{"id":2889,"date":"2020-11-05T11:08:00","date_gmt":"2020-11-05T17:08:00","guid":{"rendered":"https:\/\/trustarc.com\/?post_type=resource&#038;p=2889"},"modified":"2024-12-12T12:51:03","modified_gmt":"2024-12-12T18:51:03","slug":"california-privacy-rights-act","status":"publish","type":"resource","link":"https:\/\/trustarc.com\/resource\/california-privacy-rights-act\/","title":{"rendered":"California Privacy Rights Act will be Enforced \u2013 Be Ready"},"content":{"rendered":"\t\t<section id=\"block_f31433e7c98c00b89f9a5ba4442e1cbb\" class=\"resource-intro intro-simple\">\n\t\t\t<div class=\"container\">\n\t\t\t\t\t\t\t\t\t<strong class=\"sub-title block uppercase\">Articles<\/strong>\n\t\t\t\t\t\t\t\t\t\t<h1>California Privacy Rights Act will be Enforced \u2013 Be Ready<\/h1>\n\t\t\t\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\n\n\t<section id=\"block_0203cdc3f592609f18d39b89cad13be2\" class=\"columns-content\">\n\t\t<div class=\"container\">\n\t\t\t<div class=\"left\">\n\t\t\t\t\t\t\t<\/div>\n\t\t\t<div class=\"middle\">\n\t\t\t\t<div class=\"content\">\n\t\t\t\t\t<h2>California Proposition 24 adopted<\/h2>\n<p>On November 3, 2020, the Golden State voted in favor of Proposition 24, thus expanding the State\u2019s privacy legislation with a new set of rules. The law passed with 56.1% of the vote, despite being debated heavily.<\/p>\n<p>Surprisingly, civil rights organizations such as\u00a0<a href=\"https:\/\/www.aclunc.org\/blog\/californians-should-vote-no-prop-24\" target=\"_blank\" rel=\"noopener\">the ACLU came out in opposition to the Proposition<\/a>.<\/p>\n<p>Privacy prevailed, and on January 1, 2023, the\u00a0<a href=\"https:\/\/blog.trustarc.com\/2020\/08\/18\/ccpa-regulations-take-effect\/\" target=\"_blank\" rel=\"noopener\">California Consumer Privacy Act (CCPA)<\/a>\u00a0will be succeeded by the California Privacy Rights Act (CPRA) with a one-year look back to January 2022.<\/p>\n<h2>What does the California Privacy Rights Act (CPRA) entail?<\/h2>\n<p>The CPRA intends to amend the CCPA by adding new definitions, new individual rights, and broadening the enforcement elements of the CCPA.<\/p>\n<h4>As was the case with the CCPA, there are still a lot of details to be ironed out in the coming months to ensure the CPRA can be fully operational in 2023.<\/h4>\n<p>However, quite a few of the changes are already clear.<\/p>\n<h3>Sensitive personal information<\/h3>\n<p>CPRA introduces the concept of sensitive personal information, which requires more data protection than regular personal information.<\/p>\n<p>Sensitive information includes\u00a0identification numbers like<\/p>\n<ul>\n<li>social security,<\/li>\n<li>driver\u2019s license,<\/li>\n<li>identity card or passport number,<\/li>\n<li>account credentials,<\/li>\n<li>credit card details,<\/li>\n<li>the precise geolocation of a consumer,<\/li>\n<\/ul>\n<p>And the content of communications via mail, email, and text messages (if a business is not the recipient of the communication).<\/p>\n<p>As well as GDPR-aligned data elements like religious or philosophical beliefs, union membership, health, genetic and biometric data, and information related to an individual\u2019s sex life or sexual orientation.<\/p>\n<p>Under the CPRA, a consumer will have the right to direct a business not to use or disseminate their sensitive information.<\/p>\n<p>If so directed, the business may only use the bare minimum of already collected sensitive personal information that would be needed to deliver the agreed goods or services to the consumer.<\/p>\n<h3>The right to deletion<\/h3>\n<p>This right is already included in the CCPA and will be extended ensuring that service providers will cooperate with the deletion of personal information, and allowing business to keep a confidential record of deletion requests for future reference.<\/p>\n<h3>A right of correction<\/h3>\n<p>CPRA introduces a right of correction, allowing consumers to request the correction of inaccurate personal information.<\/p>\n<p>It is further clarified that\u00a0<strong>businesses may not\u00a0<\/strong><strong>\u2018punish\u2019<\/strong><strong>\u00a0a consumer for exercising their individual rights under the CPRA<\/strong>.<\/p>\n<p>The exception to allow businesses to run loyalty programs and offer premium discounts in return for personal information, is made more explicit in the law.<\/p>\n<h3>Consumers will get access to more data<\/h3>\n<p>A data access request is not limited to just the data collected in the 12 months preceding the consumer\u2019s request.