The California Privacy Rights Act of 2020 (CPRA) has introduced a new body of rules to
ensure a higher level of protection of consumers’ personal information. In a notable change,
the CPRA also introduces new privacy rights for employees and extends data privacy
protections to consumer data exchanged in a business-to-business context.
Effective July 1, 2023, businesses that fail to comply with the provisions of the CPRA and
the Regulations adopted by the California Privacy Protection Agency may be subject to an
Agency enforcement action. There is no longer a 30-day right to cure a violation of California’s
privacy law.
Key Takeaways
Scope. Entities that do business in California and (i) as of January 1 of the preceding
calendar year, had annual worldwide gross revenues in excess of $25 million, or (ii) buy, sell or
share the personal information of 100,000 or more California consumers or households or (iii)
derive 50 percent or more of their annual revenues from selling or sharing consumers’ personal
information are subject to the CPRA.
Consumer Rights. Consumers have a right to correct inaccuracies in their personal
information, in addition to their right to know, delete, and obtain a copy of their personal
information, and to opt-out of the sale or sharing of that information. Consumers also have the
right to limit the use and disclosure of certain types of personal information selectively (e.g., they
may choose to specifically exclude disclosure of gender or ethnic origin, etc.).
New Obligations for Businesses. Businesses must limit their collection of personal
information to information that is reasonably necessary and proportionate, and must implement
reasonable security procedures.
Contract Requirements. Contracts between a business and its service providers,
contractors, and third parties must include specific provisions to safeguard consumers’ personal
information.
Privacy Policy. Businesses should assess whether their Privacy Policy and procedures
for California residents satisfy the requirements of the CPRA and the Regulations, including
provisions pertaining to the categories of personal information they collect, a consumer’s right to
act on that information (including sensitive personal information), opt-out rights and required
notices, and whether the Policy meets certain style and accessibility requirements.
We are available to analyze and discuss with you, in collaboration with our counsel in
California, the implementation of appropriate compliance measures to satisfy the requirements of
the CPRA and the Regulations.
Contacting Pavia & Harcourt LLP
Questions regarding matters discussed in this publication may be directed to Giovanni Spinelli at
[email protected] or Joseph Chioffi at [email protected].
About Pavia & Harcourt LLP
Established in 1951, Pavia & Harcourt LLP is a business law firm concentrating in international
commercial and corporate transactions, banking, media and entertainment, real estate, litigation
and arbitration, intellectual property, estate planning and administration, and matrimonial law. We
are based in New York City.
This publication by Pavia & Harcourt LLP is for information purposes only. It does not constitute legal or other professional advice or opinions on specific facts or matters, nor does its distribution establish an attorney-client relationship. This material may constitute Attorney Advertising as defined by the New York Court Rules. As required by New York law, we hereby advise you that prior results do not guarantee a similar outcome.
Return to Top