On Nov. 3, 2020, California voters approved the California Privacy Rights Act (CPRA) expanding and modifying privacy rights under the California Consumer Privacy Act (CCPA), which went into effect on Jan. 1, 2020.

The CPRA becomes operative on Jan. 1, 2023 and will apply to personal information collected after Jan. 1, 2022. Civil and administrative enforcement will commence on July 1, 2023. The CPRA establishes the California Privacy Protection Agency which becomes the first privacy protection enforcement agency of its kind in the United States.  

The CPRA will apply to businesses that: (1) in the preceding calendar year had an annual gross revenue of $25 million; (2) annually buy, sell or share the personal information of 100,000 consumers or households; or (3) derive 50% or more of its annual revenue from selling or sharing consumers’ personal information.  The CPRA has expanded its reach to now include those businesses deriving at least 50% of their annual revenue from selling and/or sharing information. The annual buy, sell, or share threshold under CCPA is currently 50,000 and includes devices, but that number has been increased to 100,000 and does not include devices, which may alleviate some of the burden on small businesses when the CPRA goes into effect.  

The CCPA regulates “service providers” and “third parties.” A “service provider” is an entity that processes consumer personal information on behalf of a business pursuant to a written contact. A “third party” is not the business that collects consumer personal information nor is it a person to whom the business discloses a consumer’s personal information pursuant to a written contract which is to contain very specific provisions regarding the handling of personal information.  The CPRA adds a new category of regulated entities – contractors.  A “contractor” is “a person to whom the business makes available a consumer’s personal information for a business purpose pursuant to a written contract.”  Contracts involving service providers, contractors, and third parties must contain very specific provisions and are set forth in the statute.  

Organizations subject to the CPRA must:  (1) have a specific and legitimate business purpose for collecting, using, retaining or sharing the personal information and the processing must not be inconsistent with the stated purpose; (2) limit the personal data to information which is reasonably necessary for the stated business purpose; and (3) store the data no longer than reasonably necessary.  
The CPRA creates a new data set called “sensitive personal information” which has a variety of specific fields, including, but not limited to racial origin, religious affiliation, financial information, account credentials, precise geolocation, and sexual orientation.

The CPRA expands and modifies the CCPA’s existing consumer rights provisions in addition to creating new protections for California consumers.  

Organizations subject to California’s laws should ensure that they undertake a thorough and comprehensive evaluation of the California’s consumer privacy protection laws and implement a robust compliance strategy. Below are some considerations:

• Consult with legal counsel to determine whether your organization is subject to the CPRA’s compliance obligations.

• Ensure that your compliance strategy includes consideration of all potentially applicable privacy protection laws, including international,
federal, state and local regulations.

• Establish a team within your organization, including members from legal, IT, operations and finance to evaluate your data collection, use, and retention practices and create a course of action specific to your organization’s needs and its compliance obligations.

• Evaluate contracts with entities that have access to data and are performing services for your organization, as well as contracts with customers to whom you are providing services.

• Plan for and establish a budget dedicated to compliance efforts, including allocations for implementing risk transfer mechanisms such as cyber insurance.

Teena Hostovich is vice chair of Lockton Pacific. Maryam Rad, vice president insurance & claims counsel of Lockton Insurance Brokers, LLC, generously contributed to this article. For more information about the new regulations, visit Lockton’s Global Cyber & Technology Practice at lockton.com/global-cyber-technology-practice or call (213) 689-0065.



Return to Event Page

For reprint and licensing requests for this article, CLICK HERE.