Top 10 Practical Business Implications Arising From the Passage of the CPRA

December 03, 2020 Articles
The Recorder

California’s Proposition 24 passed as expected, and the new California Privacy Rights Act will change the privacy landscape created by the California Consumer Protection Act (CCPA), which went into effect only months ago. While the CPRA won’t go into effect until Jan. 1, 2023, with enforcement (concerning data collected from Jan. 1, 2022 and later) beginning no sooner than July 1, businesses should already be in a position to comply.

In short, the difficult work in marshaling the data subject to the CPRA will need to have been undertaken in connection with CCPA compliance. As such, assuming a business has taken efforts to comply with the CCPA, the new law will require evolution rather than revolution of companies’ privacy practices. That does not mean, however, there is not work to be done, and companies subject to the CPRA should be taking steps to comply sooner rather than later.


(1) It should be noted that the CPRA amends, incorporates, and replaces the CCPA. The definition of companies subject to the new act is narrowed, and so those that would not be subject to the CCPA will similarly not be subject to the CPRA. Certain companies currently subject to the CCPA will not be subject to the CPRA, and after Dec. 31, 2022 will no longer have to comply with the requirements of the CCPA (or, obviously, the CPRA). This would mainly include companies who collect and use the personal information of more than 50,000 but less than 100,000 California data subjects. Such companies should continue satisfying the requirements of the CCPA through at least the end of 2022. Action item: Determine applicability of CCPA and CPRA to identify compliance regime.

(2) The CPRA has extended the deadlines under the CCPA concerning personal information of employees and business-to-business contacts until Jan. 1, 2023. Thus, companies subject to the CCPA that will not be subject to the CPRA need not take steps to bring the collection and use of this specific data into compliance with the applicable provisions of the CCPA. Action item: Determine whether employee and b2b data and the associated deadlines are relevant to your company’s compliance.

Further Refinement of Data Identification and Treatment

(3) The CPRA will require companies to further segregate certain “Sensitive Personal Information” and treat such data differently than other personal information. Consumers will need to be given heightened notice and be able to limit the use or disclosure of such information, which is defined to include things like Social Security, driver’s license, state ID card, or passport numbers, log-in or financial information in combination with any required information enabling access to such information, geolocation information, contents of the consumer’s communications with third parties, racial, genetic, or ethnic information, biometric information used for identification (e.g., fingerprint or facial recognition access methods), health information, and sex life and sexual orientation information. Action item: Determine Sensitive Personal Information within Personal Information and account for differing treatment.

(4) Companies will need to ensure the collection, use, retention, and sharing of personal information be “reasonably necessary and proportionate to achieve the purposes for which the personal information was collected or processed,” and disclose a data retention policy reflecting this along with the requirement that data not be retained for longer than reasonably necessary given the applicable disclosed purpose. Action item: Identify purposes of collection and use, and the period for holding of personal information and period for storage of information; prepare data retention policy to account for and reflect same.

(5) Where personal information is shared with third parties, the home page of the business must include a button enabling consumers to opt out of such sharing. Many companies already required to have a “Do Not Sell My Personal Information” will either need a second button regarding sharing or a combination “Do Not Sell or Share My Personal Information” button. Action item: Determine which buttons will be required and incorporate into the website.

(6) In addition to their rights currently offered consumers under the CCPA, the CPRA requires companies to enable consumers to correct errors in their personal information and have that personal information transferred to a third party. Action item: Update Privacy Policy to reflect additional rights.

Effects on Third-Party Agreements Regarding Sharing and Use of Personal Information

(7) The CRPA requires that those companies that share personal information with service providers and other third parties contractually obligate such recipients to process the personal information with the CPRA-required level of protection. Action item: Review and amend forms and existing contracts to incorporate such provisions.


(8) The CPRA removes the 30-day cure period for government enforcement, and companies will no longer be able to rely on the notice and cure period to avoid liability for noncompliance. Action item: Generally incorporate proactive compliance behaviors.

