Summary by Section

Below is an executive summary of each section the California Privacy Rights Act (CPRA) of 2020:

Preamble emphasizes California Constitution’s right to privacy. Intent of law is to prevent the Legislature from weakening privacy protections while allowing the Legislature to strengthen them over time. Discussion of state interest in protecting consumers, who are realistically unable to manage all their privacy settings to protect themselves, when many businesses are actively trying to make this difficult.

(A). Consumer Rights

(B). Responsibilities of Businesses

(C). Implementation of the Law

Section 3 is the heart of the law in terms of protecting it from being weakened in the future. Section A establishes that consumers have a right to control and protect their personal information, and that their authorized agents should be able to help them to do so. Section B references philosophical limitations on business’ collection and use of consumer information. Section C establishes the “one-way ratchet” which allows the Legislature to strengthen privacy over time and prohibits the Legislature from passing any amendments to CPRA which weaken consumer privacy in California.

First principles of privacy: purpose limitation, storage limitation, data minimization, requirements for a chain of custody when personal information is sold or shared, requirement for reasonable security.

Consumers have a right to delete their information (except in limited circumstances where businesses need to keep the information to complete a transaction, ensure security, exercise free speech etc.).

Consumers have a right to correct their inaccurate information held by businesses.

Consumers have a right to see what personal information businesses have collected about them, where it came from, why the business is selling it, where it is being disclosed.

Consumers have a right to know what personal information of theirs is being sold or shared, and with whom. 3rd parties may not resell or re-share personal information unless the consumer has received notice and has the right to opt out.

Consumers have the right to opt out of the sale of their information, also to opt out of its sharing for advertising. Guardians of children under 13, and consumers from 13 to 16, must opt in to the sale of their information.

Consumers can drastically limit the use and disclosure of their sensitive personal information, including race, religion, sexual orientation, health, precise geolocation, etc. The only exception is when a business delivers a product to a consumer which the consumer him/herself requested, and when the information would be used in a way reasonably expected by an average consumer.

Businesses may change service levels, offer financial incentives, or charge an opted-out consumer more, but there are strict limitations on such difference in service levels: the change or price difference must be reasonably related to the value provided to the business by the consumer’s data. Prevents businesses from imposing extreme financial or operational hurdles on a consumer who wants to prohibit the sale of their information.

Specific details/provisions with respect to these rights.

Businesses that sell or share information must provide a “Do Not Sell or Share my Personal Information” button. All businesses must respond to a Do Not Sell (aka “opt out”) signal (whose specifications will be developed by the new California Privacy Protection Agency). If a business responds to the opt out signal by agreeing not to charge the consumer, not to limit the functionality of the website, and not to degrade their service in response to the signal being received, then (and only then) the business can avoid posting a Do Not Sell button. In other words, a business may avoid the requirement to post a “Do Not Sell” button (i.e., this is the carrot), if the business agrees not to avail itself of the steps set forth in Section 1798.125 allowing it to change the service experience for an opted out consumer (and this is the stick).

Defined terms.

Exemptions from the law.

Permits private right of action in the event of negligent data breach, i.e. if a business has not redacted or encrypted consumers’ personal information and suffers a data breach.

Provides for penalties of $2,500 per violation and up to $7,500 per intentional violation. Allows for enforcement of the law by the California Privacy Protection Agency, by the Attorney General, and by any District Attorney in any county in California, as well as the City Attorneys in the 4 largest cities in the state (by repealing language in CCPA that gave the Attorney General exclusive authority).

Funds from fines go first to offset costs of enforcement, then 91% to a “lockbox” fund managed by the State Treasurer, whose interest is available to the state’s general fund. 9% of proceeds shall be made available for grants in California to nonprofits associated with privacy/data breaches.

The law applies to all businesses doing business in California, not simply businesses that collect information electronically, or over the Internet. This law should be harmonized with other consumer privacy laws, and whichever offers consumers the most protection, should control.

This state law preempts local laws.

California Privacy Protection Agency is given rule-making authority “as necessary to further the purposes of this title.” Specific directions include:

  • Regulations must ensure that consumers have the ability to exercise their choices “without undue burden.” Prevents businesses from “engaging in deceptive or harassing conduct, including in retaliation against consumers for exercising their rights”
  • Annual cybersecurity audit and regular risk assessments
  • Regulations to give consumers opportunity to object to automated decision-making including profiling
  • Defining scope of opt-out signal
  • Defining specification to indicate a consumer is a child

Avoidance actions taken in series to try to avoid the scope of this act shall be disregarded for the purpose of enforcing the Act.

No contract may waive or limit a consumer’s rights under this title.

New state agency is established with guaranteed minimum funding of (2021-22) $10 million per year indexed to CPI. Will allow for hiring ~ 50 privacy professionals, (25% more than the FTC has for the entire country).

  • 5-person board appointed by Governor, Attorney General, Senate Rules Committee, and Assembly Speaker
  • Rule-making authority beginning in 2021, enforcement authority beginning in 2023
  • Agency enforces via Administrative Procedure Act-governed hearings

No amendments are permitted unless they further the purpose and intent of the act (section 3). I.E., a one-way ratchet: the law can be amended to become more privacy protective, but not less.

The Act is severable.

N/A, no other privacy-related measure was placed on the ballot in 2020.

Other agencies can defend the constitutionality of the law in court.

The act shall be construed liberally.

The act is not intended to preempt federal law or the California Constitution.

  • March 16 deadline for naming 5 California Privacy Protection Agency board members
  • Agency begins rule-making later of 7/1/21, or 6 months after agency provides notice to the AG that it is prepared to begin rulemaking
  • 7/1/22 Final CPRA Regs adopted
  • 1/1/23 CPRA goes into effect
  • 7/1/23 civil and administrative enforcement of CPRA begins