On November 3, 2020, California voters approved the California Privacy Rights Act (“CPRA” or the “Act”). The CPRA is sometimes referred to as “CCPA 2.0” because it includes a number of revisions to the California Consumer Privacy Act (CCPA) while adding new privacy and security obligations for covered businesses. The revisions bring the CCPA closer to the European Union’s General Data Protection Regulation (GDPR) by adding a right to correction, restrictions on the collection and retention of data, a special category of “sensitive data,” rights relating to automated decision making, expanding security requirements and creating a dedicated privacy authority. The substantive provisions become operable on January 1, 2023, and enforceable on July 1, 2023. Enforcement shall only apply to violations occurring on or after July 1, 2023.
Key provisions of CPRA include:
Extends Exemption for B2B and Employee Data
The current exemption for all business-to-business data and partial exemption for employee data will be extended to January 1, 2023. Covered employers are still required to provide applicants, employees and contractors with an initial disclosure, at or before the point of collection, identifying the categories of personal information collected and the purposes for which the categories of personal information shall be used. Employees may also have a right to statutory damages in the event of a data breach caused by a failure to implement reasonable security measures. See our Alertfor more detailed information on the scope of employer obligations under the CCPA.