Understanding the CPRA

November 30, 2020

On November 3, Californians voted to approve Proposition 24, the California Privacy Rights Act (or “CPRA”). This ballot initiative will significantly modify the California Consumer Privacy Act (“CCPA”), California’s existing privacy law, which came into effect less than a year ago. The CPRA makes a number of changes to the CCPA, revising the law’s applicability, consumer protections, and enforcement mechanisms. While these are substantial revisions, the CPRA will not go into effect until January 1, 2023, giving companies time to adjust. This Client Alert outlines the regulatory road ahead and highlights the changes you will need to make to your CCPA compliance program to comply with the CPRA.

The CPRA Passed. What happens next?

Timeline for CCPA/CPRA

Most of the substantive provisions of the CPRA will not come into effect until January 1, 2023. While that gives companies more than two years to prepare, during the interim period the CCPA will remain in effect. We expect to see a fair amount of uncertainty during this time, as both the CCPA and CPRA could be modified by regulations. Companies should keep the following key dates in mind:

  • January 1, 2022: Companies should be prepared to begin tracking their data practices in accordance with the CPRA’s requirements on this date. The CPRA contains a look-back provision: when the CPRA comes into effect on January 1, 2023, companies will be required to respond to consumer requests regarding personal information collected during the prior year.
  • July 1, 2022: Deadline for the adoption of final regulations to the CPRA. It is likely that we will not know the final CPRA requirements until this date. It is also possible that the CCPA – which will remain in effect until January 1, 2023 – will be modified by further regulations before this date.
  • January 1, 2023: This is the effective date of the CPRA – the date on which the CPRA replaces the CCPA.
  • July 1, 2023: On this date the CPRA becomes enforceable.

What key changes does the CPRA make to the CCPA?

Increases Threshold for Applicability

Compared with the CCPA, fewer companies will be subject to the CPRA. The CCPA applies to companies that annually buy, receive, sell, or share the personal information of more than 50,000 consumers, households, or devices. The CPRA would increase this threshold to 100,000 and provide that the threshold only applies to the buying, selling, or sharing of personal information relating to consumers or households – not devices.

Creates Additional GDPR-Type Consumer Rights

  • Right to limit use or disclosure of a consumer’s “sensitive personal information”. The CPRA creates a new category of “sensitive personal information,” which includes a consumer’s social security number, certain information relating to financial accounts, and genetic, biometric, or precise geolocation information. A consumer has the right to request that a business limit its use and disclosure of sensitive personal information. However, there are exceptions for sensitive personal information that is collected or processed without the purpose of inferring characteristics about a consumer, and for certain pieces of sensitive personal information that are governed by other laws, such as the Gramm-Leach-Bliley Act (“GLBA”) and Health Insurance Portability and Accountability Act (“HIPAA”).
  • Right to opt out of sharing. The CPRA preserves the consumer’s right to opt out of the sale of their personal information, and adds a new right for consumers to opt out of the sharing of personal information for cross-context behavioral advertising.
  • Right to correct inaccurate personal information. Similar to the European Union’s General Data Protection Regulation (“GDPR”), the CPRA allows a consumer to request that a business correct inaccurate personal information maintained about the consumer.
  • Right to Data Minimization; Data Storage Limitations. Also following the GDPR, the CPRA introduces a data minimization right and data storage limitation requirements: a business should only collect as much personal information as it needs, and it may not store that personal information for longer than it needs.
  • Right to know about and opt out of automated decision-making. CPRA regulations will give consumers access and opt-out rights with respect to a business’s use of automated decision-making technology. Companies will be required to provide meaningful information about the logic involved in automated decision-making processes, as well as a “description of the likely outcome of the process with respect to the consumer.”

Enforcement and Potential Liability

Notably, the CPRA does not substantially expand the CCPA’s private right of action, which will continue to apply only to violations involving a data breach. The CPRA creates a new California Privacy Protection Agency (“Privacy Agency”), which is empowered to impose a fine of $2,500 for each violation of the CPRA, or $7,500 for each intentional violation or each violation involving a consumer under 16 years of age. These fines are not substantially different from the potential penalties under the CCPA. The CPRA eliminates the CCPA’s 30-day cure period, but the Privacy Agency has the discretion to provide a business with a time period in which to cure the alleged violation, taking into account a lack of intent to violate the CPRA and voluntary efforts to cure the alleged violation prior to being notified by the Privacy Agency of a complaint.

Business-to-Business and Employee Exemptions

Under the CCPA, certain personal information obtained in business-to-business transactions or from employees is exempt from many of the CCPA’s requirements (so for example, a company’s employees have fewer rights with respect to their personal information than the company’s end users). The CPRA has extended these exemptions, which were set to expire on January 1, 2022, through January 1, 2023.

Will the CPRA change after today?

As noted in the timeline above, the CPRA directs the California Attorney General and the new Privacy Agency to draft and implement regulations supplementing the CPRA. As we saw with the CCPA, these regulations can have a significant impact on the requirements and specific compliance steps that companies should take. The CPRA requires these final regulations to be issued by July 1, 2022, six months before the CPRA’s effective date. Looking forward, it’s important to note that the CPRA requires that any changes to the CPRA be “consistent with and further the purpose and intent of [the] act.” Practically speaking, this means that any modifications viewed as less protective of consumers’ privacy are likely to face legal challenges. Given that, companies should not plan on any significant loosening of the requirements.

Is there anything we should start doing now to prepare for the CPRA’s effective date?

  • For companies that have worked to become CCPA-compliant: CCPA compliance is still required until January 1, 2023. Before looking ahead, companies should make sure that they have a comprehensive CCPA compliance program in place. As we gain clarity in the coming months and years about the CPRA’s specific requirements, we’ll assist clients with putting together a CPRA plan that prepares companies to be CPRA-compliant on its January 1, 2023 effective date. This plan may involve (i) reviewing and updating data mapping efforts, including tracking of any sensitive personal information, (ii) updating notices (e.g., notice-at-collection, privacy policy), (iii) ensuring mechanisms are in place to enable consumers to exercise new rights under the CPRA (e.g., right to correct inaccurate personal information), and (iv) updating contracts with third parties.
  • For companies that are not yet CCPA-compliant: CCPA compliance is an important first step, and should be a priority for companies that are not currently compliant. If you would like assistance with a CCPA compliance program, please contact us.