California Establishes First US Data Protection Regulator
California Privacy Rights Act (CPRA)
05 November 2020
While the rest of the world was watching the US presidential elections, privacy practitioners had their eye on another contest: California's Proposition 24 ballot initiative—better known as the California Privacy Rights Act (CPRA).
This vote ended up being far less contested, with the Associated Press reporting that over 56% of Californians had voted in favor of the bill. The law will bring significant amendments to California's existing privacy law—the California Consumer Privacy Act (CCPA)—strengthening many of the law's privacy protections and establishing new privacy rights. Perhaps most notably, the initiative also establishes the California Privacy Protection Agency (CPPA), the nation's first regulator focused solely on data privacy.
Privacy practitioners will recall that the current California privacy law, the California Consumer Privacy Act (CCPA), was itself spurred by a ballot initiative that was proposed in 2018. Legislators were able to strike a last-minute deal to prevent that initiative from going to voters by passing the CCPA—thus securing flexibility by lawmakers to amend the law through the more traditional legislative process. Indeed, since the law was passed in 2018, several amendments have been passed, such as carving out employee data and data collected in the context of business-to-business transactions from most of the protections of the law. It is this flexibility that ultimately led to the CPRA, with advocates arguing that a ballot initiative was necessary to prevent special interests from weakening the law—as some claim has happened with the CCPA. Because the CPRA was passed as a ballot initiative, legislators now have much less control over the law, only being allowed to make amendments that strengthen its privacy protections.
Affected companies can take some solace in the fact that the substantive provisions of the law do not come into force until 2023, with a "lookback" to 2022 with regard to affected data. With 2021 fast approaching, though, companies would be wise to start preparing now for compliance. In the meantime, the most immediate change in the next few months will be the establishment of the CPPA, California's new data protection regulator. Many of the law's new provisions will be implemented through this new agency's guidance and regulation, so companies that do business in California will want to keep a close eye on it—we definitely will be!