Just like I did for GDPR and CCPA, here is a cheat sheet for CPRA.
| Category | Topic | CPRA Provision | |
| 1 | Scope | Effective Date | January 1, 2023 with the following caveats: (1) the right of access shall only apply to personal information collected by a business on or after January 1, 2022 (2) extends the CCPA’s exemption re: the collection of personal data of a job application and/or employee and/or contractor by a business from an expiration date of January 1, 2021 to January 1, 2023 (3) the CPRA’s changes to the funding dynamics of the Consumer Privacy Fund, the regulation process, and the creation and funding of the California Privacy Protection agency all become operative on the effective date of the CPRA (i.e. 5 days after voting results are certified) |
| 2 | Scope | Who is Regulated? | A for-profit “Business” that “collects consumers’ personal information” and has the following thresholds: (1) gross revenue greater than $25 million in the preceding calendar year OR (2) buys/sells/shares personal information on over 100,000 consumers or households; OR (3) derives 50% or more of its revenue from selling or sharing consumer personal information. Also covers (a) any entity that controls or is controlled by a business and “shares common branding” with the business and “with whom the business shares consumers’ personal information”; (b) “a joint venture or partnership composed of businesses In which each business has at least a 40 percent interest”; and (c) any entity that does business in California and voluntarily certifies to the California Privacy Protection Agency that it is in compliance with the CRPA. [§ 1798.140(d)] |
| 3 | Scope | Who is Protected? | A “Consumer” that is a natural person who is California resident. [§ 1798.140(i)] Resident defined per Cal. Rev. Code § 17014 as (1) Every individual who is in this state for other than a temporary or transitory purpose. (2) Every individual domiciled in this state who is outside the state for a temporary or transitory purpose. |
| 4 | Scope | Do Children Get Special Protection? | Yes, “a business shall not sell or share the personal information” of children aged from 13-16 unless the child directly “opts-in” to the sale. For children under 13, a business requires parental consent to the sale or sharing of their child’s personal data. [§ 1798.120(c)-(d)] Furthermore, for children under 16 who did not give consent, businesses must “wait for at least 12 months before requesting the consumer’s consent again” or “until the consumer attains 16 years of age.” [§ 1798.135(a)] In addition, the Privacy Protection Agency can level administrative enforcement fines of $7500 per violation of the law in cases where the “business, service provider, contractor or other person has actual knowledge that the consumer is under 16 years of age.” [§ 1798.155(a)] Note that the provisions of the CPRA relating to children under 16 years of age shall only apply to the extent not in conflict with Children’s Online Privacy Protection Act (COPPA). [Sec. 30 Savings Clause] |
| 5 | Scope | Covers Employees? | No, not until January 1, 2023. Specifically, “the title shall not apply to … personal information that is collected by a business about a natural person in the course of the natural person acting as … an employee.” Nor shall the consumer rights (right of access, deletion, etc.) “apply to personal information reflecting a written or verbal communication or a transaction between the business” and the employee. Also applies to job applicants and contractors. [§§ 1798.145(m) – (n)] |
| 6 | Scope | What Information is Protected? | “Personal information” (PI) means “information that identifies, relates to, describes, is reasonably capable of being associated with …”a particular consumer or household. It then lists specific examples such as: (1) Identifiers such as a real name, alias, postal address, unique personal identifier (which can include a device), IP address, email address, account name, social security number, driver’s license number, and passport number; (2) Commercial information, including records of personal property, products or services purchased, or other purchasing or consuming histories or tendencies; (3) Biometrics; (4) Internet or other network activity information (e.g. browsing history); (5) Geolocation data; (6) Audio, electronic, visual, thermal, olfactory, or similar information; (7) Professional or employment-related information; (8) Education information as defined in FERPA; (9) Inferences drawn from any of the information above; and (10) Sensitive personal information (definition below) It does not include publicly available information, data that is lawfully obtained and truthful and a matter of public concern, and data that is “lawfully made available to the public by the consumer or from widely distributed media.” Does not apply to information that is deidentified. Nor does it apply to data already covered by federal privacy laws such as HIPAA, GLBA, FCRA and GLBA. [§§ 1798.140(v) and 1798.145(c)-(f)] |
