Top 10 Practical Business Implications Arising From the Passage of the CPRA

December 03, 2020 Articles
The Recorder

California’s Proposition 24 passed as expected, and the new California Privacy Rights Act will change the privacy landscape created by the California Consumer Protection Act (CCPA), which went into effect only months ago. While the CPRA won’t go into effect until Jan. 1, 2023, with enforcement (concerning data collected from Jan. 1, 2022 and later) beginning no sooner than July 1, businesses should already be in a position to comply.

In short, the difficult work in marshaling the data subject to the CPRA will need to have been undertaken in connection with CCPA compliance. As such, assuming a business has taken efforts to comply with the CCPA, the new law will require evolution rather than revolution of companies’ privacy practices. That does not mean, however, there is not work to be done, and companies subject to the CPRA should be taking steps to comply sooner rather than later.


(1) It should be noted that the CPRA amends, incorporates, and replaces the CCPA. The definition of companies subject to the new act is narrowed, and so those that would not be subject to the CCPA will similarly not be subject to the CPRA. Certain companies currently subject to the CCPA will not be subject to the CPRA, and after Dec. 31, 2022 will no longer have to comply with the requirements of the CCPA (or, obviously, the CPRA). This would mainly include companies who collect and use the personal information of more than 50,000 but less than 100,000 California data subjects. Such companies should continue satisfying the requirements of the CCPA through at least the end of 2022. Action item: Determine applicability of CCPA and CPRA to identify compliance regime.

(2) The CPRA has extended the deadlines under the CCPA concerning personal information of employees and business-to-business contacts until Jan. 1, 2023. Thus, companies subject to the CCPA that will not be subject to the CPRA need not take steps to bring the collection and use of this specific data into compliance with the applicable provisions of the CCPA. Action item: Determine whether employee and b2b data and the associated deadlines are relevant to your company’s compliance.

Further Refinement of Data Identification and Treatment

(3) The CPRA will require companies to further segregate certain “Sensitive Personal Information” and treat such data differently than other personal information. Consumers will need to be given heightened notice and be able to limit the use or disclosure of such information, which is defined to include things like Social Security, driver’s license, state ID card, or passport numbers, log-in or financial information in combination with any required information enabling access to such information, geolocation information, contents of the consumer’s communications with third parties, racial, genetic, or ethnic information, biometric information used for identification (e.g., fingerprint or facial recognition access methods), health information, and sex life and sexual orientation information. Action item: Determine Sensitive Personal Information within Personal Information and account for differing treatment.

(4) Companies will need to ensure the collection, use, retention, and sharing of personal information be “reasonably necessary and proportionate to achieve the purposes for which the personal information was collected or processed,” and disclose a data retention policy reflecting this along with the requirement that data not be retained for longer than reasonably necessary given the applicable disclosed purpose. Action item: Identify purposes of collection and use, and the period for holding of personal information and period for storage of information; prepare data retention policy to account for and reflect same.

(5) Where personal information is shared with third parties, the home page of the business must include a button enabling consumers to opt out of such sharing. Many companies already required to have a “Do Not Sell My Personal Information” will either need a second button regarding sharing or a combination “Do Not Sell or Share My Personal Information” button. Action item: Determine which buttons will be required and incorporate into the website.

(6) In addition to their rights currently offered consumers under the CCPA, the CPRA requires companies to enable consumers to correct errors in their personal information and have that personal information transferred to a third party. Action item: Update Privacy Policy to reflect additional rights.

Effects on Third-Party Agreements Regarding Sharing and Use of Personal Information

(7) The CRPA requires that those companies that share personal information with service providers and other third parties contractually obligate such recipients to process the personal information with the CPRA-required level of protection. Action item: Review and amend forms and existing contracts to incorporate such provisions.


(8) The CPRA removes the 30-day cure period for government enforcement, and companies will no longer be able to rely on the notice and cure period to avoid liability for noncompliance. Action item: Generally incorporate proactive compliance behaviors.

(9) The CPRA expands the private right of action currently limited to data breaches resulting from unreasonable security practices to also apply to the unauthorized access to and/or disclosure of an “email address in combination with a password or security question and answer that would permit access to an account” where reasonable security practices were not in place. Action item: Ensure proper security practices, policies, and tools are in place.


(10) While neither the CCPA nor the CPRA includes any provisions concerning insurance, the willingness of insurance companies to offer policies limiting liability for damages arising from the acts, whether in the form of government penalties and fines or private actions, is evolving. Action item: Review insurance policies and discuss available coverage with your broker.

California law continues to define and expand consumer protections around privacy rights in personal information. While this landscape will continue to evolve, whether from additional state law or potential federal legislation, it is important that corporate legal, marketing, and IT teams coordinate to stay current on and compliant with the law to best ensure new requirements result in reasonable compliance steps rather than costly and potentially insurmountable sea changes.

Reprinted with permission from the December 3, 2020 issue of The Recorder. © 2020 ALM Media Properties, LLC. Further duplication without permission is prohibited. All rights reserved.

Firm Highlights


Janice Reicher Named a 2022 Leadership Council on Legal Diversity Fellow

Farella Braun + Martel is proud to announce that Janice Reicher has been named a member of the 2022 class of Leadership Council on Legal Diversity (LCLD) Fellows. Janice joins a select group of...

Read More

The War Exclusion in a Time of War

The “war” exclusion has gotten more attention over the past couple of weeks in light of Russia’s invasion of Ukraine. For good reason. This exclusion, common in property and liability policies alike, typically eliminates...

Read More

Maximizing Your Insurance Coverage for Data Privacy Liability

With news of massive data breaches making headlines in recent years, the handling of personal data has become a focus for legislators and regulators around the world. Compliance with data privacy regulations such as the...

Read More

hiQ’s Groundbreaking Injunction Against LinkedIn Reaffirmed: Scraping of Publicly Available Data Likely Does Not Violate CFAA

The U.S. Court of Appeals for the Ninth Circuit has affirmed its prior decision , holding that LinkedIn could not block hiQ, a scraping entity, from scraping public LinkedIn profiles. The court found it was...

Read More

Using Multi-Factor Authentication as a Prerequisite to Cyber Liability Coverage

Multi-factor authentication (MFA) is more than an annoying popup or text message when logging onto a company’s website or platform. Not only is using MFA a sound security practice and good business, it is frequently...

Read More

Continuing Use of CGL Policies to Cover Data Breach Losses

Our lives and the products and devices we use become more dependent on data by the day. As a result, cyberattacks and data breaches present everchanging risks to companies and individuals, and the importance...

Read More

How to Guard Against 3 Cannabis Cyber Attack Risks

Cyber attacks are now commonplace. Ransomware attacks, in particular, have skyrocketed in frequency and size. High-profile data breaches have cost businesses in the United States millions of dollars in losses and incalculable reputational harm...

Read More

LinkedIn Loses Data Appeal

Erik Olson was quoted in the article "LinkedIn Loses Data Appeal" in CDR Magazine . In the article, Erik said: We are pleased to see that the Ninth Circuit has again affirmed, in light...

Read More

How hiQ Labs v. LinkedIn and Cases Following It Have Changed U.S. Law on Scraping

Alex Reese is a speaker at OxyCon's 2022 web scraping conference for the session "How hiQ Labs v. LinkedIn and Cases Following It Have Changed U.S. Law on Scraping." To register for the conference, please click...

Read More

Caught in the Crossfire — How will the war exclusion affect commercial policyholders?

The war exclusion has received a lot of attention over the past year, particularly since Russia invaded Ukraine in February. Policyholders’ concern that insurers will assert the exclusion as a basis to deny coverage...

Read More