Well, California is at it again. Less than one year after the California Consumer Privacy Act (CCPA) took effect, the people of California voted to approve Proposition 24 (aka the California Privacy Rights Act, the CPRA) on Election Day 2020. The CPRA will largely take effect on Jan. 1, 2023, adding a handful of rights for California consumers and new obligations for businesses, which will be enforceable by the California Privacy Protection Agency, a new state privacy regulatory agency created by the CPRA.
Concepts
The CPRA has added several new concepts and definitions, some of which are borrowed from the EU’s General Data Protection Regulation (GDPR):
• Data minimization, which dictates that only data that is necessary and proportionate to the purpose be collected and processed;
• Purpose limitation, where without notice and additional permissions, data is not used beyond the original purpose(s) for which the consumer provided it, or a reasonably expected purpose stemming from the original purpose; and
• Storage limitation, requiring the data not be held longer than reasonably necessary. Businesses should start analyzing what information they are collecting, whether it is “necessary,” how it is used, and what the “necessary” retention period is, given the purpose of processing and any legal obligations they may have.
