Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.


10:00 AM
K Royal
K Royal
Connect Directly
E-Mail vvv

What You Need to Know About California's New Privacy Rules

Proposition 24 will change Californians' rights and business's responsibilities regarding consumer data protection.

In November's elections, Californians voted in favor of Proposition 24, which effectively expands the state's data privacy legislation with a new set of rules. At a broad level, the California Privacy Rights Act (CPRA) will succeed the California Consumer Privacy Act (CCPA) on January 1, 2023.

Many organizations may have just gotten comfortable with General Data Protection Regulation (GDPR) or CCPA compliance. They are likely wondering what the CPRA entails and what those changes mean moving forward.

In the coming months, the California legislature will iron out the details about the CPRA. However, the major changes between the CCPA and CPRA have already crystallized. Although this list isn't exhaustive, the following are some of the biggest changes in the regulation.

Related Content:

The Sameness of Every Day: How to Change Up Audit Fatigue

Building an Effective Cybersecurity Incident Response Team

New From The Edge: Why Secure Email Gateways Rewrite Links (and Why They Shouldn't)

A New Enforcement Agency Is Born
The CPRA introduces a new enforcement agency, the California Privacy Protection Agency (CPPA). This agency is akin to data protection supervisory authorities that exist in other countries. The agency will made up of a five-person board, two of whom must be appointed by the California governor. The California State Assembly, Senate, and Attorney General will appoint the remaining members. The CCPA is tasked with investigating CPRA violations, conducting hearings, and issuing sanctions when necessary. The agency will also provide guidance on CPRA's implementation.

Requirements About Sensitive Personal Information
The CPRA introduces the concept of "sensitive personal information." According to the new law, sensitive personal information includes identification numbers, such as Social Security numbers, driver's license numbers, identity card or passport numbers, account credentials, credit card details, geolocation information, communications content in emails and text messages (if a business is not the recipient of the communication), and data elements that align with Europe's GDPR. These elements include religious or philosophical beliefs; union membership; health, genetic, and biometric data; and information related to an individual's sex life or sexual orientation. The CPRA states that consumers have the right to ask a business to not disseminate sensitive personal information.

Consumer Rights With Regard to Data
The CPRA now empowers consumers with a number of rights regarding the data that companies use. The CCPA already includes the right to deletion, whereby consumers can ask a business to delete their personal information it has on file. The CPRA will extend this right to ensure businesses cooperate with deletion requests and allow businesses to keep a confidential record of deletion requests for future reference. The CPRA will also introduce a right of correction, which enables consumers to request that a business correct inaccurate personal information. Under the CCPA, consumers were able to request to see the data a business has collected about them during the 12 months preceding the request. Under the CPRA, consumers can request to see data that businesses collected before the 12 months preceding that request if the business possesses that information.

Consumers Will Have More Say Over Data Collected for Advertising
Many companies use cross-context behavioral advertising, a practice that leverages individual consumer profiles for advertising purposes. Under the CPRA, consumers may opt out of these data collections. This change will also impact how companies present choices to opt out; for example, businesses will not be able to show large, brightly colored "accept all" preference buttons to consumers who view their websites. 

CPRA Extends Data Breach Requirements
When information such as nonencrypted or nonredacted information or login credentials and password combinations is granted unauthorized access, it's considered a data breach under the CCPA. The CPRA empowers consumers to claim compensation or other recourse that a court deems necessary to make up for the breach. If a court finds that a data breach was caused by insufficient data security, it may also seek administrative enforcement against the organization.

What Can Companies Do Now?
The good news is companies have until the Jan. 1, 2023, enforcement date to comply with these (and other changes) introduced in the CPRA. Although businesses don't need to address the CPRA specifically right now, compliance organizations should begin to prepare by taking note of the major changes and thinking about whether their existing privacy programs will be able to easily scale to support them.

K Royal is an attorney and global compliance professional with 25 years of experience in the legal and health-related fields. K has a particular interest in technology along with its challenges and opportunities. On a typical day, she works with GDPR. HIPAA, CCPA, incident ... View Full Bio

Recommended Reading:

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
7 Old IT Things Every New InfoSec Pro Should Know
Joan Goodchild, Staff Editor,  4/20/2021
Cloud-Native Businesses Struggle With Security
Robert Lemos, Contributing Writer,  5/6/2021
Defending Against Web Scraping Attacks
Rob Simon, Principal Security Consultant at TrustedSec,  5/7/2021
Register for Dark Reading Newsletters
White Papers
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2021-05-15
A XSS Vulnerability in /uploads/dede/action_search.php in DedeCMS V5.7 SP2 allows an authenticated user to execute remote arbitrary code via the keyword parameter.
PUBLISHED: 2021-05-15
DedeCMS V5.7 SP2 contains a CSRF vulnerability that allows a remote attacker to send a malicious request to to the web manager allowing remote code execution.
PUBLISHED: 2021-05-14
The Linux kernel before 5.11.14 has a use-after-free in cipso_v4_genopt in net/ipv4/cipso_ipv4.c because the CIPSO and CALIPSO refcounting for the DOI definitions is mishandled, aka CID-ad5d07f4a9cd. This leads to writing an arbitrary value.
PUBLISHED: 2021-05-14
In the Linux kernel before 5.12.4, net/bluetooth/hci_event.c has a use-after-free when destroying an hci_chan, aka CID-5c4c8c954409. This leads to writing an arbitrary value.
PUBLISHED: 2021-05-14
The block subsystem in the Linux kernel before 5.2 has a use-after-free that can lead to arbitrary code execution in the kernel context and privilege escalation, aka CID-c3e2219216c9. This is related to blk_mq_free_rqs and blk_cleanup_queue.