by Jim Halpert, Andrew A. Kingman and Andrew Serwin

As the business community takes stock of the 2020 election results, it should place particular significance on the passage of Proposition 24, the California Privacy Rights Act (CPRA), by about a 12 percent margin. The CPRA makes significant changes to the California Consumer Privacy Act (CCPA), which was originally passed by the California legislature in 2018. However, the CPRA does not take effect until January 1, 2023, giving businesses a bit more than two years to prepare.

The CPRA adds new obligations on both businesses and service providers, adds some important new definitions, and creates new liability risks, while clarifying some operationally difficult aspects of the CCPA. Importantly, it also mandates the creation of a new agency to enforce privacy violations, which should increase enforcement. Finally, the CPRA limits the ability of the legislature to amend the law.

Learn more about the 52-page initiative in our recent Data Protection, Privacy and Security Alert here.