California adopts CPRA Greatly expanding the California Consumer Privacy Act CCPA

Nov 09, 2020

While our nation focused on the presidential elections, California’s Proposition 24 quietly passed into law with seismic ramifications to our nation. Approval of Prop. 24 means the California Consumer Privacy Act will be amended to the existing California Privacy Rights Act, establishing a new privacy enforcement agency, new definitions for sensitive data having limits on use and sharing, and expanded liability for companies experiencing a breach of their systems.

This new and major privacy law goes on the books in stages from January 2022 through January 2023. Privacy professionals working for all U.S. companies that do business with California residents need to pay attention. Hintze Law Managing Partner Susan Hintze, CIPP/US, CIPT, FIP, offered some first-step advice: “First thing I would do as a privacy pro is educate leadership about the increased risks and request more funding. “

Prop. 24 faced an array of opposition, most notably from the American Civil Liberties Union of Northern California and the advertising technology industry. Opposition intensified because of the grip which Covid-19 has on our nation. Costs associated with this new ‘regime’ will be borne by hard-hit businesses and consumers.

At the time of this ballot, there were still many regulatory aspects of the original CCPA which required clarification. The state’s new enforcement agency, the California Privacy Protection Agency will be vested with full administrative power, authority, and jurisdiction to implement and enforce the CCPA, as amended by the CPRA. Rulemaking is sure to follow, after the five agency members are seated.

While the future of proposed federal privacy laws requires a political oracle, California’s intensification of its privacy regulations affects all 50 states who have customers in California. In addition, the Federal Trade Commission has been active in recent years enforcing privacy, based on their ‘fair practices’ doctrine. According to a just-announced FTC complaint, Zoom allegedly engaged in deceptive and unfair practices that misled consumers about the security of their communications on the platform and that put certain users at risk when the company undermined a security feature built into the Safari browser[2].

I have studied privacy and been certified with the same credentials which Susan (quoted above) carries. My job is to assist companies fulfill their obligation to satisfy these laws. I serve them, knowing full well, the values and importance of privacy, but I do not envy the position they are in.