This article seeks to elucidate the
objectives, rights, and obligations of individuals and corporations under the
California Privacy Rights Act, 2020 in light of its importance for Indian
businesses operating in Canada.
The California Privacy Rights Act (CPRA) is the latest revision of California
law that tightens privacy laws and safeguards the privacy of customers. The
California Privacy Rights Act was proposed with the aim of making the privacy
laws in the state of California even more powerful. In the November 2020
election, Californians approved the California Privacy Rights Act ballot
proposition, updating and enhancing the current California Consumer Privacy Act
The proposition expands the rules established under the California Consumer
Privacy Act. The new California state privacy legislation updates the California
Consumer Privacy Act's current provisions, establishes new consumer rights, adds
new requirements for companies that gather personal data from California
residents, and establishes the California Privacy Protection Agency as a new
enforcement authority. Together with the California Department of Justice, the
agency will be responsible for monitoring and enforcing consumer privacy laws.
This change in law will require both businesses and individuals to comply with
new norms and standards set by the newly proposed act. The initiative also
mandates that businesses acquire consent from customers under the age of 16 and
consent from a parent or legal guardian from customers under the age of 13
before collecting personal data.
In light of such changes taking place in the
privacy laws of California, it is essential for business entities and
individuals to update their modus operandi on processing personal data to suit
the standards set by the California Privacy Rights Act, 2020. This article
provides a comprehensive overview of the changes in the rights and obligations
of consumers and organisations in view of the change in the Californian privacy
CPRA's Importance for Indian Entities
Understanding the California Privacy Rights Act (CPRA) is relevant for Indian
multinational companies (MNCs) operating in Canada due to the extraterritorial
reach of privacy laws and the potential impact on cross-border data transfers.
The CPRA introduces significant changes to privacy regulations in California,
which is home to numerous technology companies and a significant market for
Since California's privacy laws have a broad reach and affect
companies that collect or process personal data of California residents, Indian MNCs with operations in Canada may have to comply with CPRA requirements if they
handle data of Californian consumers. Being aware of CPRA's provisions, such as
new consumer rights and obligations, can help Indian MNCs ensure compliance with
California's privacy laws and navigate potential legal implications when
handling personal data from California residents while operating in Canada.
Rights granted under CCPA, 2018
The General Data Protection Regulation (GDPR), introduced by the European Union,
which garnered a lot of attention with its profusion of privacy-related rules
and the possibility of significant fines for offenders, had a significant impact
on the data protection and privacy arena in 2018. The California Consumer
Privacy Act of 2018 acted as the most important of many other new laws enacted
during that year for privacy rights.
The California Consumer Privacy Act is a state law created to strengthen
Californians' rights to privacy and consumer protection. The Act became
operative on January 1, 2020. It is the predecessor of the California Privacy
Rights Act, 2020.
California consumers have the following rights under the CCPA:
- Access to their personal data.
- Understand the types of personal data being gathered.
- Choose not to have it shared or sold.
- Request for its removal, or if it's inaccurate, request for its correction.
- Exercise their rights without worrying about punishment or prejudice.
The California Consumer Privacy Act has, over time, lost its sheen and
relevance, requiring a more stringent and updated Act to come into force
instead. The CCPA will, therefore, be expanded and redefined as part of the
California Privacy Rights Act in order to protect California citizens' rights.
It will not only improve safety measures but also tighten the California
Consumer Privacy Act.
Although the objectives and purview of the two laws are
comparable, the California Privacy Rights Act was designed to improve the
California Consumer Privacy Act's lax and ill-defined consumer protection
requirements, lax enforcement, and patchy monitoring. Customers have more
options to opt out, and enterprises must handle data privacy intentionally.
The California Consumer Privacy Act, therefore, builds upon the rights granted
under the CCPA to increase the scope of privacy rights. CPRA restricts how
corporations can collect, use, store, and disseminate personal data while also
granting California residents and customers particular rights. Presently, the
CPRA is widely recognised as the most comprehensive rule of its sort in the
nation, and in some ways, it resembles the revolutionary General Data Protection
Regulation (GDPR), 2018.
