For over two years businesses have spent considerable energy preparing for and complying with the California Consumer Privacy Act (CCPA). Businesses now have more work to do after California voters overwhelmingly approved Proposition 24, the California Privacy Rights Act (CPRA), which completely reshapes and overhauls the CCPA. Fortunately, most of the CPRA’s changes, including those that expand the rights of consumers and require affirmative action from businesses, do not become effective until January 1, 2023 and apply only to personal information collected on or after January 1, 2022. Nonetheless, given the scope of the changes effected by the CPRA, businesses should begin familiarizing themselves with the CPRA so they can sensibly plan to effectuate changes in their policies and procedures over the next year. Unfortunately, one of the most significant changes worked by the CPRA is the elimination of the 30-day “cure period” businesses have under the CCPA to fix any violations identified by the California Attorney General. This means a failure to comply with California’s complicated and often ambiguous requirements will likely become much more costly.

The CPRA’s most significant changes in this alert, found on Steptoe’s website.