| 7 | Scope | Additional Restrictions on Sensitive Data? | Yes. “Sensitive Personal Information” (SPI) includes a consumer’s: (1) social security, driver’s license, state ID card, or passport number; (2) account log-in (including access code and password), financial account, debit card, or credit card number (3) precise geolocation; (4) racial or ethnic origin, religious or philosophical beliefs, or union membership — ala the GDPR; (5) mail, email and text messages, unless the business is the intended recipient of the communication; (6) genetic and biometric data; (7) personal information collected and analyzed concerning a consumer’s health; (8) personal information collected and analyzed concerning a consumer’s sex life or sexual orientation. [§ 1798.140(ae)] Businesses must inform consumers that they are collecting SPI, the purposes for collection, and whether SPI will be sold and shared as well as the length of time this data will be stored. Businesses cannot collect additional SPI for additional purposes that are incompatible with the disclosed purpose, and cannot store SPI beyond the expressed length of time. [§ 1798.100(a)] A consumer shall have the right at any time to limit the use of their SPI. [§ 1798.121(a)] A business must also either put on its homepage a clear link titled “Limit the Use of My SPI” or support an opt-out signal. As SPI is personal information, a consumer can also request that the business does not sell or share SPI, [§ 1798.135 (a)] as well respect the consumer’s rights re: personal information (right to access, delete, rectify, etc.). |
| 8 | Scope | Exemptions? | There are several exemptions for both businesses and types of personal data collected. For businesses: (1) Businesses that are non-profits and/or small businesses under $25m and/or don’t collect the requisite amount of personal data (per “Who is Regulated?” above) [§ 1798.140(d)] (2) Businesses should not be restricted in order to comply with civil, criminal or regulatory inquiry and/or a subpoena/summons by a government authority [§ 1798.145(a)] For types of personal data: (1) Usage of personal data in emergency situations [§ 1798.145(a)] (2) Personal data subject to sector-specific federal and/or state privacy laws such as GLBA, HIPAA, California’s Confidential Medical Information (CMI) Act [§§ 1798.145(c)-(f)] (3) Personal data involving ownership of motor vehicles (e.g. such as information collected for recalls) [§ 1798.145(g)] (4) Personal data involving job applicants, employees, contractors and owner/directors of businesses til January 1, 2021 [§ 1798.145(m)] (5) Personal data that is deidentified or aggregate data [§ 1798.145(a)] (6) Personal data collected as part of a clinical trial [§ 1798.145(c)] (7) Personal data collected outside of California involving non-California residents [§ 1798.145(a)] (8) Personal data involving grades, educational scores and educational test results [§ 1798.145(q)] (9) Personal data such as a photograph in a yearbook if consent given [§ 1798.145(r)] |
| 9 | Scope | Lawful Bases to Process Personal Data? | No. The US Constitution’s 1st Amendment in general lets a business collect data that it wants to (see Sorrell v. IMS Health Inc.). But the CRPA requires that a business disclose what categories and the purpose for which they are collecting personal information (see Right to be Informed below), so as long as the consumer is informed and they don’t opt out (or opt-in in the case of minors), the business can collect. CRPA also requires businesses to retain personal information for no longer than necessary. But note that Section 5(a) of the FTC Act provides that “unfair or deceptive acts or practices in or affecting commerce . . . are . . . declared unlawful.” 15 U.S.C. Sec. 45(a)(1). |
| 10 | Scope | Law is Protected from Watering Down? | Yes. The CPRA may be amended after its approval by the voters by a statute that is passed by a vote of a majority of the members of each house of the Legislature and signed by the Governor, provided that such amendments are “consistent with and further the purpose and intent” of the CPRA. |
| 11 | Individual Rights | Right to be Informed (aka Right to Know or Right to be Notified) | A business that “controls the collection” of PI and/or SPI shall, “at or before the point of collection,” inform the consumer the categories and purposes of PI and/or SPI “that are collected or used and whether such information is sold or shared.” PI and/or SPI shall not be collected for additional purposes that incompatible with the disclosed purpose for which that information is collected. The business needs to also inform of the length of time of the collection of that information. [§ 1798.100(a)] Furthermore, businesses must also inform consumers what rights the consumer has vis a vis the personal data, e.g. consumers need to be told they also have the right to request deletion of their personal data. [§ 1798.105(b)] Besides having the right to know what personal information is sold and shared, consumers have the right to know to whom. [§ 1798.115(b)] |
