responsible for safeguarding all Californian’s digital privacy, resources will be increased exponentially and enforcement should see a big uptick after the July 1, 2023 enforcement date.

But the CPPA won’t just be dropping the hammer. They’ll also be responsible for further rulemaking, including drafting and implementing regulations on requirements for performing annual cybersecurity audits and conducting risk assessments, some of which will be required to be submitted to the CPPA on an annual basis.

What’s Next for Privacy in the United States

California certainly has been leading the charge in the United States where data privacy is concerned, but it’s also important to note that several other states are close on its heels with their own legislation as well.

In Connecticut, Virginia, Colorado, and Utah, new laws are set to become effective in 2023, and while they have some similarities to the CPRA when it comes to scope and requirements, there are key differences as well regarding factors such as:

  • Revenue thresholds;
  • Carve outs; and
  • Private right of action.

As much as this is all good news for data protection, all these new laws with varying jurisdictions and requirements will continue to cause additional headaches for organizations pending an established baseline to adhere to that stretches across the entire United States.

Complying with The CPRA

Until federal privacy legislation is passed, privacy standards in the U.S. will continue to be surpassed by more countries across the globe. And as the privacy “Joneses” will continue to leave us in the dust, organizations will continue to encounter an increasing barrier to e-commerce—for those reasons, we can only hope that Congress prioritizes the passing of a national privacy law sooner rather than later.

But for those organizations conducting business in California, you’ll have to contend with the new CPRA and its expanded requirements for the time being. With the establishment of the CPPA to enforce these data privacy regulations, you may want to adopt a more conservative approach with your privacy notices and protections to ensure you remain in compliance.

Chris Lippert is a Senior Manager and Privacy Technical Lead with Schellman and is based in Atlanta, GA. With more than 10 years of experience in information assurance across numerous industries, regulations, and frameworks, Chris developed a passion for and concentration in data privacy. He is an active member of the International Association of Privacy Professionals (IAPP), holds his Fellow of Information Privacy (FIP) designation, and advocates for privacy by design and the adequate protection of personal data in today’s business world.