Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.


10:00 AM
K Royal
K Royal
Connect Directly
E-Mail vvv

What You Need to Know About California's New Privacy Rules

Proposition 24 will change Californians' rights and business's responsibilities regarding consumer data protection.

In November's elections, Californians voted in favor of Proposition 24, which effectively expands the state's data privacy legislation with a new set of rules. At a broad level, the California Privacy Rights Act (CPRA) will succeed the California Consumer Privacy Act (CCPA) on January 1, 2023.

Many organizations may have just gotten comfortable with General Data Protection Regulation (GDPR) or CCPA compliance. They are likely wondering what the CPRA entails and what those changes mean moving forward.

In the coming months, the California legislature will iron out the details about the CPRA. However, the major changes between the CCPA and CPRA have already crystallized. Although this list isn't exhaustive, the following are some of the biggest changes in the regulation.

Related Content:

The Sameness of Every Day: How to Change Up Audit Fatigue

Building an Effective Cybersecurity Incident Response Team

New From The Edge: Why Secure Email Gateways Rewrite Links (and Why They Shouldn't)

A New Enforcement Agency Is Born
The CPRA introduces a new enforcement agency, the California Privacy Protection Agency (CPPA). This agency is akin to data protection supervisory authorities that exist in other countries. The agency will made up of a five-person board, two of whom must be appointed by the California governor. The California State Assembly, Senate, and Attorney General will appoint the remaining members. The CCPA is tasked with investigating CPRA violations, conducting hearings, and issuing sanctions when necessary. The agency will also provide guidance on CPRA's implementation.

Requirements About Sensitive Personal Information
The CPRA introduces the concept of "sensitive personal information." According to the new law, sensitive personal information includes identification numbers, such as Social Security numbers, driver's license numbers, identity card or passport numbers, account credentials, credit card details, geolocation information, communications content in emails and text messages (if a business is not the recipient of the communication), and data elements that align with Europe's GDPR. These elements include religious or philosophical beliefs; union membership; health, genetic, and biometric data; and information related to an individual's sex life or sexual orientation. The CPRA states that consumers have the right to ask a business to not disseminate sensitive personal information.

Consumer Rights With Regard to Data
The CPRA now empowers consumers with a number of rights regarding the data that companies use. The CCPA already includes the right to deletion, whereby consumers can ask a business to delete their personal information it has on file. The CPRA will extend this right to ensure businesses cooperate with deletion requests and allow businesses to keep a confidential record of deletion requests for future reference. The CPRA will also introduce a right of correction, which enables consumers to request that a business correct inaccurate personal information. Under the CCPA, consumers were able to request to see the data a business has collected about them during the 12 months preceding the request. Under the CPRA, consumers can request to see data that businesses collected before the 12 months preceding that request if the business possesses that information.

Consumers Will Have More Say Over Data Collected for Advertising
Many companies use cross-context behavioral advertising, a practice that leverages individual consumer profiles for advertising purposes. Under the CPRA, consumers may opt out of these data collections. This change will also impact how companies present choices to opt out; for example, businesses will not be able to show large, brightly colored "accept all" preference buttons to consumers who view their websites. 

CPRA Extends Data Breach Requirements
When information such as nonencrypted or nonredacted information or login credentials and password combinations is granted unauthorized access, it's considered a data breach under the CCPA. The CPRA empowers consumers to claim compensation or other recourse that a court deems necessary to make up for the breach. If a court finds that a data breach was caused by insufficient data security, it may also seek administrative enforcement against the organization.

What Can Companies Do Now?
The good news is companies have until the Jan. 1, 2023, enforcement date to comply with these (and other changes) introduced in the CPRA. Although businesses don't need to address the CPRA specifically right now, compliance organizations should begin to prepare by taking note of the major changes and thinking about whether their existing privacy programs will be able to easily scale to support them.

K Royal is an attorney and global compliance professional with 25 years of experience in the legal and health-related fields. K has a particular interest in technology along with its challenges and opportunities. On a typical day, she works with GDPR. HIPAA, CCPA, incident ... View Full Bio

Recommended Reading:

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
Cyberattacks Are Tailored to Employees ... Why Isn't Security Training?
Tim Sadler, CEO and co-founder of Tessian,  6/17/2021
7 Powerful Cybersecurity Skills the Energy Sector Needs Most
Pam Baker, Contributing Writer,  6/22/2021
Microsoft Disrupts Large-Scale BEC Campaign Across Web Services
Kelly Sheridan, Staff Editor, Dark Reading,  6/15/2021
Register for Dark Reading Newsletters
White Papers
Current Issue
The State of Cybersecurity Incident Response
In this report learn how enterprises are building their incident response teams and processes, how they research potential compromises, how they respond to new breaches, and what tools and processes they use to remediate problems and improve their cyber defenses for the future.
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2021-06-23
Vulnerability in OpenGrok (component: Web App). Versions that are affected are 1.6.7 and prior. Easily exploitable vulnerability allows low privileged attacker with network access via HTTPS to compromise OpenGrok. Successful attacks of this vulnerability can result in takeover of OpenGrok. CVSS 3.1 ...
PUBLISHED: 2021-06-23
A vulnerability in SonicOS where the HTTP server response leaks partial memory by sending a crafted HTTP request, this can potentially lead to an internal sensitive data disclosure vulnerability.
PUBLISHED: 2021-06-23
A command execution vulnerability exists in the default legacy spellchecker plugin in Moodle 3.10. A specially crafted series of HTTP requests can lead to command execution. An attacker must have administrator privileges to exploit this vulnerabilities.
PUBLISHED: 2021-06-23
Heap based buffer overflow in tsMuxer 2.6.16 allows attackers to cause a Denial of Service (DoS) by running the application with a crafted file.
PUBLISHED: 2021-06-23
Heap based buffer overflow in tsMuxer 2.6.16 allows attackers to cause a Denial of Service (DoS) by running the application with a crafted file.