UPCOMING COMPLIANCE DATE UNDER THE CALIFORNIA PRIVACY RIGHTS ACT OF 2020

May 16, 2023

The California Privacy Rights Act of 2020 (CPRA) has introduced a new body of rules to ensure a higher level of protection of consumers' personal information. In a notable change, the CPRA also introduces new privacy rights for employees and extends data privacy protections to consumer data exchanged in a business-to-business context.

Effective July 1, 2023, businesses that fail to comply with the provisions of the CPRA and the Regulations adopted by the California Privacy Protection Agency may be subject to an Agency enforcement action. There is no longer a 30-day right to cure a violation of California's privacy law.

Key Takeaways

Scope. Entities that do business in California and (i) as of January 1 of the preceding calendar year, had annual worldwide gross revenues in excess of $25 million, or (ii) buy, sell or share the personal information of 100,000 or more California consumers or households or (iii) derive 50 percent or more of their annual revenues from selling or sharing consumers' personal information are subject to the CPRA.

Consumer Rights. Consumers have a right to correct inaccuracies in their personal information, in addition to their right to know, delete, and obtain a copy of their personal information, and to opt-out of the sale or sharing of that information. Consumers also have the right to limit the use and disclosure of certain types of personal information selectively (e.g., they may choose to specifically exclude disclosure of gender or ethnic origin, etc.).

New Obligations for Businesses. Businesses must limit their collection of personal

information to information that is reasonably necessary and proportionate, and must implement reasonable security procedures.

Contract Requirements. Contracts between a business and its service providers,

contractors, and third parties must include specific provisions to safeguard consumers' personal information.

Privacy Policy. Businesses should assess whether their Privacy Policy and procedures for California residents satisfy the requirements of the CPRA and the Regulations, including provisions pertaining to the categories of personal information they collect, a consumer's right to act on that information (including sensitive personal information), opt-out rights and required notices, and whether the Policy meets certain style and accessibility requirements.

We are available to analyze and discuss with you, in collaboration with our counsel in California, the implementation of appropriate compliance measures to satisfy the requirements of the CPRA and the Regulations.

Contacting Pavia & Harcourt LLP

Questions regarding matters discussed in this publication may be directed to Giovanni Spinelli at [email protected] or Joseph Chioffi at [email protected].

About Pavia & Harcourt LLP

Established in 1951, Pavia & Harcourt LLP is a business law firm concentrating in international commercial and corporate transactions, banking, media and entertainment, real estate, litigation and arbitration, intellectual property, estate planning and administration, and matrimonial law. We are based in New York City.

This publication by Pavia & Harcourt LLP is for information purposes only. It does not constitute legal or other professional advice or opinions on specific facts or matters, nor does its distribution establish an attorney-client relationship. This material may constitute Attorney Advertising as defined by the New York Court Rules. As required by New York law, we hereby advise you that prior results do not guarantee a similar outcome.