Upon going into effect on Jan. 1, 2020, the California Consumer Privacy Act (CCPA) sent shock waves across the online business and marketing worlds by ushering in the nation’s toughest consumer-geared digital privacy protections. For many enterprises doing in-person or online business in California (and even for some whose websites were simply visited by California consumers), it created a host of new requirements regarding the collection and use of consumers’ personal data. For businesses meeting certain thresholds defined in the law, it required making revisions to their websites and other digital assets, including updating their privacy policies, preparing to respond to consumers’ requests regarding the data collected about them and more.
Now, the law’s sequel has arrived. Approved by California voters on Election Day 2020, the California Privacy Rights Act of 2020 (CPRA) will expand upon the data privacy protections created by the CCPA. It adds provisions allowing consumers to prevent businesses from sharing their personal information, speeds the imposition of penalties on business that violate the state’s consumer privacy laws and creates a new enforcement entity in the state’s Privacy Protection Agency, among other things.
The CPRA may be a California law, but due to the United States’ interconnected national economy, it will have sweeping effects on data-privacy practices for businesses throughout the nation, including in South Carolina. This is because, for businesses that meet the law’s applicability criteria (see details below), doing business with any California resident would make them subject to the law’s requirements. So any applicable business that collects information from any California resident, including via digital communications and transactions, would need to meet the law’s requirements.
The CPRA’s top business impacts
While most of the provisions of the CPRA are not set to fully take effect until January 2023 and will not be enforced until July 2023, the law will apply to information collected starting in January 2022, and impacted businesses will want to start making preparations for the changes well before that date.
While this is by no means an exhaustive list, some of the biggest responsibilities created by the CPRA that affected businesses will want to anticipate moving forward include:
Business owners and managers should be aware that the list above contains just a portion of some of the biggest responsibilities the CPRA will create for businesses that collect digital information about California consumers. The law’s full 50-plus pages can be reviewed here, and businesses that will be impacted by the new regulations are highly advised to seek legal counsel to determine just what steps they will need to take to ensure compliance with the law.
Looking for guidance and insights on the latest developments in the business-technology world? Keep an eye on the FTC Business Blog, where we regularly dive into technology-related topics affecting local and national businesses large and small. You can also follow us on Facebook and LinkedIn to stay up to date in the latest news and offerings from FTC.