· The CPRA was established by the California Privacy Protection Agency
· There are changes in the criteria for which business are regulated since CCPA
· There are new consumer rights
· There is a category of sensitive personal information with stronger obligations and rights
· "Do not sell my data" will be "Do not sell or share my data"
· There is an extension of the requirements of consent
On 3 November 2020, California citizens voted and directly approved the enactment of the Proposition 24 or officially the California Privacy Rights Act of 2020 (CPRA), which amends and expands the existing California Consumer Privacy Act (CCPA) that became effective on 1 January 2020. In a nutshell, being GDPR-inspired, the CPRA creates new consumers rights, modifies existing ones, introduce a new category of sensitive personal information, alters the scope of application and establishes a dedicated privacy protection authority. The CPRA will become effective on 1 January 2023, applying though to personal information already collected by businesses on or after 1 January 2022.
The CPRA changes the criteria for which business are regulated. In particular, the CPRA doubles the threshold number of consumers or households (no reference to devices anymore) from 50,000 to 100,000, resulting thus to the exclusion of small and medium businesses. Furthermore, it expands the applicability of the privacy laws to businesses that generate their revenue not just from selling but also from sharing personal information.
Moreover, the exemption envisaged in the CCPA that its obligations upon the businesses would not apply to employment and business-to-business data until 31 December 2021, is now extended for an additional year, until 31 December 2022, and they will fully expire on 1 January 2023.