The CPRA significantly changes the types of “businesses” that are subject to the CCPA by amending the criteria (e.g., gross revenue, scope of data processing activities) used to determine whether an organization is a covered “business.”

The CPRA creates a new regulatory agency: the California Privacy Protection Agency, which is vested with full administrative power, authority, and jurisdiction to implement and enforce the CCPA (as amended by the CPRA). The Agency will (i) investigate and hold hearings to determine whether a business, service provider, and/or contractor is compliant with the CCPA, (ii) administer fines for non-compliance, and (iii) assume rulemaking responsibilities under the law.

Third Party Contracts. Although the CCPA did not mandate that businesses execute data protection contracts with their third-party service providers, it encouraged the practice by granting certain benefits to those entities that do so. The CPRA makes this contracting practice mandatory—if a business sells or shares personal information to a third party, or simply discloses such information to a service provider or contractor for a business purpose, then the parties must enter into an agreement that includes specific data processing provisions (e.g., limited use clauses, flow-down compliance obligations, notice of breach and remediation rights).

Data Correction Rights. The CPRA grants California residents a right to request that businesses correct any “inaccurate” personal information in their custody and control. Businesses are required to furnish Californians with notice of this right and to “use commercially reasonable efforts” to comply with data correction requests. Interestingly, however, a business is only obligated to make corrections if the data is “inaccurate” based on the context and purpose for which it was being processed.

Do Not Share My Personal Info. The CPRA significantly restricts how a business can “share” personal information, which is defined broadly to mean a business’s disclosure of personal information, through any means, to a third party for “cross-contextual behavioral advertising” regardless of whether money or other valuable consideration is exchanged between the parties. Businesses that engage in these activities may be required to post “opt-out” links on their websites to ensure Californians can withdraw from this disclosure and advertising process.

Sensitive Personal Information. The CPRA grants California residents the right to direct a business to limit its use of sensitive personal information (e.g., social security numbers, geolocation data, contents of communication) to only certain purposes set forth in the law and in future regulations. Businesses may also be required to post “opt-out” links on their websites to comply with the CPRA’s requirements in this area.

Rewards and Financial Incentive Programs. The CPRA clarifies that, while its non-discrimination clauses—which prohibit businesses from providing different prices or discounts in exchange for personal information—will not prohibit a business from offering a loyalty, premium features or discount program, the new obligations will make it more difficult for businesses to do so. In addition to the “opt-in” consent required under the CCPA, the CPRA now requires businesses to wait at least 12 months before requesting that consumers join a program in the event they previously declined.

Employee Data. Under the CCPA, employment-related personal data was exempted from certain compliance requirements until January 1, 2021. The CPRA extends this compliance deadline until January 1, 2023. The CPRA did not amend the CCPA’s requirements for immediate compliance with the point-of-collection notices and data breach rights for HR data. Additionally, the CPRA explicitly prohibits businesses from retaliating against an employee, job applicant, or independent contractor for exercising their rights under the law.