The California Privacy Rights Act (CPRA) went into effect from January 1, 2023. Full enforcement of the CPRA began from July 1. The CPRA modified the California Consumer Privacy Act of 2018 (CCPA).

The CPRA provides California residents data rights covering the use of their personal information (PI) by entities providing them goods and services and establishes a number of obligations that these entities must satisfy.

The CPRA is underpinned by the CPRA Regulations that implement the legislation. These were finalized on March 29, 2023. This is 8 months later than the CPPA’s mandated deadline.

The Latest Updates to the CPRA Regulations

The most recent amendments to the CPRA were passed on March 29, 2023. These included a significant update to organizations’ privacy obligations surrounding HR data, which was excluded in the CCPA.

In addition to the notice of collection required under CCPA, employers must now:

  • Publish an online privacy policy
  • Ensure contracts with third parties include mandated language addressing the explicit and exclusive business purposes for PI data handling
  • Implement procedures to allow job applicants, employees and their dependents to exercise their data rights.

The March 29 final regulations include additional items that must be included in the privacy policy, that are not explicitly stated in the statute.

The latest revisions to the regulations clarify the data rights granted by the CPRA and adds new notification and disclosure requirements for responding to individuals’ requests against their data rights. The most significant is the requirement for businesses to explain any denial of those rights. Businesses must respond to data rights requests within 45 days.

The regulations introduced several other clarifications, and it’s important organizations review them to understand how these affect their PI handling practices.

CPRA Enforcement

From July 1, 2023, the California Privacy Protection Agency (CPPA) has enforcement powers for the full extent of the CPRA. The CPPA has the power to conduct investigations, issue subpoenas and issuing penalties.

Fines under the CPRA start from $2,500 per violation and range to $7,500 for intentional violations or violations involving PI of those under 16-years-old. In addition, violations will incur an injunction, and potential civil penalties may be applied by the Attorney General.

The CPRA also grants private right of action that wasn’t part of the original CCPA. This applies where there’s disclosure of non-encrypted and non-redacted PI resulting from poor security practices by an organization.

To find out more about CPRA compliance, download your copy of our white paper, “How Businesses Can Meet CCPA Compliance.

Want to keep up with all our blog posts? Subscribe to our newsletter!