What You Need to Know About California's New Voter-Approved California Privacy Rights Act

December 15, 2020
Hinshaw Alert

With the ink barely dry on the newly enacted California Consumer Privacy Act (CCPA), California voters have approved The California Privacy Rights Act (CPRA), which significantly amends the CCPA and creates new obligations for covered businesses. While not fully operative until January 2023 and not enforceable until July 2023, CPRA will require organizations currently grappling with CCPA compliance to further strengthen their data collection and privacy practices. CPRA builds on the CCPA, expanding consumer rights over their personal information and clarifying responsibilities for businesses that use such information. CPRA also imposes protections similar to those of the European Union's General Data Protection Regulation (GDPR), a reflection of where U.S. privacy regulation may ultimately be headed.

Noteworthy CPRA Requirements


Businesses subject to the CPRA should begin the process of reviewing their privacy and cybersecurity policies and procedures in light of the new requirements imposed by the new law. They also should update their data maps and inventories to identify SPI and operationalize their obligations concerning that new category of personal information. Business also should review and update their service provider contracts to incorporate provisions required by CPRA.