CCPA 2.0 is Law, Now What?
In this week’s election, California citizens approved Proposition 24, known as the California Privacy Rights Act (CPRA), or California Consumer Privacy Act (CCPA) 2.0. The CPRA amends some provisions of the CCPA, which became enforceable in July 2020. Both the CPRA and CCPA have many implications for enterprises, with the latter still unfolding.
A New Law, a New Agency
A key aspect of the CPRA is that it establishes a new data protection agency (the California Privacy Protection Agency) that will allow people (individuals or organizations) to file data/privacy-related complaints, according to this Data Counsel article. Consumers, vendors, and consumer advocacy groups can bring complaints to the California Privacy Protection Agency (CPPA), and the agency may investigate possible violations on its own, according to Data Counsel.
The agency will set out to begin the rulemaking process by next summer, and organizations subject to the CPRA will need to monitor the regulation status and prepare for what comes next, Data Counsel explained. CPRA’s regulatory mandates also exceed those of the CCPA and will most likely not be enforceable until July 2023, Data Counsel said.
The California attorney general (AG) and CCPA will have enforcement authority, and the AG can stay any administrative investigation or action, Data Counsel said. Data Counsel also stated that fines collected by the agency will be used to recoup the cost of CPRA enforcement and that there is a five-year statute of limitations.
Vendors, Contracting Requirements
As part of the obligations under the CPRA, businesses are required to have agreements with parties to whom they disclose information, including but not limited to service providers, contractors, and third parties, according to Data Counsel. This also includes organizations that sell or share private information. The CPRA further restricts how service providers process activities, and any business that doesn’t have a contract in place with a data recipient will be in violation of the CPRA, Data Counsel explained.
Data Counsel also re-stated that the CPPA must issue regulations as to which “business purposes, including other notified purposes, for which service providers and contractors may use consumers’ personal information received pursuant to a written contract with a business, for the service provider or contractor’s own business purposes.”
The CPRA also clarifies the types of regulated vendors by adding a new "contractor" category to the previous service provider distinction, according to Data Counsel. While most will be under the service provider classification, it's up to businesses to classify their vendors in such a way, Data Counsel explained.
And just as the full implications of the CCPA took time to realize, we should expect something similar from the CPRA. Until then, tune in to No Jitter for more insight.