Enforcement of California’s New Data Privacy Rules Delayed
By Valerie Nussenblatt
The California courts have extended the effective date of the regulations introduced under the California Privacy Rights Act (“CPRA”) from July 1, 2023 to March 29, 2024. This new deadline gives businesses extra time to comply with the state's new privacy rules.
New privacy rules
Passed in November 2020, the CPRA is a ballot initiative that amends and extends the California Consumer Privacy Act of 2018 (“CCPA”) and includes additional privacy protections for consumers.
In addition to the right to opt out of the sale of personal information that was introduced by the CCPA, the CPRA introduced two new consumer rights: (1) the right to opt out of the “sharing” of their personal information, and (2) the right to limit the use of their sensitive personal information (including precise geolocation and other identity data). The update that added the sharing of data particularly targets cross-context behavioral advertising, where personal data is given to third parties to track and advertise. Under the new rules, sharing data is considered “selling” data, and companies are subject to data transaction rules that require disclosure to consumers that a company is sharing consumers’ data with third parties.
In addition to updating privacy policies, businesses should have an efficient and functioning system for receiving and processing opt-out requests. As with the existing right to opt out of the sale of personal information under the CCPA, businesses must present consumers with a simple way to submit these requests, which must be processed within 15 business days.
Who do these new rules apply to?
The law applies to any business with sufficient connection to California. It applies to companies that do business in the State of California, collect consumers’ personal information and that satisfy at least one of the following:
(1) the company buys, receives, sells or shares the personal information of 100,000 or more consumers or households in a year,
(2) the company derives more than half of its annual revenue from selling or sharing consumers’ personal information, or
(3) the company has at least $25 million in gross annual revenue in the preceding calendar year.
Personal information reflecting business-to-business transactions is covered by the new rules. Personal information of employees or business contacts that a business collects to provide or receive a product or service to and from another business is now covered under the CPRA.
In the context of private fund managers, California privacy rules will reach prospective institutional investors, not only individual investors, if the investors have California employees or agents from whom the private fund manager collects personal information. A private fund manager who has the personal phone number of a California representative of a prospective pension plan investor would be in scope of the law.
The CPRA also extended the application of California data privacy law to human resource data for California employers. Nearly all businesses with employees who are California residents are required to have a comprehensive data privacy compliance program that includes a notice at collection, an online privacy policy for employees and procedures so that employees may exercise their new data rights.
For more information, contact Valerie Nussenblatt, grIP Director at Valerie@gripventure.com