CPRA Could Bring Stricter Data Privacy Enforcement: Here’s How To Prepare
November 17, 2020
California’s passage of the California Privacy Rights Act (CPRA) on November 3 builds upon the California Consumer Privacy Act (CCPA). The EU’s privacy regulation, GDPR, is the gold standard in terms of data privacy laws, and CPRA gets closer to that standard by reflecting society’s increased desire for data privacy. Additionally, CPRA gives consumers even greater control over and access to personal data collected by companies than what CCPA did.
For covered entities, this may feel like a regulatory “one-two punch” because CCPA was just signed into law in January, with enforcement commencing in July. The good news for businesses is that CPRA will not go into effect until 2023, which gives businesses time to institute the necessary infrastructure to comply. While CPRA has many facets that must be examined, as explained by IAPP in May, I believe there are three areas of the new law that bring significant challenges as they relate to data protection:
• Creation of the California Privacy Protection Agency (CalPPA).
• Creation of the sensitive personal information category.
• Expanded consumer rights and data controller compliance.