| 12 | Individual Rights | Right to Access | “A consumer shall have the right to request that a business that collects a consumer’s personal information disclose to that consumer the categories” and “specific pieces of personal information the business it has collected.” [§ 1798.110(a)] This includes any third-parties the business has shared the personal data with. And that the business shall provide that information once they verified the consumer request. Furthermore, a business shall “disclose and deliver the required information to a consumer free of charge to the consumer” within a 45 day period of receiving a verifiable consumer request. The disclosure “shall cover the 12-month period preceding the business’s receipt of the verifiable consumer request,” and any right beyond the 12-month period “shall only apply to personal information collected on or after January 1, 2022.” [§ 1798.130(a)] A business “shall not be required to provide personal information to a consumer more than twice in a 12-month period.” [§ 1798.130(b)] |
| 13 | Individual Rights | Right to Correct (aka Right to Rectification) | “A consumer shall have the right to request a business that maintains inaccurate personal information about the consumer correct such inaccurate personal information.” [§ 1798.106(a)] |
| 14 | Individual Rights | Right to Delete (aka Right to Erasure or Right to be Forgotten) | “A consumer shall have the right to request that a business delete any personal information about the consumer which the business has collected from the consumer.” [§ 1798.105(a)] The business must also notify any service providers or contractors, as well as to “notify all third parties to whom the business has sold or shared that information,” to also delete the consumer’s personal information from their records. A service provider or contractor is not required to fulfill a deletion requested submitted directly by the consumer. [§ 1798.105(c)] There are 8 exceptions in [§ 1798.105(d)] including performing the contractual obligations that exist between business and consumer, help insure security and integrity, debugging, the exercise of free speech, and engage in research that conforms to applicable ethics and privacy laws. |
| 15 | Individual Rights | Right to Restrict Processing | N/A, with exception of the right to opt-out of the selling and sharing of personal information and also the limiting use of sensitive personal information (see below). |
| 16 | Individual Rights | Right to Data Portability | As part of a consumer’s Right to Access, a business shall “provide the specific pieces of personal information obtained from the consumer in a format that is easily understandable to the average consumer, and to the extent technically feasible, in a structured, commonly used, machine-readable format, which also may be transmitted to another entity at the consumer’s request without hindrance.” [§ 1798.130 (a)] |
| 17 | Individual Rights | Right to Object to Processing | N/A, with exception of the right to opt-out of the selling and sharing of personal information and also the limiting use of sensitive personal information (see below). |
| 18 | Individual Rights | Right to “Opt Out” of Sale and Sharing of Personal Information (aka Right to Say No) | “A consumer shall have the right, at any time, to direct a business that sells or shares personal information about the consumer to third parties not to sell or share the consumer’s personal information. This right may be referred to as the right to opt-out of sale or sharing.” [§ 1798.120(a)] |
| 19 | Individual Rights | Right to Limit Use of Sensitive Personal Information (including Precise Geolocation) | “A consumer shall have the right, at any time, to direct a business that collects sensitive personal information about the consumer to limit its use of the consumer’s sensitive personal information to that use which is necessary to perform the services or provide the goods reasonably expected by an average consumer who requests such goods or services.” [§ 1798.121 (a)] Recall that sensitive personal information includes precise geolocation. |
| 20 | Individual Rights | Right to Reject Automated Decision Making and Profiling | The CPRA leaves the possibility of this right being issued as a regulation by the Privacy Protection Agency. [§ 1798.185 (a)] |
| 21 | Individual Rights | Right of No Retaliation (aka Right to not be Discriminated Against) | The CPRA states that if a consumer requests access or any of their individual rights, they can’t be discriminated against. Examples include (and directly quoted from [§ 1798.125(a)]): (1) Denying goods or services to the consumer. (2) Charging different prices or rates for goods or services, including through the use of discounts or other benefits or imposing penalties. (3) Providing a different level or quality of goods or services to the consumer. (4) Suggesting that the consumer will receive a different price or rate for goods or services or a different level or quality of goods or services. The CPRA specifically states that this right “does not prohibit a business from offering loyalty, rewards, premium features, discounts, or club card programs.” |
| 22 | Obligations | Privacy Policy Disclosure | A business that “controls the collection” of PI and/or SPI shall, “at or before the point of collection,” inform the consumer the categories and purposes of PI and/or SPI “that are collected or used and whether such information is sold or shared.” PI and/or SPI shall not be collected for additional purposes that incompatible with the disclosed purpose for which that information is collected. The business needs to also inform of the length of time of the collection of that information. [§ 1798.100(a)] Furthermore, businesses must also inform consumers what rights the consumer has vis a vis the personal data, e.g. consumers need to be told they also have the right to request deletion of their personal data. [§ 1798.105(b)] Businesses must also tell consumer not only what personal information is sold and shared, but they must disclose to consumers to whom. [§ 1798.115(b)] |
