CCPA is Now CPRA — Here’s What’s Changed – Toolbox

The most famous U.S. state privacy law, the CCPA gets more teeth in the form of the California Privacy Rights Act (CPRA), which builds upon the foundation and offers additional protections to Californian consumers. The proposed law includes several consumer rights that were missing from the CCPA.

California just voted to toughen the California Consumer Privacy Act (CCPA), henceforth known as the California Privacy Rights Act (CPRA). The expansion brings the privacy law closer to Europe’s GDPR.

On November 3, Californians decisively voted by 56.1%, to pass Proposition 24, which was put forward by Californians for Consumer Privacy, a group founded and headed by Alastair Mactaggart, a real estate mogul who also took the initiative to pass the original CCPA.

Mactaggart said, “With tonight’s historic passage of Prop 24, the California Privacy Rights Act, we are at the beginning of a journey that will profoundly shape the fabric of our society by redefining who is in control of our most personal information and putting consumers back in charge of their own data.”

The CCPA went into effect at the start of this year on January 1 and was enforced on July 1. The law gives more teeth to authorities against companies with lax data privacy practices. The law is applicable to all California residents while compliance is mandatory for both domestic and international companies collecting data on California’s residents.

It applies to companies that:

  • Have gross annual revenues of over $25 million 
  • Generate more than 50% of their annual revenue from the sale of consumers’ (California residents’) personal information
  • Have personal information of 50,000 or more California residents

See Also: From Seat Belts to CCPA: Why Regulations Don’t Kill Innovation

CCPA was marred with loopholes in favor of tech companies, and this is exactly what the 52-page Proposition 24 aims to plug. It packs more clarity around the differences in ‘sharing’ and ‘selling,’ which will result in heftier fines and bring more companies within the scope of law.

Some of the major amendments to the law include:

  • Proposition 24 includes additional categories of sensitive personal information: race, sexual orientation, union membership, and location.
  • Californians can now exercise greater control over their data and can tell companies what they can and can’t use or share. This includes health, finances, race, ethnicity, and precise location data.
  • Clearly defines the differences between selling and sharing. Companies will need to disclose what is shared and what was sold accordingly.
  • Proposition 24 triples the fines to $7,500 for intentional violations against children (under 16 years of age), and $2,500 for each violation. It is important to note that accumulated fines can amount to millions of dollars under a large number of violations. A study found that CCPA compliance could cost organizations $55 billion, so organizations will have to shell out either way.
  • Establishment of the California Privacy Protection Agency to ‘defend these rights and hold companies accountable, and extend enforcement, including imposing penalties for negligence resulting in the theft of consumers’ emails and passwords.’

Lourdes Turrecha, Founder of The Rise of Privacy Tech, and Founder & CEO at PIX LLC said, “It creates a floor and, because of the nature of the ballot initiative process, makes it harder for anti-privacy interest groups to weaken privacy protections in California.” This, along with the establishment of an independent enforcement agency are perhaps the most significant changes in the privacy law.

The passage of CPRA can serve as a signal to other state and the federal governments to follow suit by introducing necessary laws around data privacy. “Californians have sent a message to Washington and beyond that Americans expect our democracy to finally hold the tech sector to account,” said Shoshana Zuboff, author of The Age of Surveillance Capitalism. ”The illegitimate extraction of our personal information and it’s anti-democratic consequences will not be tolerated. We need new law(s) for a new century. Prop24 is now the foundation upon which we will continue to advance this frontier for the sake of a democratic digital future.”

CPRA, which American entrepreneur and 2020 democratic presidential candidate Andrew Yang said will “sweep the country,” will come into force on July 1, 2023. 

Let us know if you liked this news on LinkedIn, Twitter, or Facebook. We would love to hear from you!


Leave a Reply