California Voters Approve New Data Privacy Law

Privacy & Cybersecurity Update

Date: November 04, 2020

On November 3, California voters approved Proposition 24, also known as the California Privacy Rights and Enforcement Act of 2020 (CPRA), which amends and expands upon California’s other landmark privacy legislation, the California Consumer Privacy Act of 2018 (CCPA). In particular, the CPRA establishes new data privacy rights for California residents, imposes new obligations and liabilities on businesses and service providers, and creates a regulatory agency empowered to enforce California privacy law and prosecute noncompliance. The CPRA becomes operative on January 1, 2023, and, with some exceptions, will apply to California residents’ personal information collected by organizations after January 1, 2022.

Welcome to the CPRA (aka CCPA 2.0)

In 2018, California’s legislature enacted the CCPA, which created new data privacy rights for certain California-based “consumers” (e.g., a business’s customers, clients and employees) and mandated that covered “businesses” and “service providers” comply with its comprehensive privacy framework. Since the CCPA was enacted, however, it has been subject to several legislative amendments and a new regulatory framework created by California’s attorney general, which, according to proponents of the CPRA, “significantly weakened” the CCPA’s core safeguards. By approving the CPRA ballot initiative, California voters circumvented the California legislature to make several substantive amendments to the CCPA and effectively prevented California’s state government from undermining these changes through future legislation. Here are some key features of the CPRA.

Changes in scope. The CPRA significantly changes the types of “businesses” that are subject to the CCPA by amending the criteria (e.g., gross revenue, scope of data processing activities) used to determine whether an organization is a covered business.

Enforcement. The CPRA creates a new regulatory agency, the California Privacy Protection Agency, which is vested with full administrative power, authority and jurisdiction to implement and enforce the CCPA (as amended by the CPRA). The agency will investigate and hold hearings to determine whether a business, service provider or contractor is compliant with the CCPA, administer fines for noncompliance and assume rulemaking responsibilities under the law.

Third-party contracts. Although the CCPA did not mandate that businesses execute data protection contracts with their third-party service providers, it encouraged the practice by granting certain benefits to entities that do. The CPRA makes this practice mandatory – if a business sells personal information to or shares it with a third party, or simply discloses such information to a service provider or contractor for a business purpose, the parties must enter into an agreement that includes specific data processing provisions (e.g., limited use clauses, flow-down compliance obligations, notice of breach and remediation rights).

Data correction rights. The CPRA grants California residents the right to request that businesses correct any “inaccurate” personal information in their custody and control. Businesses are required to furnish Californians with notice of this right and to “use commercially reasonable efforts” to comply with data correction requests. Interestingly, however, a business is only obligated to make corrections if the data is inaccurate based on the context and purpose for which it is being processed.

Personal information sharing. The CPRA significantly restricts how a business can “share” personal information, which is defined broadly to mean a business’s disclosure of personal information, through any means, to a third party for “cross-contextual behavioral advertising,” regardless of whether money or other valuable consideration is exchanged between the parties. Businesses that engage in these activities may be required to post opt-out links on their websites to ensure Californians can withdraw from this disclosure and advertising process.

Sensitive personal information. The CPRA grants California residents the right to direct a business to limit its use of sensitive personal information (e.g., Social Security numbers, geolocation data, contents of communications) to only certain purposes set forth in the law and future regulations. Businesses may also be required to post opt-out links on their websites to comply with the CPRA’s requirements.

Rewards and financial incentive programs. The CPRA clarifies that the CCPA’s nondiscrimination clauses, which prohibit businesses from providing different prices or discounts in exchange for personal information, will not prohibit a business from offering a loyalty, premium features or discount program. However, the CPRA’s new obligations will make it more difficult for businesses to offer such programs. For instance, in addition to the opt-in consent required under the CCPA for these rewards and loyalty programs, the CPRA now requires businesses to wait at least 12 months before requesting that consumers join such a program if they previously declined.

Employee data. Under the CCPA, employment-related personal data was exempted from certain compliance requirements until January 1, 2021. The CPRA extends this deadline to January 1, 2023. The CPRA does not amend the CCPA’s requirements for immediate compliance with point-of-collection notices and data breach rights for HR data. Additionally, the CPRA explicitly prohibits businesses from retaliating against an employee, job applicant or independent contractor for exercising their rights under the law.


The CPRA was enacted only a few weeks after the most recent amendments to the CCPA were published for notice and comment. Although organizations may be frustrated by its timing, they should be well positioned to leverage their existing (and relatively new) CCPA compliance programs to conform with the CPRA’s new requirements.


For more information, please contact:

Darcy M. Brosky

Steven G. Stransky

Thomas F. Zych

or any member of our Privacy & Cybersecurity group.

This advisory bulletin may be reproduced, in whole or in part, with the prior permission of Thompson Hine LLP and acknowledgment of its source and copyright. This publication is intended to inform clients about legal matters of current interest. It is not intended as legal advice. Readers should not act upon the information contained in it without professional counsel.

This document may be considered attorney advertising in some jurisdictions.