California Privacy Rights Act Goes into Effect

The California Privacy Rights Act, which establishes the California Privacy Protection Agency, goes into effect.

When California Secretary of State Alex Padilla certified the results of the November General Election on 11 December, the California Privacy Rights Act (CPRA) went into effect. The majority of the CPRA’s provisions will not be fully operative until 1 January 2023 and will not be fully enforceable until July 2023. However, some provisions are now fully operative, such as the establishment of the California Privacy Protection Agency.

The California Privacy Rights Act (CPRA) is not the first of its kind, following in the footsteps of the California Consumer Privacy Act of 2018 (CCPA), which grants California residents some of the same personal privacy rights found in the EU’s General Data Privacy Regulation (GDPR), such as the right to access, transfer, delete and object to the sale of their personal information. The CPRA not only updates the CCPA of 2018, but issues new regulations and specifications, such as:

  • The specifics of opt-out mechanisms from “selling” and “sharing” data.
  • How often and under what circumstances consumers may request the correction of their personal information.
  • The standards for annual cybersecurity audits and risk assessments.

The first fully operative provision in the CPRA is the establishment of the California Privacy Protection Agency (CPPA), a five-member board whose members are chosen by the California Governor, Attorney General, Senate Rules Committee, and Speaker of the Assembly. The appointees will be California residents with expertise in privacy, technology, and consumer rights, serving no longer than eight consecutive years.

This first-of-its-kind agency will act as a rulemaking and enforcement body regarding consumer privacy, issuing administrative proceedings and fines between $2,500 and $7,500 per privacy violation. The agency will also have the power to conduct audits that ensure compliance with the CPRA and to coordinate with other privacy enforcement agencies in the state, as well as in other states, territories, and countries. While the CPPA will likely be an authoritative body, it must coordinate with the California Attorney General, who retains the power to enforce the CPRA through civil penalties.

How This Impacts Mobility

Such data protection measures will apply to Relocation Management Companies (RMCs) and corporate entities that handle sensitive personal data of Californians. Companies transferring employees will be impacted, especially those involved in the relocation of a California resident. Should any member have questions regarding these developments, please reach out to Vice President of Member Engagement and Public Policy Rebecca Peters,