The California Privacy Rights Act (CPRA) is a significant amendment to the California Consumer Privacy Act of 2018. It strengthens the rights of consumers regarding the control and use of their information. The CPRA does not go into effect until January 1, 2023, but its impact on businesses warrants immediate attention. Highlights include:
- Creation of a new administrative agency, the California Privacy Protection Agency (CPPA), exclusively focused on investigation and enforcement of data privacy complaints and CPRA violations. Notably, the California Attorney General remains empowered to impose fines ranging from $2,500-$7,500 per violation, depending upon the circumstances of the violation. Those fines could be massive.
- Elimination of the 30-day cure period afforded to businesses under the CCPA prior to the commencement of enforcement actions. Notably, the 30-day cure period as it relates to the commencement of a private right of action remains under the CPRA, but the CPRA notes that the implementation and maintenance of reasonable security procedures and practices following a breach does not constitute a cure with respect to the event. This is bad for impacted businesses.
- Expansion of information that, when subject to unauthorized access and exfiltration, theft or disclosure as a result of a business’s violation of the duty to implement and maintain reasonable security procedures and practices, provides the basis for a private right of action. Exposure of an email address in combination with a password or security question and answer that would permit access to the account will afford consumers the right to pursue a private right of action under the CPRA.
- Cessation of the HR and B2B CCPA exemptions, effective January 1, 2023. The CCPA included a one-year exemption for employee, job applicant and contractor data, as well as for personal information furnished by persons acting on behalf of a business or other entity. That one-year exemption was extended prior to the passage of the CPRA, but, as it currently stands, these exemptions will sunset when the CPRA goes into effect.
The CPRA is dense with significant changes to the CCPA. Businesses need to proactively determine what changes in practices and policies are necessary to ensure compliance with the CPRA. They should factor the additional risk created by the CPRA into their risk management efforts.
Mullen Coughlin is a law firm uniquely focused on providing tailored data privacy and incident response services to organizations of all sizes and across multiple sectors. Our team of experienced attorneys can assist in determining the applicability of the CCPA and CPRA to your organization and ensuring that it is administratively compliant with the requirements of various laws. If you have further questions or would like additional information about the CCPA or the CPRA, please contact Jenn Coughlin (267.930.4774) or Jim Monagle (267.930.1529).