<\/p>\n<p>This does not mean that companies will be forced to retain data longer than they usually do.<\/p>\n<p>But it may mean that if personal information is retained for 24 months, access will also need to be provided for all data collected and used during those 12 months.<\/p>\n<p><strong>This obligation will apply to all data collected after 1 January 2022<\/strong>. And the intended\u00a0<i>retention period<\/i>\u00a0for personal information needs to be disclosed in the privacy notice.<\/p>\n<h3>Concept of purpose limitation<\/h3>\n<p>CPRA introduces the concept of\u00a0purpose limitation\u00a0into the law, ensuring personal information can only be processed for pre-determined specific, explicit, and legitimate purposes.<\/p>\n<p>Data collection will also need to be limited to what is\u00a0<i>necessary and proportionate<\/i>.<\/p>\n<h3>New cross-contextual behavioral advertising and dark pattern limitation<\/h3>\n<p>Another new limitation relates to cross-context behavioral advertising and the use of so-called <a href=\"https:\/\/trustarc.com\/resource\/ux-dark-patterns-consent-data-collection\/\">dark patterns or deceptive patterns<\/a>.<\/p>\n<p>Cross-context behavioral advertising means that advertising publishers can build a profile of an individual, to use as part of their advertising efforts.<\/p>\n<p>Under CPRA, individuals will get the possibility to opt-out of such data collections, also because the\u00a0<i>definition of a sale<\/i>\u00a0is expanded to also include the sharing of information without payment.<\/p>\n<p><strong>In short:<\/strong>\u00a0individuals get a right not to be tracked online if they so wish. To make this even easier, consumers may not be nudged towards accepting the processing of their personal information by the visual presentation of privacy preferences.<\/p>\n<p><strong>Examples include:<\/strong> offering a large, bright colored \u201caccept all\u201d button, and a much smaller and less conspicuous link to change data collection preference.<\/p>\n<h3>Extended data breach requirements<\/h3>\n<p>Personal information that is both non-encrypted and non-redacted, as well as the combination of an email address and password or security question and answer allowing access to an account that is subject to unauthorized access, is considered a data breach.<\/p>\n<p>Under the CPRA, individuals have the right to claim compensation and other relief that is considered necessary by a court. Companies may also face administrative enforcement for breaches caused by insufficient data security.<\/p>\n<h3>California gets a new enforcement agency<\/h3>\n<p>From the\u00a0enforcement\u00a0perspective, the\u00a0<strong>CPRA introduces a new enforcement agency in California<\/strong>, comparable to data protection supervisory authorities elsewhere in the world.<\/p>\n<p>The\u00a0<a href=\"https:\/\/cppa.ca.gov\/\" target=\"_blank\" rel=\"noopener\">California Privacy Protection Agency (CPPA)<\/a>\u00a0will consist of the five persons board, two of which will be appointed by the California Governor and the other members by the California Assembly, the Senate and the Attorney General.<\/p>\n<p>The CPPA will, among other things, be allowed to investigate violations of the law, conduct hearings and compel testimony, issue cease and desist orders as well as issue monetary sanctions.<\/p>\n<p>Lastly, the CPPA will also provide further guidance on the application and implementation of the CPRA.<\/p>\n<h3>How can you prepare for the CPRA?<\/h3>\n<p>Although some of the supporting provisions of the CPRA, including the establishment of the CPPA have already come into force, the main criteria won\u2019t apply until January 2023.<\/p>\n<p>This includes an extension of the current exception for employee data in the CCPA, until 2023. But keep in mind, companies operating in California will need a process in place for handling employee privacy as well.<\/p>\n<p>Start by documenting the purposes for your data processing and which personal information is necessary and proportionate to achieve those purposes.<\/p>\n<p>It will also be helpful to document which categories of sensitive personal information are being processed.