The briefing began with a recap of the California Consumer Privacy Act of 2018 (CCPA), which went into effect on January 1, 2020. Parna reviewed the intent of the privacy law, which was broadly designed to protect the personal information of California residents. She gave an overview of the types of personal information covered or excluded under CCPA, the rights of California consumers, the duties of businesses in collecting and processing personal information, and enforcement.
Parna and Alex then unpacked key elements of the California Privacy Rights Act (CPRA), an amendment to the CCPA. The CPRA, which went into effect January 1, 2023, has notably established the California Privacy Protection Agency, which will interpret and enforce the law beginning on July 1, 2023. They explored the expanded scope of the law, to whom it applies, and how it alters rights and protections offered under the CCPA.
Rights of California consumers, some of which are expanded under the CPRA, include the right to delete, right to access, right to opt-out, right to data portability, and right to know. New consumer rights are a minor’s right to opt-in to the sharing of data, right to correction, right to know about automated decision-making, and the right to opt-out of automated decision-making.
A new category of personal information added to CPRA is Sensitive Personal Information (SPI), which adds protections for data such as biometric and geolocation data. Special rules that apply to SPI are the right to restrict use of SPI, and expanded notification requirements. Additional business requirements added into the CPRA include a cyber security audit and risk assessment. Parna also previewed an upcoming children’s privacy law, the California Age-Appropriate Design Code Act, which goes into effect on July 1, 2024.
Turning to other state privacy laws, the attorneys looked at laws being enacted or pursued across the country, including Oregon. They concluded the briefing with considerations for CPRA enforcement, encouraging a deep look at all parts of a business from Marketing and IT to Finance to determine what consumer data is held, why it’s needed, and how it is handled. Because CPRA removes employee exemptions, businesses should also consider if they need a separate privacy notice for California employees.
A recording of the webinar will be available in three parts. Part one can be seen here. Future webinars will be offered as CPRA regulations are announced.
Parna Mehrbani is a partner at Tonkon Torp and is Co-Chair of its Intellectual Property and Information Privacy & Security practice groups. Her practice is focused on intellectual property, trademark and copyright registration, licensing and enforcement, and advising on intellectual property portfolios for local, national, and international companies. She also advises businesses on the management and security of personal data and the laws that regulate the collection, use, and protection of personal data.
Alexandria Wagner-Jakubiak is an associate in Tonkon Torp’s Business Department. Her practice focuses on information privacy and security, intellectual property, and other general business matters.