California voters approved California Privacy Rights and Enforcement Act. Now what?


On November 3, California citizens approved the California Privacy Rights and Enforcement Act (CPRA), a comprehensive privacy law that expands the California Consumer Privacy Act (CCPA). Of note, the CPRA creates more stringent requirements for companies that collect and share sensitive personal information and creates the California Privacy Protection Agency, which will be responsible for enforcing the CPRA once it becomes effective on January 1, 2023. Most privacy experts believe the CPRA moves California closer to the European Union’s General Data Protection Regulation (GDPR).

The CPRA defines “sensitive personal information” as a wide range of data points, including account and login information, precise geolocation data, contents of mail, email and text messages, Social Security numbers, driver's licenses, passports, financial accounts, race, ethnicity, religion, union membership, personal communications, genetic and biometric data, health information, and anything about sex life or sexual orientation.

The CPRA sets limits on the collection and retention of personal information, requiring a business to retain only that which is reasonably necessary to achieve the purposes for which the personal information was collected or processed. In addition, the CPRA requires businesses to inform consumers of the length of time the business intends to retain each category of personal information and sensitive personal information, or the criteria used to determine that period.

The CPRA also expands the private right of action for consumers to bring claims against a business for the unauthorized access or disclosure of an email address and password or security question that would permit access to an account, along with access to a consumer’s non-encrypted and non-redacted personal information. It creates triple damages for violations relating to consumers who are minors under the age of 16.

One key change the CPRA makes to the CCPA requirements is an extension of the exemption for businesses with respect to their employees’ data. The CPRA exempts businesses from meeting the tough consumer privacy standards for their employees’ data until January 1, 2023. However, businesses will have to comply with certain aspects of employee privacy protection between now and then.

Source: California voters approved a new and even tougher data privacy act. What happens now?

About the Author

Chris Versace, Chief Investment Officer
I'm the Chief Investment Officer of Tematica Research and editor of Tematica Investing newsletter. All of that capitalizes on my near 20 years in the investment industry, nearly all of it breaking down industries and recommending stocks. In that time, I've been ranked an All Star Analyst by Zacks Investment Research and my efforts in analyzing industries, companies and equities have been recognized by both Institutional Investor and Thomson Reuters’ StarMine Monitor. In my travels, I've covered cyclicals, tech and more, which gives me a different vantage point, one that uses not only an ecosystem or food chain perspective, but one that also examines demographics, economics, psychographics and more when formulating my investment views. The question I most often get is "Are you related to…."