| 23 | Obligations | Data Protection by Design and Default | A business shall not collect additional categories of PI and/or SPI that are “incompatible with the disclosed purpose for which the personal information was collected, without providing the consumer with notice.” [§ 1798.100(a)] Clearly a business must design their systems and apps to identify not only what data is personal but what is sensitive information. A business shall not collect this data “for longer than is reasonably necessary for that disclosed purpose” (i.e. principle of storage limitation). Furthermore, the “business’s collection … of a consumer’s personal information shall be reasonably necessary and proportionate to achieve the purposes for which the personal information was collected or processed” (i.e. data or purpose minimization, aka principle of proportionality). [§ 1798.100(c)] Finally, a business must also “implement reasonable … procedures and practices appropriate to the nature of the personal information to protect.” [§ 1798.100(e)] |
| 24 | Obligations | Written Contracts with Processors / Service Providers / Contractors / Third Parties | “A business that collects a consumer’s personal information and that sells that personal information to, or shares it with, a third party or that discloses it to a service provider or contractor for a business purpose shall enter into an agreement with such third party, service provider, or contractor.” The contract must include that the PI used, sold or shared is only for a limited and specified purpose and those entities must also comply with the CPRA’s obligations re: the protection of PI and the rights of consumers over their PI. [§ 1798.100(d)] The definition of contractor and service provider does specify that a business can enforce via contract the ability for the business to monitor “compliance with the contract through measures including, but not limited to, ongoing manual reviews and automated scans, and regular assessments, audits, or other technical and operational testing at least once every twelve (12) months.” [§ 1798.140(ag)] Furthermore, both service providers and contractors must assist businesses in complying with the CCPA, e.g. verified consumer deletion requests [§ 1798.105(c)]. But “a service provider or contractor shall not be required to comply with a deletion request submitted by the consumer directly to the service provider or contractor.” A contractor or service provider that engages another entity to assist in the processing of a business’s personal information must “notify the business of such engagement.” [§ 1798.140(ag)] |
| 25 | Obligations | Maintain Records of Processing Activities | The Privacy Protection Agency will create regulations “specifying record keeping requirements for businesses to ensure compliance with this title.” [§ 1798.199.40] It is implied that records need to be maintained re: what personal information is shared or sold with which third parties. Also, a “business may maintain a confidential record of deletion requests.” [§ 1798.105(c)] Furthermore, a business should document their security procedures and practices to show compliance of implementing reasonable security procedures. [§ 1798.150(a)] |
| 26 | Obligations | Respond to Rights Requests | A business must respond to a “verifiable consumer request.” [§ 1798.140(ak)] Furthermore, a business must “disclose and deliver the required information to a consumer free of charge within 45 days” and can extend the 45 days once. [§ 1798.130(a)] This information must be provided “free of charge to the consumer” but “shall not be required to provide personal information to a consumer more than twice in a 12-month period.” [§ 1798.130(a)] Businesses must also respond to other rights requests (e.g. deletions, do not sell, etc.) with no limitations. [§ 1798.105(c), 1798.120(d)] |
| 27 | Obligations | New Homepage Links Required (e.g. do not sell/share personal information, limit use of sensitive personal information) | A business must “provide a clear and conspicuous link on the business’s Internet homepage, titled “Do Not Sell or Share My Personal Information,” as well as a link titled “Limit the Use of My Sensitive Personal Information” to Internet Web page(s) that enable a consumer, or a person authorized by the consumer, to opt-out of the sale and sharing of the consumer’s personal information and/or limiting the use of their SPI. A business shall not require a consumer to create an account in order to direct the business not to sell the consumer’s personal information.” [§ 1798.135(a)] A business may support on their web page and mobile application an “opt-out preference signal” that automatically indicates the consumer’s intent to opt-out and/or limit usage. The technical specifications of this “opt-out signal preference” will be defined via regulations created by the Privacy Protection Agency. [§ 1798.135(b)] |
