As California nears the adoption of the final CPRA regulations, businesses should be on guard.

According to the California Privacy Protection Agency (CPPA), the state of California has released the first set of its final rules implementing the comprehensive California Privacy Rights Act (CPRA), with the remaining rules expected within the next few months.

The historic CPRA, which updates the 2018 California Consumer Privacy Act (CCPA) and is regarded as the nation's strictest consumer privacy law, was enacted by ballot initiative in 2020.

The CPRA gives California residents and employees extra protections against companies that might seek to acquire, store, share, or sell their personal information. Where sensitive information, such as social security numbers and location data, is involved, the regulations give consumers additional protection.

The CPPA stated in a press release on March 30 that the final rules "place the consumer in a position where they can knowingly and freely negotiate with a business over the business’s use of the consumer’s personal information."

The CPRA also extends the CCPA's "private right of action," which allows residents to sue businesses directly in specific situations after a data breach, to cover email addresses.

As the proposed rules did, the final rules grant data protection rights to California employees and consumers alike, including remote workers who reside in California.

The CPRA's consumer privacy protections typically apply to larger businesses that annually collect the personal information of at least 100,000 California residents. Companies with gross revenues of $25 million or more are subject to the employee protections.

Businesses that violate the CPRA may be fined $2,000 for each infraction, $2,500 for negligent violations, and $7,500 for willful violations.

By July 1, when the agency's enforcement of the Act officially begins, the CPPA expects to prepare, vote on, and publish several further sets of final rules covering 15 topics. Risk assessments, cybersecurity audits, and automated decision-making are expected to be among the subjects of the next set of final CPRA rules.

The rules are enforced jointly by the CPPA and the attorney general's office, which concentrates on large businesses and complex cases. Attorney General Rob Bonta has so far targeted businesses for violating the law's consumer opt-out provisions, including mobile app developers and cosmetics giant Sephora.

Seeking to postpone the implementation of the CPRA, the California Chamber of Commerce filed a lawsuit against the CPPA and the California attorney general on March 30. The chamber argued that, because the CPPA missed its deadlines for releasing the rules, firms should be granted an extra 12 months to prepare.

According to Jenny Holmes, deputy leader of the cybersecurity and privacy practice at Nixon Peabody, the final rules are essentially unchanged from the draft rules that the CPPA adopted in February.

Although having the final rules is immensely helpful, she stressed that nothing is truly final.

Companies won't truly understand how the CPPA is applying the rules until the agency starts enforcing them, Holmes said.

"It goes without saying we all need to be on alert for further guidance and enforcement actions," according to Holmes. "Companies must remain flexible" and be ready to make changes in accordance with the CPPA's enforcement priorities.

According to Holmes, businesses must be prepared to "grow with the law."

According to Holmes, companies can learn which areas the agency will prioritize, and can learn from the mistakes of others.

According to Holmes, the CPPA is expected to concentrate on the same issues the attorney general has focused on so far, which have largely been the enforcement of consumers' rights to refuse to have their data held by businesses.

Businesses that have not yet begun the process of becoming compliant with the law must do so immediately.

"I would stress that July 1 is going to come very quickly," she remarked.

"We’ve seen companies take it seriously. It’s sparked a lot of interest among companies to look at the privacy practices they extend to all employees, not just California residents," Holmes said.

According to Holmes, the regulations make clear what is required in agreements with contractors, service providers, and other third parties.

If a firm's agreement with a third party does not meet the CPRA's requirements, the firm risks having its sharing of personal data with that party treated as a "sale" of personal information.

"It’s really important for companies to look at their contractual relationships to make sure they’re appropriately classifying those entities the right way," according to Holmes. If you classify a company as a service provider, Holmes advised, "make sure it aligns with the CPPA’s intention of that word."

Five other states have enacted privacy laws, although none is as thorough as California's. The laws in Colorado, Connecticut, Utah, and Virginia take effect this year; Iowa's privacy law won't take effect until 2025.

The states assert that they are taking independent action in the absence of a comprehensive consumer data privacy bill from Congress.
