Months after the California Consumer Protection Act took effect, California voters approved a measure that expands the scope of the regulation, called the California Privacy Rights and Enforcement Act of 2020 (CPRA). Starting January 1st, 2023 with enforcement scheduled for July 1st, it imposes a further obligation on companies to protect consumer data.
The CPRA moves privacy protection to something akin to Europe’s landmark General Data Protection Regulation (GDPR). The key changes to this regulation include:
- Expanded Consumer Rights: This allows California’s residents to correct businesses and the ability to opt out of “cross-context advertising.”
- New Category: The CPRA adds a further definition to Personal information called Sensitive Personal information. This is broad and includes things like social security numbers, licenses, passports, credit cards and other information that can be used against the person. The act creates new obligations to protect these and allows customers to limit their use.
- Data Minimization and security: Like the GDPR, data minimization and security forces businesses to disclose what they need the information for and for how long. It also puts pressure on them to protect their data and create a public disclosure policy.
- Service Providers: The same obligation is also on businesses when they disclose information to providers such as internet and phone companies. The amount of protection require has thus been increased.
The CPRA stands as one of many privacy laws that states will pass in the next few years. Like the GDPR, this law can apply to anyone doing business in the state. Be sure to understand the new regulations and protect your customers data.
Click here for insights into Cyber Liability.
