By almost 1.5 million votes, California voters approved Proposition 24, the California Privacy Rights Act of 2020 (“CPRA”).  The CPRA amends and expands the California Consumer Privacy Act of 2018 (“CCPA”) and is affectionately referred to as “CCPA 2.0.”  While the CPRA’s requirements do not take effect until January 1, 2023, the CPRA ushers in significantly more privacy protections for California residents, while also amending some of the CCPA’s jurisdictional requirements.  Below, we touch on some of the CPRA’s requirements.

First, from a jurisdictional standpoint, previously one prong of the CCPA’s jurisdictional test was if a business reached 50,000 California consumers, then it was subject to the CCPA.  Practically speaking, this meant if a business had a website that received on average 137 hits per day from California, it could be subject to the CCPA’s requirements.  Under the CPRA, this threshold is bumped up to 100,000 consumers/households.  This change benefits small and midsize businesses, which otherwise would not meet the other jurisdictional requirements of having revenue above 25 million dollars per year, or a business that receives 50% of its income from the sale of personal information of CA consumers.

Second, similar to GDPR, the CRPA establishes a new category of “sensitive personal information.”  Under the CPRA, sensitive personal information includes an individual’s precise location, race, religion, sexual orientation, and specified health information, among others. With regard to this sensitive information, individuals will have greater control.  The CPRA will allow individuals to opt out of a business’ use or disclosure of such sensitive personal information.

Third, the CPRA strengthened protections for minors, as it triples fines related to violations for minors under 16.

Lastly, the CPRA establishes the California Privacy Protection Agency.  This agency will enforce and implement consumer privacy laws and can administer fines for businesses that violate California’s privacy laws.

Much like the CCPA, we expect the CPRA to evolve and change prior to the January 1, 2023 implementation date.

Print:
Email this postTweet this postLike this postShare this post on LinkedIn
Photo of Daniel J. Kagan Daniel J. Kagan

Dan Kagan is an Associate in the Health Care, Long Term Care and Privacy and Cybersecurity Groups. He represents hospitals, physicians, nursing homes, assisted living communities, CCRCs and other health care clients with a wide range of regulatory, compliance, risk management, transactional and…

Dan Kagan is an Associate in the Health Care, Long Term Care and Privacy and Cybersecurity Groups. He represents hospitals, physicians, nursing homes, assisted living communities, CCRCs and other health care clients with a wide range of regulatory, compliance, risk management, transactional and reimbursement issues.

With regard to Privacy and Cybersecurity, Dan has experience drafting privacy policies and notices, website terms of use, written information security plans and incident response plans.  Dan counsels clients on compliance issues related to state, federal and international privacy laws including the General Data Protection Regulation (GDPR).  Dan also has experience representing both health care and non-health care clients that have suffered data breaches and assists such clients with breach response and applicable reporting obligations.  Dan writes extensively on privacy and cybersecurity issues and is a co-editor of Murtha’s Privacy and Cybersecurity Perspectives blog.

As a member of the Health Care and Long Term Care groups, Dan has experience representing clients with HIPAA compliance, Stark and anti-kickback analyses, purchase and sale transactions, reviewing and drafting contracts, certificate of need requirements, rate appeals, Medicare and Medicaid audits, medical staff and credentialing matters, licensing and change of ownership proceedings.

Prior to joining Murtha Cullina, Dan clerked for the Honorable Lubbie Harper, Jr. and the Honorable Joseph H. Pellegrino of the Connecticut Appellate Court.

Dan received his J.D. with honors from the University of Connecticut School of Law where he was a Notes and Comments Editor for the Connecticut Insurance Law Journal. He earned his Bachelor of Arts in Economics from McGill University.