While there is still no U.S. national federal data privacy law, a level playing field so to speak, that has not stopped states from taking the lead instead. Less than a year after the California Consumer Privacy Act (CCPA) enforcement began, California passed yet another sweeping privacy law: the California Privacy Rights Act (CPRA), with a 56% majority in the California General Election. The CPRA imposes firmer protection of consumer privacy rights, similar to the European Union’s General Data Protection Regulation (GDPR). This new act will have a significant impact on corporations working in California or for any organization processing the data of Californians.
The CPRA brings about several changes to the CCPA, notably classifying sensitive personal information as a new category of personal information. But what are the impacts of this expanded privacy law on information governance and data protection? Mercifully for those under-prepared, most of the CPRA’s changes, which we will outline below, do not come into effect until Jan. 1, 2023, and apply only to personal information collected on or after January 1, 2022. However, given the scope of the changes, organizations need to start thinking about their data collection and management practices now in order to achieve compliance by the time 2023 comes around.