In California the California Privacy Rights Act (CPRA) ballot initiative has been passed after winning the approval of 56% of votes.
This means that Californiance Consumers Privacy Act will be amended to incorporate additional rights for the consumer. Along with this there will new requirements in relation to processing and protecting personal information while also clarifying definitions of certain aspects of the legislation. A California state guide, published in the run-up to the vote, referred to the new legislation as “a way for consumers to prevent businesses from sharing personal information, correct inaccurate personal information, and limit businesses’ use of ‘sensitive personal information,’ including precise geolocation, race, ethnicity, and health information.” In addition to this it allowed for the creation of the the California Privacy Protection Agency.
As a result of this there will be pressure on all business in the state to ensure that all activities they carry out are legally compliant. There is some time to complete the process of achieving compliance as the CPRA amendments will not become active until January 1, 2023 with enforcement beginning later that same year on July 1. However exemptions for business contacts, employees, job applicants, owners, directors, officers, medical staff members and independent contractors that are currently active under CCPA will remain so until December 31, 2022.
It is envisaged that the newly established California Privacy Protection Agency will implement final regulations on or by July 1, 2022.
The main changes that are being introduced with the CPRA are the right to correct personal information, the right to prevent the use of sensitive personal information, and the right to opt out of personal information being shared to third parties. This enhances the existing rights of the CCPA for the consumer to be aware of, delete or opt out of the sale of personal information.
Last August, following publication of the proposed amendments, California Attorney General Xavier Becerra said in a statement: “With these rules finalized, California breaks ground and leads the nation to protect and advance data privacy.”
Alastair Mactaggart, chair of Californians for Consumer Privacy and Proposition 24 sponsor, speaking after the passing of the Act, said: “We are at the beginning of a journey that will profoundly shape the fabric of our society by redefining who is in control of our most personal information and putting consumers back in charge of their own data. “I’m looking forward to the work ahead and the next steps in implementing this law, including setting up a commission that is dedicated to protecting consumers online.”
The onus is not on all companies to move quickly to ensure that they are compliant as early as possible. As was the case the introduction of other data privacy legislative acts around the would, including CCPA and GDPR, those companies that adapted early suffered less stress, business interruptions and concerns relating to possible regulatory fines.