On November 3, the California Privacy Rights and Enforcement Act (“CPRA”) was voted into law with close to 56 percent of California voters supporting the measure. The CPRA is the latest comprehensive privacy law to pass in California and it significantly amends the currently effective California Consumer Privacy Act (CCPA). Among other things, the CPRA creates additional obligations for companies collecting and sharing “sensitive” personal information, as well as a new agency, the California Privacy Protection Agency, that will be responsible for enforcing violations of the new law. We have previously written about the CPRA and its requirements here.
The substantive requirements for businesses subject to the CPRA do not go into effect until January 1, 2023, and these provisions are not enforceable until July 1, 2023. Additionally, most of these substantive requirements (with the exception of the “Right to Know” obligations) only apply to personal information that businesses collect after January 1, 2022. Meanwhile, the CCPA’s employee and B2B exemptions (which the California legislature recently extended to January 1, 2022) are now extended to January 1, 2023. Other provisions of the law that go into effect immediately are the authority of the California Attorney General to develop regulations to clarify certain portions of the CPRA and the creation of the California Privacy Protection Agency.