Privacy and data protection law in California, U.S.
This article is about a privacy and data protection law in California. For the other California law also abbreviated CPRA, see California Public Records Act.
The California Privacy Rights Act of 2020 (CPRA), also known as Proposition 24, is a California ballot proposition that was approved by a majority of voters after appearing on the ballot for the general election on November 3, 2020.[1][2][3] This proposition expands California's consumer privacy law and builds upon the California Consumer Privacy Act (CCPA) of 2018, which established a foundation for consumer privacy regulations.[4]
The proposition enshrines more provisions in California state law, allowing consumers to prevent businesses from sharing their personal data, correct inaccurate personal data, and limit businesses' usage of "sensitive personal information", which includes precise geolocation, race, ethnicity, religion, genetic data, private communications, sexual orientation, and specified health information. The Act creates the California Privacy Protection Agency as a dedicated agency to implement and enforce state privacy laws, investigate violations, and assess penalties of violators.[5] The Act also removes the set time period in which businesses can correct violations without penalty, prohibits businesses from holding onto personal data for longer than necessary, triples the maximum fines for violations involving children under the age of 16 (up to $7,500), and authorizes civil penalties for the theft of specified login information.[6][7]
The California Privacy Rights Act took effect on January 1, 2023, applying to personal data collected on or after January 1, 2022.[8] The law cannot be repealed by the state legislature, and any amendments made by the legislature must be “consistent with and further the purpose and intent” of the Act.[9]
