Dark Reading is part of the Informa Tech Division of Informa PLC



10:00 AM
K Royal

What You Need to Know About California's New Privacy Rules

Proposition 24 will change Californians' rights and businesses' responsibilities regarding consumer data protection.

In November's elections, Californians voted in favor of Proposition 24, which effectively expands the state's data privacy legislation with a new set of rules. At a broad level, the California Privacy Rights Act (CPRA) will succeed the California Consumer Privacy Act (CCPA) on January 1, 2023.

Many organizations may have just gotten comfortable with General Data Protection Regulation (GDPR) or CCPA compliance. They are likely wondering what the CPRA entails and what those changes mean moving forward.

In the coming months, the California legislature will iron out the details about the CPRA. However, the major changes between the CCPA and CPRA have already crystallized. Although this list isn't exhaustive, the following are some of the biggest changes in the regulation.


A New Enforcement Agency Is Born
The CPRA introduces a new enforcement agency, the California Privacy Protection Agency (CPPA). This agency is akin to data protection supervisory authorities that exist in other countries. The agency will be made up of a five-person board, two of whom must be appointed by the California governor. The California State Assembly, Senate, and Attorney General will appoint the remaining members. The CPPA is tasked with investigating CPRA violations, conducting hearings, and issuing sanctions when necessary. The agency will also provide guidance on CPRA's implementation.

Requirements About Sensitive Personal Information
The CPRA introduces the concept of "sensitive personal information." According to the new law, sensitive personal information includes identification numbers, such as Social Security numbers, driver's license numbers, identity card or passport numbers, account credentials, credit card details, geolocation information, communications content in emails and text messages (if a business is not the recipient of the communication), and data elements that align with Europe's GDPR. These elements include religious or philosophical beliefs; union membership; health, genetic, and biometric data; and information related to an individual's sex life or sexual orientation. The CPRA states that consumers have the right to ask a business to not disseminate sensitive personal information.

Consumer Rights With Regard to Data
The CPRA now empowers consumers with a number of rights regarding the data that companies use. The CCPA already includes the right to deletion, whereby consumers can ask a business to delete their personal information it has on file. The CPRA will extend this right to ensure businesses cooperate with deletion requests and allow businesses to keep a confidential record of deletion requests for future reference. The CPRA will also introduce a right of correction, which enables consumers to request that a business correct inaccurate personal information. Under the CCPA, consumers were able to request to see the data a business has collected about them during the 12 months preceding the request. Under the CPRA, consumers can request to see data that businesses collected before the 12 months preceding that request if the business possesses that information.

Consumers Will Have More Say Over Data Collected for Advertising
Many companies use cross-context behavioral advertising, a practice that leverages individual consumer profiles for advertising purposes. Under the CPRA, consumers may opt out of these data collections. This change will also impact how companies present choices to opt out; for example, businesses will not be able to show large, brightly colored "accept all" preference buttons to consumers who view their websites. 

CPRA Extends Data Breach Requirements
When information such as nonencrypted or nonredacted data, or login credential and password combinations, is accessed without authorization, it's considered a data breach under the CCPA. The CPRA empowers consumers to claim compensation or other recourse that a court deems necessary to make up for the breach. If a court finds that a data breach was caused by insufficient data security, it may also seek administrative enforcement against the organization.

What Can Companies Do Now?
The good news is companies have until the Jan. 1, 2023, enforcement date to comply with these (and other) changes introduced in the CPRA. Although businesses don't need to address the CPRA specifically right now, compliance organizations should begin to prepare by taking note of the major changes and thinking about whether their existing privacy programs will be able to easily scale to support them.

K Royal is an attorney and global compliance professional with 25 years of experience in the legal and health-related fields. K has a particular interest in technology along with its challenges and opportunities. On a typical day, she works with GDPR, HIPAA, CCPA, incident ...
