California follows the footsteps of Europe and makes one more step to mirror the GDPR by ratifying the California Privacy Rights Act.
The California Consumer Privacy Act (CCPA)
After Europe passed the General Data Protection Regulation in 2016, California followed closely by passing the California Consumer Privacy Act (the “CCPA”) two years later, in June 2018. In effect since the 1st of January 2020, the CCPA represents the first comprehensive data privacy law and consumer privacy legislation in the United States. This state-wide landmark data privacy law provided regulations and obligations to worldwide businesses that handled and operated personal information of Californian consumers.
According to Rob Bonta, the attorney general of California’s Department of Justice, the CCPA of 2018 offers consumers a bigger control over the personal information that is collected by businesses. In fact, the CCPA regulations lay out recommendations on the implementation of the law, protecting several new privacy rights for California consumers, such as the right to know, the right to delete, the right to opt-out and the right to non-discrimination (according to privacybee.com).
Although the CCPA resembled the GDPR, there were some fundamental differences between the two in regards to who they affected, the data protected, the data collected, the data sharing and the penalties involved.
California Privacy Rights Act (CPRA)
This is where the CPRA comes into play. After a citizen’s initiative ballot question in 2020 (referendum), the California Privacy Rights Act, a ballot measure, was ratified by California voters in November 2020. The CRPA, the “CCPA 2.0”, will come into force in January of 2023 and its enforcement will begin by July of the same year.
The CPRA, also referred to as Proposition 24, is an amendment of the CCPA : it aims to amend existing provisions within the CCPA and annex new provisions linked to the creation of the California Privacy Protection Agency, the official authority that enforces and implements the CCPA.
California draws closer to the European GDPR…
With the CPRA, California makes one step closer to mirroring the European GDPR. The amendments made by the CPRA include :
- the granting of additional data subject rights,
- the introduction of “sensitive personal information”,
- the introduction of restrictions on sharing personal information,
- the widening of the definition of “publicly available information”
- the private right of action,
- the addition of two new fundamental requirements : accountability and data retention (similar to the GDPR),
- the necessity to ensure data security,
- and the establishment of the new agency, the CPPA (stated above).
M2 Cyberjustice – Promotion 2022/2023