Startup and video game law, from a Canadian and U.S. perspective



Changes to California’s Privacy Law – Consumer Privacy Rights Act

On November 3, 2020, California voters approved the California Privacy Rights Act (CPRA), which replaces the California Consumer Privacy Act of 2018 (CCPA).

The CPRA expands consumers’ rights regarding protection of personal information. Companies collecting personal data should review the changes to ensure compliance. Indeed, we anticipate that enforcement of these laws will drastically increase when the CPRA comes into effect.

For many companies, the CPRA may not directly apply, but companies may be contractually obligated to comply with the law if they conduct business with large tech firms. As a result, it will be prudent for many companies to comply in order to ensure they can continue to service their clients.

Major changes include:

  1. Enforcement

The CPRA creates the California Privacy Protection Agency, a government body tasked with making the regulations and enforcing the CPRA. It is predicted that the CPRA will increase the level of enforcement because the agency is partially funded by the fines.

  2. No more warnings

The new law eliminates the 30-day cure period provided by the CCPA. The CCPA provided notices to businesses not complying with the law and allowed them to fix the violations within 30 days without having to pay fines. The notice and cure period no longer exists under the CPRA.

  3. Sensitive Personal Information

The CPRA creates a new subcategory of personal information, which includes information such as biometric information and contents of e-mails and texts. Collection of sensitive personal information compels additional disclosure, opt-out and use requirements.

  4. Expansion of Consumer Rights

Consumers now have the right to opt out of businesses sharing and selling their personal information. Under the CCPA, consumers only had the right to opt out of the sale of their personal information. Consumers also have the right to request that businesses delete their personal information, and businesses must notify third parties to delete the personal information as well.

The CPRA will become effective on January 1, 2023, with a look-back period of 12 months, so businesses will need to comply by January 1, 2022.

The CPRA will likely be the foundation for privacy legislation in other states and on a federal level. Similar laws will pass in the near future in many states, including Washington and New York, and on a federal level in both the US and Canada.

In this constantly changing regulatory environment, it will be critical to review your data collection practices and Privacy Policy to ensure that your company remains compliant and to avoid enforcement actions.
