Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.


10:00 AM
K Royal
K Royal
Connect Directly
E-Mail vvv

What You Need to Know About California's New Privacy Rules

Proposition 24 will change Californians' rights and business's responsibilities regarding consumer data protection.

In November's elections, Californians voted in favor of Proposition 24, which effectively expands the state's data privacy legislation with a new set of rules. At a broad level, the California Privacy Rights Act (CPRA) will succeed the California Consumer Privacy Act (CCPA) on January 1, 2023.

Many organizations may have just gotten comfortable with General Data Protection Regulation (GDPR) or CCPA compliance. They are likely wondering what the CPRA entails and what those changes mean moving forward.

In the coming months, the California legislature will iron out the details about the CPRA. However, the major changes between the CCPA and CPRA have already crystallized. Although this list isn't exhaustive, the following are some of the biggest changes in the regulation.

Related Content:

The Sameness of Every Day: How to Change Up Audit Fatigue

Building an Effective Cybersecurity Incident Response Team

New From The Edge: Why Secure Email Gateways Rewrite Links (and Why They Shouldn't)

A New Enforcement Agency Is Born
The CPRA introduces a new enforcement agency, the California Privacy Protection Agency (CPPA). This agency is akin to data protection supervisory authorities that exist in other countries. The agency will made up of a five-person board, two of whom must be appointed by the California governor. The California State Assembly, Senate, and Attorney General will appoint the remaining members. The CCPA is tasked with investigating CPRA violations, conducting hearings, and issuing sanctions when necessary. The agency will also provide guidance on CPRA's implementation.

Requirements About Sensitive Personal Information
The CPRA introduces the concept of "sensitive personal information." According to the new law, sensitive personal information includes identification numbers, such as Social Security numbers, driver's license numbers, identity card or passport numbers, account credentials, credit card details, geolocation information, communications content in emails and text messages (if a business is not the recipient of the communication), and data elements that align with Europe's GDPR. These elements include religious or philosophical beliefs; union membership; health, genetic, and biometric data; and information related to an individual's sex life or sexual orientation. The CPRA states that consumers have the right to ask a business to not disseminate sensitive personal information.

Consumer Rights With Regard to Data
The CPRA now empowers consumers with a number of rights regarding the data that companies use. The CCPA already includes the right to deletion, whereby consumers can ask a business to delete their personal information it has on file. The CPRA will extend this right to ensure businesses cooperate with deletion requests and allow businesses to keep a confidential record of deletion requests for future reference. The CPRA will also introduce a right of correction, which enables consumers to request that a business correct inaccurate personal information. Under the CCPA, consumers were able to request to see the data a business has collected about them during the 12 months preceding the request. Under the CPRA, consumers can request to see data that businesses collected before the 12 months preceding that request if the business possesses that information.

Consumers Will Have More Say Over Data Collected for Advertising
Many companies use cross-context behavioral advertising, a practice that leverages individual consumer profiles for advertising purposes. Under the CPRA, consumers may opt out of these data collections. This change will also impact how companies present choices to opt out; for example, businesses will not be able to show large, brightly colored "accept all" preference buttons to consumers who view their websites. 

CPRA Extends Data Breach Requirements
When information such as nonencrypted or nonredacted information or login credentials and password combinations is granted unauthorized access, it's considered a data breach under the CCPA. The CPRA empowers consumers to claim compensation or other recourse that a court deems necessary to make up for the breach. If a court finds that a data breach was caused by insufficient data security, it may also seek administrative enforcement against the organization.

What Can Companies Do Now?
The good news is companies have until the Jan. 1, 2023, enforcement date to comply with these (and other changes) introduced in the CPRA. Although businesses don't need to address the CPRA specifically right now, compliance organizations should begin to prepare by taking note of the major changes and thinking about whether their existing privacy programs will be able to easily scale to support them.

K Royal is an attorney and global compliance professional with 25 years of experience in the legal and health-related fields. K has a particular interest in technology along with its challenges and opportunities. On a typical day, she works with GDPR. HIPAA, CCPA, incident ... View Full Bio

Recommended Reading:

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
NSA Appoints Rob Joyce as Cyber Director
Dark Reading Staff 1/15/2021
Register for Dark Reading Newsletters
White Papers
Cartoon Contest
Current Issue
2020: The Year in Security
Download this Tech Digest for a look at the biggest security stories that - so far - have shaped a very strange and stressful year.
Flash Poll
Assessing Cybersecurity Risk in Today's Enterprises
Assessing Cybersecurity Risk in Today's Enterprises
COVID-19 has created a new IT paradigm in the enterprise -- and a new level of cybersecurity risk. This report offers a look at how enterprises are assessing and managing cyber-risk under the new normal.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2021-01-22
This affects all versions of package jquery-ui; all versions of package org.fujion.webjars:jquery-ui. When the "dialog" is injected into an HTML tag more than once, the browser and the application may crash.
PUBLISHED: 2021-01-22
Hyweb HyCMS-J1's API fail to filter POST request parameters. Remote attackers can inject SQL syntax and execute commands without privilege.
PUBLISHED: 2021-01-22
Hyweb HyCMS-J1 backend editing function does not filter special characters. Users after log-in can inject JavaScript syntax to perform a stored XSS (Stored Cross-site scripting) attack.
PUBLISHED: 2021-01-21
Kubernetes Secrets Store CSI Driver Vault Plugin prior to v0.0.6, Azure Plugin prior to v0.0.10, and GCP Plugin prior to v0.2.0 allow an attacker who can create specially-crafted SecretProviderClass objects to write to arbitrary file paths on the host filesystem, including /var/lib/kubelet/pods.
PUBLISHED: 2021-01-21
Kubernetes Secrets Store CSI Driver versions v0.0.15 and v0.0.16 allow an attacker who can modify a SecretProviderClassPodStatus/Status resource the ability to write content to the host filesystem and sync file contents to Kubernetes Secrets. This includes paths under var/lib/kubelet/pods that conta...