California continues to lead the way in the U.S. with trailblazing privacy laws that strongly focus on protection of personal and sensitive information.
The California Privacy Rights Act (CPRA) is an amendment to the California Consumer Privacy Act (CCPA) that gives Californians even more control over their personal information and privacy rights, including:
- Expansion of rights under the CCPA to cover consumer personal data rights, employee personal data rights and business-to-business (B2B) personal data rights
- Right to know what categories and pieces of personal information are collected, disclosed or sold by companies and the purpose(s)
- Right to limit use of sensitive personal information, including limits on how long a company can keep personal information in its records
- Right to delete personal information, by requesting permanent removal of personal information from a company’s data records
- Right to correct personal information by requesting changes to any of their personal information held in a company’s data records
- Right to opt-out of the sale or sharing of personal information by a company to any other company and the right to opt-out of automated decision-making technology
- Right of non-retaliation by a company if an individual exercises their data privacy rights.
Timeline of the CPRA
The CPRA strengthens the safeguards on Californians’ personal information, particularly the collection and sale of sensitive personal information.
It expands on the scope of the CCPA, which focuses on the protection of consumer personal data, to also cover protection of employee personal data and B2B personal data.
Key dates related to the CPRA include:
November 7, 1972 – Proposition 11 (also known as the Right to Privacy Initiative) passes with an overwhelming majority vote by Californians. It amends the California Constitution to include the right of privacy among inalienable rights of all people.
April 21, 2000 – Children’s Online Privacy Protection Act 1998 (COPPA) becomes effective. It gives parents control over online activities of their children under 13. It governs how businesses collect, keep and/or share personal information when children under 13 access a U.S.-based website or online service.
July 1, 2004 – California Online Privacy Protection Act 2003 becomes effective. It requires operators of commercial websites and online services to publish and comply with a privacy policy on their websites.
January 1, 2015 – Privacy Rights for California Minors in the Digital World becomes effective. It builds on the U.S.-wide COPPA law by protecting the online privacy of children under 18 who live in California.
December 18, 2017 – the California Department of Justice approves the language and petitioning of a ballot proposition for the California Consumer Privacy Act (CCPA). More than 600,000 California voters sign petitions to qualify the CCPA to be voted on in California’s November 2018 election where it received majority support.
June 28, 2018 – the California Consumer Privacy Act is signed into law
January 1, 2020 – the CCPA becomes effective
November 3, 2020 – more than 56% of California voters approve Proposition 24 for the amendment of the CCPA with the California Privacy Rights Act 2020 at California’s general election
December 2020 – the California Attorney General begins preliminary adoption of some of the regulations in the CPRA, including setting the foundations for the creation of the California Privacy Protection Agency
January 1, 2021 – the California Privacy Rights Act 2020 (CPRA) passes into law. The California Privacy Protection Agency is also established
July 1, 2021 – the California Privacy Protection Agency gains full regulatory authority and jurisdiction to implement and enforce California’s privacy laws, including regulations under the CCPA and CPRA
January 1, 2022 – personal consumer information of Californians collected from this date becomes legally accountable under the CPRA’s 12-month lookback period. However, there are exceptions for personal data collected from employees and B2B relationships
January 1, 2023 – the CPRA becomes effective and applies to all personal data collected from Californians since January 1, 2022 (the lookback period). The exceptions covering personal data collected from employees and B2B relationships expire
July 1, 2023 – the CPRA becomes enforceable by the California Privacy Protection Agency.