On November 3, 2020, California's existing but still relatively new privacy law, California Consumer Privacy Act ("CCPA"), which became effective only 11 months earlier, was subsequently amended by the California Privacy Rights Act ("CPRA"), also referred to as Prop 24. The CPRA includes additional consumer privacy protections for California consumers, and went into effect on January 1, 2023.
While the CPRA is already in effect, many businesses have been waiting for the final release of the associated regulations, which are set to be released in April 2023.
At a glance, the CPRA extends special California privacy rights to employees and not just to customers. The CPRA now introduces a new category of sensitive personal information subject to its own set of rules. In addition, under the CPRA, California customers and employees have the right to opt out of profiling and limiting the use of their sensitive personal information, among certain other rights.
Does this apply to my organization?
If your organization is a for-profit business that does business in California (even if not incorporated, headquartered or has a physical presence in California) and your organization generates $25 million in annual gross revenue or more, processes data of at least 100,000 consumers, households, or devices with collected, bought, received, sold or shared personal information of California consumers; or at least 50% of the annual gross revenue of your organization comes from the sale of personal information of California consumers, then it is likely that your organization needs to comply with the law.
Be sure to get into compliance.
California has already established a new commission called the California Privacy Protection Agency (in addition to the California's Attorney General Office) to enforce these new laws legally. As of July 2022, only 11% of US businesses fully complied with California's privacy law. Civil penalties can run as high as $7,500 per violation, and California continues to be very active in pursuing investigations and imposing fines on businesses that are not compliant.
We recommend contacting the author or your trusted Gordon & Rees attorney to verify that your company’s policies and practices are in compliance.