California Privacy Rights Act, 2020 (CPRA)

In November 2020, Californians voted to approve the California Privacy Rights Act (CPRA) of 2020. The CPRA is the strongest consumer privacy law ever enacted in the United States, and is comparative with the most comprehensive laws in other jurisdictions including Europe (GDPR), Japan, Israel, New Zealand, Canada, etc.

The CPRA builds on existing California law passed in 2018 (the California Consumer Privacy Act or CCPA). Both laws were sponsored by the same group, Californians for Consumer Privacy. The Act will come into operation in phases over the next 2 years. We expect to see a final implementation in mid-2023.

Key components of the law include:

  • Access and deletion rights: The law provides for consumers to obtain and delete their own personal information.
  • Consumers can prevent the sale of their information.
  • The CCPA protects children by requiring a guardian’s permission before the sale of the child’s information can take place.
  • A consumer’s information can only be used for a specific purpose.
  • Businesses may only store a consumer’s information if they have stated this publicly.
  • Businesses may not collect more consumer information than is necessary.
  • Businesses must have reasonable and appropriate security measures in place to protect personal information.
  • Consumers must be able to correct their personal information with businesses.
  • If anyone commits a violation involving children’s information, they will face up to three times the amount of a fine under the Act.
  • The law provides people with the right to stop someone from using their sensitive Personal Information, for example race, precise geolocation, religion, union membership, genetics, biometrics, sexual orientation, contents of communications.
  • Annual cybersecurity audits and risk assessments for high-risk data processors.

Find out more

For detailed information about the CPRA and any updates, you can visit CPRA resource center website.