<\/p>\n\t\t\t\t\t\t\t\t\t<div class=\"question-box-multiple\">\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t<div class=\"question-box bg-dark\">\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t<div class=\"icon\">\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t<img decoding=\"async\" src=\"https:\/\/trustarc.com\/wp-content\/uploads\/2024\/02\/icon_Online-Privacy_Small.svg\" class=\"attachment-full size-full\" alt=\"\" \/>\t\t\t\t\t\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t<h4>Nymity Research<\/h4>\n\t\t\t\t\t\t\t\t\t\t\t\t\t<p>Get detailed insights, tools, and templates to help you manage the CPRA and other regulations.<\/p>\n<a href=\"https:\/\/trustarc.com\/free-trial\/nymity-research\/\" class=\"cta\">Start today<\/a>\t\t\t\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t<div class=\"question-box bg-dark\">\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t<div class=\"icon\">\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t<img decoding=\"async\" src=\"https:\/\/trustarc.com\/wp-content\/uploads\/2024\/02\/icon_Update_Small.svg\" class=\"attachment-full size-full\" alt=\"\" \/>\t\t\t\t\t\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t<h4>Automate Your Privacy Program<\/h4>\n\t\t\t\t\t\t\t\t\t\t\t\t\t<p>Centralize privacy tasks, automate your program, and seamlessly align with laws and regulations.<\/p>\n<a href=\"https:\/\/trustarc.com\/products\/privacy-data-governance\/privacycentral\/\" class=\"cta\">Learn more<\/a>\t\t\t\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t\t\t\t\t\t\t\t\t\t<\/div>\n\t\t\t<\/div>\n\t\t\t<div class=\"right sm\">\n\t\t\t\t<div class=\"share-it\">\n\t\t\t\t\t<strong class=\"title block uppercase\">Follow us<\/strong>\n\t\t\t\t\t<div class=\"soc-list\">\n\t\t\t\t\t\t<a href=\"https:\/\/www.linkedin.com\/company\/trustarc\/\" target=\"_blank\"><img decoding=\"async\" src=\"https:\/\/trustarc.com\/wp-content\/themes\/trustarc\/assets\/dist\/images\/li-dark.svg\" alt=\"\" \/><\/a>\n\t\t\t\t\t\t<a href=\"\nhttps:\/\/twitter.com\/TrustArc\" target=\"_blank\"><img decoding=\"async\" src=\"https:\/\/trustarc.com\/wp-content\/themes\/trustarc\/assets\/dist\/images\/tw-dark.svg\" alt=\"\" \/><\/a>\n\t\t\t\t\t\t<a href=\"javascript:;\" id=\"copy-url\"><img decoding=\"async\" src=\"https:\/\/trustarc.com\/wp-content\/themes\/trustarc\/assets\/dist\/images\/link-dark.svg\" alt=\"\" \/><\/a>\n\t\t\t\t\t\t<span class=\"copied\" style=\"display:none;\">Link Copied!<\/span>\n\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t\t\t\t\t<div class=\"key-topics\">\n\t\t\t\t\t\t<strong class=\"title block uppercase\">Key Topics<\/strong>\n\t\t\t\t\t\t<ul>\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t<li><a href=\"https:\/\/trustarc.com\/topic-resource\/ccpa-cpra\/\" class=\"badge\">CCPA\/CPRA<\/a><\/li>\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t<li><a href=\"https:\/\/trustarc.com\/topic-resource\/us-consumer-privacy-laws\/\" class=\"badge\">US Consumer Privacy Laws<\/a><\/li>\n\t\t\t\t\t\t\t\t\t\t\t\t\t<\/ul>\n\t\t\t\t\t<\/div>\n\t\t\t\t\t\t\t\t<div class=\"cta-area\">\n\t\t\t\t\t<p>Get the latest resources sent to your inbox<\/p>\n\t\t\t\t\t<a href=\"\/subscription-center\/\" class=\"cta\">Subscribe<\/a>\n\t\t\t\t<\/div>\n\t\t\t<\/div>\n\t\t<\/div>\n\t<\/section>\n\t","protected":false},"excerpt":{"rendered":"<p>California Proposition 24 passed, thus expanding the State\u2019s privacy legislation with new rules. What does the California Privacy Rights Act (CPRA) entail?<\/p>\n","protected":false},"featured_media":1254,"template":"","topic-resource":[75,114],"type-resource":[6],"class_list":["post-2889","resource","type-resource","status-publish","has-post-thumbnail","hentry","topic-resource-ccpa-cpra","topic-resource-us-consumer-privacy-laws","type-resource-articles"],"acf":[],"yoast_head":"<!-- This site is optimized with the Yoast SEO Premium plugin v27.4 (Yoast SEO v27.4) - https:\/\/yoast.com\/product\/yoast-seo-premium-wordpress\/ -->\n<title>California Privacy Rights Act will be Enforced \u2013 Be Ready | TrustArc<\/title>\n<meta name=\"description\" content=\"California Proposition 24 passed, thus expanding the State\u2019s privacy legislation with new rules. What does the California Privacy Rights Act (CPRA) entail?