California’s Proposition 24 on consumer privacy protection, also known as the California Privacy Rights Act (CPRA), just passed by a vote of 56.1% to 43.9% (as of November 11, 2020). The new law will expand consumer rights beyond those of the existing California Consumer Privacy Act (CCPA) of 2018 by requiring businesses falling under the Act to implement the changes outlined below. Although the CPRA will officially go into effect as of January 2023, we recommend preparing ahead of time.
While the CPRA only applies to California, businesses across the country may soon be affected. If your business stores personal data pertaining to California residents and falls under the definition of a covered business, your business must comply with the CPRA and the CCPA. Even if your business does not fall under the definition of a covered business at this time, we recommend that you begin working towards compliance before your business grows enough to fall under the definition.
Currently, the CCPA applies to businesses that buy, sell, or share the personal data of 50,000 or more consumers, households, or devices annually; businesses that receive 50% of their revenue from sharing or selling personal data; and businesses that make $25 million or more in gross revenue. Once the CPRA goes into effect, devices will no longer be counted and the annual threshold will be increased to 100,000 or more consumers or households.
Notably, the new law raises the standards set by the CCPA by:
• Establishing the California Privacy Protection Agency, a separate enforcement agency dedicated to enforcing the CPRA;
• Allowing consumers to direct businesses to not share their personal data, to take reasonable efforts to correct inaccurate personal data, and to limit the use of “sensitive” personal information, including precise geolocation, race, ethnicity, religion, genetic data, private communications, sexual orientation, and specified health information;
• Requiring businesses to notify consumers of the length of time they will keep personal data;
• Prohibiting businesses’ retention of personal information for longer than reasonably necessary;
• Tripling maximum penalties for violations concerning consumers under the age of 16;
• Authorizing civil penalties for theft of consumer login information for businesses that suffer a data breach because reasonable security procedures were not in place; and
• Eliminating the ability of businesses to avoid penalties by addressing violations within 30 days of being told of the violation.
So far, it appears that these laws do not currently extend to business-to-business entities that have under $25 million in annual revenue or store the data of fewer than 100,000 consumers or households.
The attorneys of Cislo & Thomas LLP keep up to date on the complex and constantly changing cyber and privacy compliance laws and regulations. We are happy to assist you in all aspects of your data protection and consumer privacy compliance needs.
Specifically, Cislo & Thomas LLP can help you with:
– Privacy Compliance Assessments
– Ongoing Privacy Program Management
– Third Party Contract Review
– Incident Response Plans
– Internal Policy Development
Contact us at [email protected] or 310-979-9190 if you are interested in an initial consultation and privacy compliance assessment.