Search for:

In brief

The California Privacy Rights Act of 2020 (CPRA) introduces sweeping changes to the California Consumer Privacy Act of 2018 (CCPA), most of which will become operative as of 1 January 2023 with a “look back” to 1 January 2022.


Some key revisions include:

  • A new definition of “sensitive personal information” and detailed obligations regarding the processing of sensitive personal information for non-essential purposes;
  • A new and counterintuitive definition of “sharing” personal information and related restrictions aimed at the digital advertising industry;
  • New data subject rights to correct inaccurate information, limit the processing of sensitive personal information, and opt out of “sharing” personal information and the use of automated decision-making technology;
  • New requirements to include data protection and processing terms in contracts with data recipients and vendors;
  • New requirements regarding what privacy notices must include and how they must be furnished to data subjects; and
  • The establishment of a new privacy authority, the California Privacy Protection Agency.

Baker McKenzie Partner Lothar Determann and Associate Jonathan Tam recently published a paper in the Journal of Data Protection and Privacy summarizing some of the key revisions that CPRA makes to CCPA and offering practical recommendations on how companies subject to the law must comply. The revised CCPA is just one of myriad privacy laws that companies must take into account when doing business in California. The paper reflects the authors’ opinions only.

Click here to read the full paper.

Author

Jonathan Tam is an associate in Baker & McKenzie´s Toronto office. He advises clients on regulatory compliance, with experience in the areas of global privacy, information technology, cyberlaw, international trade and commerce, intellectual property and telecommunications. He has co-authored multiple publications focusing on accountability in the privacy context, and routinely coordinates multijurisdictional projects aimed at ensuring that clients’ global operations safely comply with applicable local requirements.