As you may be aware, California voters recently passed ballot Proposition 24, the California Privacy Rights Act of 2020 (“CPRA”).
The new CPRA regulation, also commonly known as “CCPA 2.0”, goes into effect on January 1, 2023 and extends privacy protections to California Consumers above and beyond the current CCPA framework, the new CA privacy law that just went into effect earlier this year.
Many of the new protections offered by both CCPA and CCPA 2.0 continue to be inspired by GDPR, an EU law on data protection and privacy that has become a model for further privacy laws adopted across the globe.
The original CCPA framework, which went into effect on January 1, 2020, empowers consumers to find out what personal information is collected about them, how it is used, who it is shared with or sold to, and to make informed choices about how their data is managed (including the ability to opt out, delete, or request to know what personal information a business is collecting about them).
The Good and The Bad
But wait…we already have CCPA to provide California consumers with privacy protections, so why exactly do we need CCPA 2.0?
Advocates of the new CPRA regs emphasize that CCPA doesn’t go far enough, citing loopholes which allow certain businesses to get around the new restrictions. They believe the new CCPA 2.0 provisions plug those gaps and could become a model for the rest of the country.
As an example, CCPA provides users with the right to opt out of the “sale” of their data. But some tech companies argue that certain transfers of user information which raise privacy concerns don’t actually amount to ‘sales’ per se, as there’s no exchange of money (such as with cross-context behavioral advertising). The new provisions fill this crack by expanding the CCPA’s obligations, formerly limited to the ‘sale’ of data, to include a newly defined concept of data ‘sharing’.
Aside from new rights to prevent businesses from sharing their information, the new provisions would provide consumers the ability to correct inaccurate personal information, and limit businesses’ use of “sensitive personal information,” including precise geolocation, race, ethnicity, and health information. It also establishes a new California Privacy Protection Agency to oversee compliance and enforcement of the new rules.
On the flip side, critics of CPRA voice concerns that the new rules may encourage what some call “pay for privacy” where businesses may charge users more if they opt out of sharing of their information. This model may disproportionally affect lower income consumers and households, who should not have to compromise their privacy needs.
Another ongoing concern is the hodge-podge of privacy laws that are bound to follow across all 50 states in the absence of any single federal privacy law. This de-centralized approach to privacy rule-making may not only confuse and overwhelm consumers, but will also add further strains to businesses, many of which just spent the last couple years updating privacy programs and processes to comply with CCPA.
With CCPA having been live for only months, critics are also concerned that we need more time to figure out exactly what is and isn’t working with CCPA before rolling out an entirely new CCPA 2.0 privacy framework.
That said, regardless of where you stand on this topic, CPRA is here to stay, so let’s take a look at what it means for consumers and businesses.
What does CCPA 2.0 mean for Consumers?
The CPRA introduces a number of new consumer rights, above and beyond the current CCPA regulations. Here are some areas of note among the new provisions:
Which businesses must comply with CPRA?
CCPA 2.0 includes slight changes to which entities qualify as a ‘covered business’ under the new regulations. Any companies which collect consumers’ personal information and do business in California are subject to CPRA, if they satisfy one or more of the below criteria:
What must Covered Businesses do to comply?
Companies will likely need to implement new processes, procedures and policies and train their employees to accommodate the new consumer rights and provisions described above. Additionally, the regulation may require Businesses to take further actions to address these additional requirements:
So now that the ballot initiative has passed, when will this all happen? Here’s what Throtle expects so far with respect to CPRA timelines:
At Throtle we strongly support consumer privacy rights and transparency and are committed to implementing the necessary enhancements to achieve full compliance with CPRA before it goes into effect on January 1, 2023. We will continue to actively monitor CPRA for the latest developments and expect to have further updates once the rulemaking activity is underway.
Please note that this blog post should not be taken as legal advice and we strongly encourage you to consult with your respective legal counsel for guidance on CPRA compliance.