\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/trustarc.com\/resource\/california-privacy-rights-act\/\" \/>\n<meta name=\"twitter:label1\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data1\" content=\"1 minute\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\\\/\\\/schema.org\",\"@graph\":[{\"@type\":\"WebPage\",\"@id\":\"https:\\\/\\\/trustarc.com\\\/resource\\\/california-privacy-rights-act\\\/\",\"url\":\"https:\\\/\\\/trustarc.com\\\/resource\\\/california-privacy-rights-act\\\/\",\"name\":\"California Privacy Rights Act will be Enforced \u2013 Be Ready | TrustArc\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/trustarc.com\\\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\\\/\\\/trustarc.com\\\/resource\\\/california-privacy-rights-act\\\/#primaryimage\"},\"image\":{\"@id\":\"https:\\\/\\\/trustarc.com\\\/resource\\\/california-privacy-rights-act\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/trustarc.com\\\/wp-content\\\/uploads\\\/2024\\\/01\\\/res-feat-plus-pink-test.png\",\"datePublished\":\"2020-11-05T17:08:00+00:00\",\"dateModified\":\"2024-12-12T18:51:03+00:00\",\"description\":\"California Proposition 24 passed, thus expanding the State\u2019s privacy legislation with new rules. What does the California Privacy Rights Act (CPRA) entail?\",\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\\\/\\\/trustarc.com\\\/resource\\\/california-privacy-rights-act\\\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/trustarc.com\\\/resource\\\/california-privacy-rights-act\\\/#primaryimage\",\"url\":\"https:\\\/\\\/trustarc.com\\\/wp-content\\\/uploads\\\/2024\\\/01\\\/res-feat-plus-pink-test.png\",\"contentUrl\":\"https:\\\/\\\/trustarc.com\\\/wp-content\\\/uploads\\\/2024\\\/01\\\/res-feat-plus-pink-test.png\",\"width\":610,\"height\":152},{\"@type\":\"WebSite\",\"@id\":\"https:\\\/\\\/trustarc.com\\\/#website\",\"url\":\"https:\\\/\\\/trustarc.com\\\/\",\"name\":\"TrustArc\",\"description\":\"\",\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\\\/\\\/trustarc.com\\\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"}]}<\/script>\n<!-- \/ Yoast SEO Premium plugin. -->","yoast_head_json":{"title":"California Privacy Rights Act will be Enforced \u2013 Be Ready | TrustArc","description":"California Proposition 24 passed, thus expanding the State\u2019s privacy legislation with new rules. What does the California Privacy Rights Act (CPRA) entail?","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/trustarc.com\/resource\/california-privacy-rights-act\/","twitter_misc":{"Est. reading time":"1 minute"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"WebPage","@id":"https:\/\/trustarc.com\/resource\/california-privacy-rights-act\/","url":"https:\/\/trustarc.com\/resource\/california-privacy-rights-act\/","name":"California Privacy Rights Act will be Enforced \u2013 Be Ready | TrustArc","isPartOf":{"@id":"https:\/\/trustarc.com\/#website"},"primaryImageOfPage":{"@id":"https:\/\/trustarc.com\/resource\/california-privacy-rights-act\/#primaryimage"},"image":{"@id":"https:\/\/trustarc.com\/resource\/california-privacy-rights-act\/#primaryimage"},"thumbnailUrl":"https:\/\/trustarc.com\/wp-content\/uploads\/2024\/01\/res-feat-plus-pink-test.png","datePublished":"2020-11-05T17:08:00+00:00","dateModified":"2024-12-12T18:51:03+00:00","description":"California Proposition 24 passed, thus expanding the State\u2019s privacy legislation with new rules. What does the California Privacy Rights Act (CPRA) entail?","inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/trustarc.com\/resource\/california-privacy-rights-act\/"]}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/trustarc.com\/resource\/california-privacy-rights-act\/#primaryimage","url":"https:\/\/trustarc.com\/wp-content\/uploads\/2024\/01\/res-feat-plus-pink-test.png","contentUrl":"https:\/\/trustarc.com\/wp-content\/uploads\/2024\/01\/res-feat-plus-pink-test.png","width":610,"height":152},{"@type":"WebSite","@id":"https:\/\/trustarc.com\/#website","url":"https:\/\/trustarc.com\/","name":"TrustArc","description":"","potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/trustarc.com\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"}]}},"_links":{"self":[{"href":"https:\/\/trustarc.com\/wp-json\/wp\/v2\/resource\/2889","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/trustarc.com\/wp-json\/wp\/v2\/resource"}],"about":[{"href":"https:\/\/trustarc.com\/wp-json\/wp\/v2\/types\/resource"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/trustarc.com\/wp-json\/wp\/v2\/media\/1254"}],"wp:attachment":[{"href":"https:\/\/trustarc.com\/wp-json\/wp\/v2\/media?parent=2889"}],"wp:term":[{"taxonomy":"topic-resource","embeddable":true,"href":"https:\/\/trustarc.com\/wp-json\/wp\/v2\/topic-resource?post=2889"},{"taxonomy":"type-resource","embeddable":true,"href":"https:\/\/trustarc.com\/wp-json\/wp\/v2\/type-resource?post=2889"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}