Confidently erase data in active environments and from used IT assets.
Boost services throughout the device lifecycle—from first sale to end-of-life.
Expedite processes, recover more marketable product, and increase services.
Home » Resources » What You Need to Know as the California Privacy Rights Act (CPRA) Takes Effect in January 2023
California continues to move ahead on the data privacy frontier. With new requirements just around the corner, we look at the potential impact of the new California Privacy Rights Act (CPRA)—and how those requirements will fit with existing laws.
George Janssen heads up the Blancco Technology Group legal department, a position he’s held since 2018. In this role, George is responsible for the day-to-day legal operations of the Blancco group worldwide, including data privacy and compliance. With significant legal experience in international organizations focused on technology and software, George specializes in data privacy and data governance, data classification, intellectual property management and technology partnership.
CPRA enforcement officially starts on January 1, 2023, and will expand the state’s consumer privacy laws. It builds on the current California Consumer Privacy Act (CCPA), enacted in 2020 to establish the first foundation for consumer privacy regulations in California.
With the two laws instituted within a short time—and with similar sounding acronyms—it is essential to understand how these statutes differ and relate to each other.
The CCPA has been the first comprehensive privacy law passed by a state legislature in the United States and is quickly becoming one of the leading data privacy laws in the country. It empowers California consumers to see the information a company has saved on them and a complete list of all third parties who can access that data. CCPA also allows data breach victims to sue companies that have compromised their personal information.
The CCPA also includes the right to know what personal information is being processed by a company, the right to delete personal information, and the right to opt out of the sale of such information.
The CPRA amends and further builds on the CCPA, adding privacy protections for California consumers that we explain in more detail below. It will replace certain aspects of the CCPA and creates additional obligations to companies operating in California that fall under its scope. Any aspects of the CCPA that the CPRA does not address will remain unchanged.
Also, while CPRA officially takes effect at the beginning of 2023, it will retroactively apply to any personal information collected during the 2022 calendar year.
These laws apply to any for-profit entity doing business in California that collects, shares, or sells California consumers’ personal data. Affected companies must have an annual gross revenue of more than $25 million, collect the personal information of at least 50,000 consumers, or derive at least half of their annual revenue from selling consumer personal information.
The CPRA will increase this threshold. Any organization that processes the personal information of more than 100,000 or more consumers in California will fall under the scope of the new law.
Let’s look at the practical concerns businesses will face:
The emergence of the CPRA creates additional requirements for companies to manage personal data. These laws affect not only California-based companies, but any vendor that sells in the States.
Note: On October 28 and 29, 2022, the California Privacy Protection Agency (CPPA) conducted a meeting to review and propose certain amendments to the California Privacy Rights Act draft bill. The proposed changes contain several changes to the initial CPRA draft. The consultations rounds are still ongoing at the time of writing this article. The CPPA Board also authorized agency staff to take all the steps necessary to prepare and give notice on such modifications to proposed regulatory amendments before submitting final regulations to the office of Administrative Law by year end.
Blancco’s data erasure solutions provide simple, straightforward methods for meeting new data destruction requirements.Experience our solutions in your environment to see how.