The California Privacy Rights Act of 2020: A broad and complex data processing regulation that applies to businesses worldwide
Abstract
The California Privacy Rights Act of 2020 (CPRA) introduces sweeping changes to the California Consumer Privacy Act of 2018 (CCPA), most of which will become operative as of 1st January, 2023, with a ‘look back’ to 1st January, 2022. Key revisions include a new definition of ‘sensitive personal information’ and detailed obligations regarding the processing of sensitive personal information for non-essential purposes; a new and counterintuitive definition of ‘sharing’ personal information and related restrictions aimed at the digital advertising industry; new data subject rights to correct inaccurate information and opt out of the use of automated decision-making technology; new requirements to include data protection and processing terms in contracts with data recipients and vendors; new requirements regarding what privacy notices must include and how they must be furnished to data subjects; and the establishment of a new privacy authority, the California Privacy Protection Agency. Although some requirements are similar to those in other jurisdictions, some are unique in their scope and even more onerous and detailed than those of the European Union General Data Protection Regulation. For example, CCPA also applies to ‘household data’ and will require companies to include California-specific language in their vendor contracts and privacy notices. This paper summarises some of the key revisions that CPRA makes to CCPA and offers practical recommendations on how companies subject to the law must comply. Companies that do business in California must comply not only with the revised CCPA but also detailed laws specific to particular sectors, industries, harms and activities.
The full article is available to subscribers to the journal.
Author's Biography
Lothar Determann teaches computer, internet, data privacy and commercial law at Freie Universität Berlin, the University of California, Berkeley, School of Law, and Hastings College of the Law, and he practices law as a partner at Baker McKenzie, where he has been counselling companies since 1998 on privacy law compliance and taking products and business models international. He has authored numerous articles, treatise contributions and books, including Determann’s Field Guide to Data Privacy Law and California Privacy Law: Practical Guide and Commentary.
Jonathan Tam is a senior associate at Baker McKenzie focusing on global privacy, technology transactions and cybersecurity. He started in Baker McKenzie’s Toronto office in 2012 and transferred to the firm’s San Francisco office in 2018. He is a co-chair of the IAPP’s Silicon Valley KnowledgeNet chapter and a member of the Executive Committee of the San Francisco Bar Association’s Privacy and Cybersecurity Section.