Overview of the CPRA
California voters overwhelmingly adopted the California Privacy Rights Act of
2020 (CPRA), also known as Proposition 24, when it was placed on the general
election ballot on November 3, 2020. The California Consumer Privacy Act (CCPA)
of 2018, which laid the groundwork for consumer privacy rules, is built upon
this proposition, which broadens the state of California's consumer privacy
The California Privacy Rights Act establishes a thorough data
protection framework that is comparable to data protection regulations in many
other regions of the globe, such as the General Data Protection Regulation of
the European Union, marking a significant divergence from past U.S. legislation
pertaining to HR individuals' data.
The majority of employers conducting business in California will be subject to
much stricter privacy and information security requirements under the California
Privacy Rights Act, 2020. The private data of California residents who are
employees, independent contractors, business people, job applicants, and board
members, as well as the dependents of employees who receive benefits from their
employer, will be subject to this novel, coherent, and comprehensive legal
By enshrining more provisions in California state law, the
proposition expands consumers' rights to limit the use of "sensitive personal
information," which includes precise geolocation, ethnicity, race, religion,
private conversations, genetic data, sexual orientation, and medical details, as
well as to avoid businesses from disclosing their personal information to third
parties and to rectify inaccurate personal information.
The Act establishes the California Privacy Protection Agency as a special agency
charged with carrying out and enforcing state privacy laws, looking into
infractions, and punishing offenders. The Act also eliminates the predetermined
window of time during which businesses can correct violations without incurring
penalties; forbids companies from keeping personal data on customers for longer
than is necessary; increases threefold the maximum fines for breaches involving
kids below the age of 16 (up to $7,500), and allows for civil penalties for the
theft of account login information.
On January 1, 2023, a considerable expansion of employers' data responsibilities
took effect, necessitating significant modifications to the current private data
handling policies, processes, and practices of the HR individuals. Till the
compliance date, a large majority of covered firms required a good deal of this
time to deal with the CPRA's expanded obligations.
The CPRA also stipulates a
12-month lookback timeframe for HR personnel who want to use their new rights to
inquire about how the business manages their personal information. In order to
be able to react to employees' demands for CPRA rights, companies must start
preparing their human resources data as of January 1, 2022. It is also provided
that the legislature would be unable to repeal the legislation, and any changes
they do make must be congruous with and promote the motives and objectives of
Subjects of the CPRA
No matter where they are based, any company that conducts business in California
and gathers customers' personal information is subject to the California Privacy
Rights Act. These companies must fulfil either of the following two conditions
for the CPRA to be applicable to them, as laid down under Section 1798.140(d)(1)
of the Act:
- Exceeded the gross revenue of $25 million in the preceding calendar year as of January 1 of the present calendar year, or
- Obtains 50% or more of its yearly revenue from the sale or sharing of consumer data; or
- Purchases, sells, or shares the personal information of 0.1 million or more consumers or households annually.
If any of the aforementioned criteria is satisfied, then the company is considered to be a "business" under the California Privacy Rights Act.
Objectives of the CPRAThe purpose of the Act is to provide Californians with the right to:
- Know who is gathering their personal information as well as that of their children, how it is being used, and to whom it is accessible.
- Have their privacy interests protected, even if they are workers, business persons, or independent contractors.
- Limit the usage of their sensitive personal information and exercise control over how it is used.
- Have access to and control over their personal data, including the ability to move, update, and delete it.
- Utilizing readily available self-serve methods, people can exercise their privacy rights.
- Exercising their right to privacy without suffering consequences.
- Profit from the usage of your personal data by corporations.
- Hold companies responsible if they don't adopt appropriate information security measures.
Written By: Tejaswini Kaushal,
a student at Dr. Ram Manohar Lohiya National Law University, Lucknow.>