Published: 8 December 2020

Reading time: About 3 minutes

It’s coming up to one year since the California Consumer Protection Act (CCPA) came into force, giving consumers more control over the personal information that businesses collect about them.  

It was the first law of its kind in the USA and empowerCalifornian residents when it comes to their personal information, much like the GDPR has done for consumer privacy in Europe.  

But things are going to change already. 

The Privacy Rights and Enforcement Act Initiative (CRPAappeared on the ballot for the general election in November 2020. 

The state voted to pass the initiative which builds upon the CCPA – and now results in an even more comprehensive and wide-reaching privacy scheme.  

It’s likely to transform the privacy landscape, not only in California, but across the USA. So, what’s changed?  

Here’s a snapshot of some of the big amendments which will affect organisations in the coming years: 

  • The CPRA has expanded the definition of personal information and now adds ‘Sensitive Personal information. This includes details such as financial information, ethnicity, driver’s license number or passport number (just like the GDPR). Therefore, organisations need to be able to find this information across their entire data estate, including unstructured data 
  • The Data Minimisation requirement means that organisations should not hold a consumer’s personal information or sensitive personal information for longer than is reasonably necessary for that disclosed purpose [for which it was collected].” Organisations will, therefore, have to revisit their data retention policies and must ensure data is not over or under-retained 
  • The Data Security obligation requires that organisations implement reasonable security procedures and practices to protect personal information from unauthorised or illegal access, destruction, use, modification, or disclosure. Businesses will, therefore, have to relook at their data management and understand where exactly information is stored and who has access to it.  
  • The California Privacy Protection Agency will be established to take responsibility for implementation and enforcement  and, crucially, will conduct audits on businessesAs such, it is imperative organisations have instant access to their information to ensure compliance for the purposes of such audits.  
  • Consumer rights expanded, including the new “right to correction” so that consumers can request that inaccurate personal information is amendedConsequently, organisations must be able to retrieve all information held on consumers to fulfil these new obligations.  

The Cure period” has also been removed (so businesses no longer have 30 days to remedy alleged violations)and fines have tripled when it comes to the privacy of children under 16 

The CPRA will come into effect in January 2023 – but organisations now need to look at, and plan for, further enhancements to their data management and compliance. 

Organisations need to truly understand the data they are holding and they need to be able to demonstrate compliance quickly and easily 

The CPRA is going to shake things up- so it’s time for organisations to be ahead of the game.  

For more information on how our Governance, Risk and Compliance platform can give you complete control over your unstructured data, contact us today on