(9) The CPRA expands the private right of action currently limited to data breaches resulting from unreasonable security practices to also apply to the unauthorized access to and/or disclosure of an “email address in combination with a password or security question and answer that would permit access to an account” where reasonable security practices were not in place. Action item: Ensure proper security practices, policies, and tools are in place.


(10) While neither the CCPA nor the CPRA includes any provisions concerning insurance, the willingness of insurance companies to offer policies limiting liability for damages arising from the acts, whether in the form of government penalties and fines or private actions, is evolving. Action item: Review insurance policies and discuss available coverage with your broker.

California law continues to define and expand consumer protections around privacy rights in personal information. While this landscape will continue to evolve, whether from additional state law or potential federal legislation, it is important that corporate legal, marketing, and IT teams coordinate to stay current on and compliant with the law to best ensure new requirements result in reasonable compliance steps rather than costly and potentially insurmountable sea changes.

Reprinted with permission from the December 3, 2020 issue of The Recorder. © 2020 ALM Media Properties, LLC. Further duplication without permission is prohibited. All rights reserved.

Firm Highlights


What to Know About Taking a Data Center Company Public Through a SPAC

A recent IPO by InterPrivate IV Infratech Partners, a digital infrastructure-focused special purpose acquisition company, or SPAC, raised $250 million. Its impressive fundraising and management team, led by former CyrusOne CTO Kevin Timmons, may cause privately...

Read More

Electric Fence: Protecting Proprietary Rights in Collected Energy Data

Like companies in other industries, a growing number of modern energy-related companies are focusing their efforts on data collection and analysis. For example, Enphase – an energy technology company – regularly tracks data about how...

Read More

Data Center Business Deals Gone Bad, and the Risks of the “Known in the Industry” Defense

Exploring business partnerships often involves or even requires sharing highly confidential trade secret information. The data center industry is no exception, and its participants have in recent years faced litigation focused around the intellectual...

Read More

Privacy During Bankruptcy Proceedings: Why It Matters

During these particularly trying times resulting from the COVID-19 pandemic, businesses of all sizes have been concerned about the future. As a result, considering potential liquidation or restructuring through bankruptcy is inevitably starting to...

Read More

Cyber Insurance for the Cannabis Industry

Farella's Shanti Eagle (moderator), Nate Garhart and Tyler Gerking, along with guest speakers Javier Gonzalez and Michael Peters from PL Risk Advisors, discuss "Cyber Insurance for the Cannabis Industry." Cannabis businesses have cyber security...

Read More

Arbitration Agreements in Privacy Disputes: The Wyze Decision and the CCPA

Earlier this year, a number of individuals brought a lawsuit in the United States District Court for the Western District of Washington against Washington-based company Wyze Labs, Inc (Wyze), which manufactures “smart” home cameras...

Read More

How to Guard Against 3 Cannabis Cyber Attack Risks

Cyber attacks are now commonplace. Ransomware attacks, in particular, have skyrocketed in frequency and size. High-profile data breaches have cost businesses in the United States millions of dollars in losses and incalculable reputational harm...

Read More

Cannabis Farms in the Neighborhood: Water, Contaminants and Other Proximate Matters (Webinar)

Join Farella's Buzz Hines and guest speakers, Kari Campbell-Bohard from EpicVeg and Lompoc Valley Cooling and Robert Schultz from Geo Blue Consulting, in the discussion on "Cannabis Farms in the Neighborhood: Water, Contaminants and...

Read More

PSDcast – Is Energy Companies' Customer Data a Trade Secret?

We often focus on the privacy issues involved in data collection – and they are critically important – while neglecting the idea of data as a tangible and valuable resource (and how to protect...

Read More

Undergoing Bankruptcy Proceedings? Here’s How to Make Sure PII Maintains Its Value

Due to the COVID-19 pandemic, some businesses are considering potential liquidation or restructuring through bankruptcy. Companies in this situation should keep privacy concerns in mind, because the handling of personal data in bankruptcy proceedings...

Read More