California Legislative Update: Prop 24
By GRSMCyberPrivacyTeam on November 4, 2020
Apparently there’s some stuff going on with a couple of guys named Joe and Don that’s got everyone distracted for some reason. The cool kids know, however, that the most important thing to happen last night was the passage of Prop 24 in California which means the CCPA is old news and the CPRA is the new game in town.
You read that right. Having just (mostly) figured out what the implementing regulations should be for CCPA, a massive new privacy law that’s only been in effect since January, California voters said, “Eh, know what? Let’s do it all over again.”
We’ll let you get back to clicking around about this Joe and Don thing, but here’s a quick run-down of what the new CPRA adds to the CCPA:
- specific third-party oversight responsibilities, similar to GDPR;
- requirements for annual audits and regular risk assessments for certain businesses;
- requirements when doing “profiling” that are in-line with the GDPR:
- an entirely new enforcement authority the California Privacy Protection Agency;
- an expanded private right of action to cover beaches of account access credentials;
- increased penalties for mishandling of children’s data;
- a consumer right to correct data; and
- more specific data retention disclosures
We’ll have more in-depth analysis and thoughts on readiness programs to come in the near future.