What to Expect from the California Privacy Rights and Enforcement Act of 2020

The California Consumer Protection Act (CCPA) went into effect on January 1, 2020, with the California Attorney General beginning enforcement on July 1, 2020. The CCPA represents a historic shift in the U.S. privacy landscape as it affords California residents more control over their personal information.

However, some privacy advocates do not believe that the CCPA is strong enough and they are fighting to strengthen the rights of consumers with the introduction of The California Consumer Rights and Enforcement Act of 2020 (CPRA).


Features of the California Privacy Rights and Enforcement Act of 2020 (CPRA)

California residents will cast their votes deciding whether to institute the CPRA during the election on November 3, 2020.

Some of the key features of the CPRA include:

  • Establishing the California Privacy Protection Agency as an independent enforcement arm
  • Expanding privacy rights of action and increasing companies’ breach liability
  • Requiring annual audit/risk assessments for high-risk processing
  • Providing additional rights for sensitive personal information
  • Enhancing consumer rights including:
    • Right of correction for consumers
    • Right to opt-out of companies using geolocation data
    • Right to restrict use of sensitive personal information and profiling activities
    • Expanding the right to know


Personal Employee Data Management under the CPRA

The CPRA recognizes that collecting personal information during the job application process and the course of employment is necessary for businesses and exempts employee data from privacy control regulations until 2023. The CCPA currently exempts employee data from privacy regulations until December 31, 2020 and the CPRA gives companies more time to adjust their employee data management process by extending the deadline.


How Companies can Prepare for the CPRA

Consumer information privacy regulation policies will continue to become more prevalent and robust as more states begin to adopt new legislation. Companies can adapt to this change by first identifying what type of personal information exists within their operating environment. Understanding how personal information is collected, stored, and maintained is a critical next step in a successful data governance program. Inherent tools within Microsoft, Amazon, and other technology suites can help companies scan their networks to identify unstructured data and highlight where sensitive information is stored. Companies should also focus on revisiting their privacy policies and overall privacy and data governance programs.

By adhering to these steps, companies can enhance their privacy posture and will be better equipped to navigate new and evolving data protection requirements, including the CPRA.