New changes are coming to California’s data privacy laws in 2023, and companies doing business in California need to start preparing now to ensure continued compliance in their data collection and privacy disclosure practices heading into the coming year. On November 3, 2020, California voters approved through ballot initiative the California Privacy Rights Act (“CPRA”), which amends the existing California Consumer Privacy Act (“CCPA”) and creates new rights for California residents (also called “consumers” under the CCPA/CPRA). The CPRA will become fully operative on January 1, 2023, and will be enforced starting July 1, 2023.
Key features of the CPRA include the following:
1. Creates a New Category of “Sensitive Personal Information.” The CPRA creates a new category of “Sensitive Personal Information” and provides consumers with the new right to opt out of a business's use and disclosure of their Sensitive Personal Information. “Sensitive Personal Information” includes the following types of information: social security numbers, driver's license numbers, passport numbers, financial account and payment card information, precise geolocation, and health and biometric information. “Sensitive Personal Information” also includes the following information categories: race, ethnicity, religion, union membership, private personal communications, and sexual orientation. In addition to disclosing the types of sensitive personal information they collect and the purposes for collection, businesses must provide a clear and conspicuous link on their website homepage, entitled "Limit the Use of My Sensitive Personal Information," that enables a consumer or other authorized agent to limit the use or disclosure of the consumer's Sensitive Personal Information.
- The retention period or retention criteria for each category of personal information collected.
- Details regarding the processing of Sensitive Personal Information.
- Notification to consumers of the new Right to Correct any inaccurate personal information the business maintains about that consumer.
3. California Privacy Protection Agency and Enforcement. Further, the CPRA establishes the California Privacy Protection Agency to enforce and issue new regulations for the CPRA. The CPRA will triple the CCPA’s penalties for violations involving the personal information of minors under age 16. Further, the CPRA eliminates the CCPA’s current 30-day cure period for violations, meaning that establishing a compliance program in advance of any perceived non-compliance will be essential for businesses covered by the CPRA.
4. Employee and B2B Data Exceptions. The CPRA has extended the current exceptions for employee and business-to-business data until January 1, 2023, at which time the exceptions will expire and California-based employees and business-to-business contacts and their personal information will be entitled to the same rights and protections as California consumers generally. It remains to be seen whether the California legislature will further extend these exceptions before the January 1, 2023, expiration date or enact a more long-term solution for employee and business-to-business data in the meantime.
At this time, some key steps that current CCPA-compliant businesses can take now to prepare for the CPRA include performing a data inventory of any Sensitive Personal Information collected and determining the retention periods and retention criteria for personal information.