The California Privacy Rights Act of 2020 (CPRA) introduces sweeping changes to the California Consumer Privacy Act of 2018 (CCPA), most of which will become operative as of 1 January 2023 with a “look back” to 1 January 2022.
Some key revisions include:
- A new definition of “sensitive personal information” and detailed obligations regarding the processing of sensitive personal information for non-essential purposes;
- A new and counterintuitive definition of “sharing” personal information and related restrictions aimed at the digital advertising industry;
- New data subject rights to correct inaccurate information, limit the processing of sensitive personal information, and opt out of “sharing” personal information and the use of automated decision-making technology;
- New requirements to include data protection and processing terms in contracts with data recipients and vendors;
- New requirements regarding what privacy notices must include and how they must be furnished to data subjects; and
- The establishment of a new privacy authority, the California Privacy Protection Agency.
Baker McKenzie Partner Lothar Determann and Associate Jonathan Tam recently published a paper in the Journal of Data Protection and Privacy summarizing some of the key revisions that CPRA makes to CCPA and offering practical recommendations on how companies subject to the law must comply. The revised CCPA is just one of myriad privacy laws that companies must take into account when doing business in California. The paper reflects the authors’ opinions only.