California Privacy Rights Act, 2020 (CPRA)

In November 2020, Californians voted to approve the California Privacy Rights Act (CPRA) of 2020. The CPRA is the strongest consumer privacy law ever enacted in the United States, and is comparative with the most comprehensive laws in other jurisdictions including Europe (GDPR), Japan, Israel, New Zealand, Canada, etc.

The CPRA builds on existing California law passed in 2018 (the California Consumer Privacy Act or CCPA). Both laws were sponsored by the same group, Californians for Consumer Privacy. The CPRA came into effect on 1 January 2023 and will become fully operational in phases over the next 2 years. We expect to see a final implementation in mid-2023.

Key components of the law include:

  • Access and deletion rights: The law provides for consumers to obtain and delete their own personal information.
  • Consumers can prevent the sale of their information.
  • The CCPA protects children by requiring a guardian’s permission before the sale of the child’s information can take place.
  • A consumer’s information can only be used for a specific purpose.
  • Businesses may only store a consumer’s information if they have stated this publicly.
  • Businesses may not collect more consumer information than is necessary.
  • Businesses must have reasonable and appropriate security measures in place to protect personal information.
  • Consumers must be able to correct their personal information with businesses.
  • If anyone commits a violation involving children’s information, they will face up to three times the amount of a fine under the Act.
  • The law provides people with the right to stop someone from using their sensitive Personal Information, for example race, precise geolocation, religion, union membership, genetics, biometrics, sexual orientation, contents of communications.
  • Annual cybersecurity audits and risk assessments for high-risk data processors.
  • The CPRA introduces four new rights: 1) the right to correction, meaning that users can request to have their personal information (PI) and special personal information (SPI) corrected; 2) the right to opt-out of automated decision making, meaning that California residents can say ‘no’ to their PI and SPI being used in profiling for behavioural advertisement online; 3) the right to know about automated decision making; and 4) the right to limit use of sensitive personal information.

Find out more

For detailed information about the CPRA and any updates, you can visit CPRA resource center website.