After achieving a narrower-than-expected mandate of 56% on November 3, the California Privacy Rights Act (CPRA) has now passed. This new act overhauls the preexisting California Consumer Privacy Act (CCPA) and is a landmark moment for consumer privacy.
In essence, the CPRA closes some potential loopholes in the CCPA – but the changes are not uniformly more stringent for businesses (as I’ll show in a moment). It also moves California’s data protection laws closer to the EU’s GDPR standard. When the CPRA becomes legally enforceable in 2023, California residents will have a right to know where, when, and why businesses use their personally identifiable data. With many of the world’s leading tech companies based in California, this act will have national and potentially global repercussions.
The increased privacy is undoubtedly good news for consumers. But the act’s passage is likely to create concern among businesses that depend on customer data. With stricter enforcement, harsher penalties, and more onerous obligations, many companies are likely to wonder whether this new law will make operating more difficult.
While many of the finer details of the CPRA are likely to change before it becomes enforceable, here’s what your business needs to know right now.
Will you be subject to the CPRA?
The preexisting CCPA law applied only to businesses that:
1) had more than $25 million in gross revenue,
2) derived 50% or more of their annual revenue from selling consumers’ personal information, or
3) bought, sold, or shared for commercial purposes the personal information of 50,000 or more consumers, households, or devices.
The CPRA keeps most of these requirements intact but makes a few changes. First, the revenue requirement (point 1 above) is now clearer: A company must have made $25 million in gross revenue in the previous calendar year to