| 28 | Obligations | Implement Appropriate Security Measures | “A business that collects a consumer’s personal information shall implement reasonable security procedures and practices appropriate to the nature of the personal information to protect the personal information from unauthorized or illegal access, destruction, use, modification, or disclosure.” [§ 1798.100(e)] In addition, the Privacy Protection Agency will issue regulations “requiring businesses whose processing of consumers’ personal information presents significant risk to consumers’ privacy or security, to: … perform a cybersecurity audit on an annual basis, including defining the scope of the audit and establishing a process to ensure that audits are thorough and independent.” [§ 1798.185(a)] Furthermore, existing California law states that “a business that owns, licenses, or maintains personal information about a California resident shall implement and maintain reasonable security procedures and practices appropriate to the nature of the information, to protect the personal information from unauthorized access, destruction, use, modification, or disclosure.” [§ 1798.81.5] |
| 29 | Obligations | Security Breach Notification | N/A, but California has an existing (and separate) data breach notification law § 1798.82. |
| 30 | Obligations | Data Protection Impact Analysis | The Privacy Protection Agency will issue regulations “requiring businesses whose processing of consumers’ personal information presents significant risk to consumers’ privacy or security, to: (A) perform a cybersecurity audit on an annual basis, including defining the scope of the audit and establishing a process to ensure that audits are thorough and independent” … and (B) “submit to the California Privacy Protection Agency on a regular basis a risk assessment with respect to their processing of personal Information.” [§ 1798.185(a)] |
| 31 | Obligations | Data Protection Officers | N/A |
| 32 | Obligations | Adhere to the Rules of Cross-Border Data Transfers | N/A |
| 33 | Enforcement | Dedicated Supervisory Authority | The CPRA establishes Privacy Protection Agency (PPA), whose primary mission is to “protect the fundamental privacy rights of natural persons with respect to the use of their personal information” [§ 1798.199.40] and is vested with full administrative power, authority and jurisdiction to implement and enforce the California Consumer Privacy Act. [§ 1798.199.10] The PPA has a 5 member board who appoints an executive director. [§ 1798.199.30] The PPA enforces the CPRA through administrative actions, and is also tasked to “promote public awareness and understanding of the risks, rules, responsibilities, safeguards, and rights in relation to the collection, use, sale and disclosure of personal information.” [§ 1798.199.40]. The PPA is funded through the Consumer Privacy Fund, with annual budget of $10 million from the State’s General Fund. [§ 1798.199.195] The regulations associated with the CPRA will be adopted by the California Attorney General with “broad public participation” [§ 1798.185] but once the PPA is operational will assume ownership of the regulation process [§ 1798.199.40] |
| 34 | Enforcement | Penalties (Civil Fines) | “Upon the sworn complaint of any person or on its own initiative,” the PPA “may investigate possible violations of this title relating to any business, service provider, contractor, or person.” [§ 1798.199.45] Violators of the CPRA will be given 30 day notice by the PPA [§ 1798.199.50], and when the PPA “determines there is probable cause for believing this title has been violated, it shall hold a hearing to determine if a violation has or violations have occurred.” If the PPA determines a violation has occurred, it can issue a cease and desist order, as well order an entity to “pay an administrative fine of up to two thousand five hundred dollars ($2,500) for each violation, or up to seven thousand five hundred dollars ($7,500) for each intentional violation and each violation involving the personal information of minor consumers to the Consumer Privacy Fund within the General Fund of the state.” [§ 1798.199.55] The PPA “may subpoena witnesses, compel their attendance and testimony, administer oaths and affirmations, take evidence and require by subpoena the production of any books, papers, records or other items material to the performance” of the PPA’s duties. [§ 1798.199.65] |
| 35 | Enforcement | Penalties (Private Rights of Action) | The CPRA enables a consumer’s private right of action if their “nonencrypted and nonredacted personal information” or “whose email address in combination with a password or security question and answer that would permit access to the account” was “subject to an unauthorized access and exfiltration, theft, or disclosure as a result of the business’s violation of the duty to implement and maintain reasonable security procedures and practices.” Damages may be “not less than $100 and not greater than $750 per consumer per incident or actual damages, whichever is greater.” [§ 1798.150(a)] There is not another right of action beyond a breach occurring (e.g. no private right of action if a business is not deleting their information upon request). Furthermore, the definition of “personal information” is from a narrower definition of personal information found in [§ 1798.81.5]. Note that “actions pursuant to this section may be brought by a consumer if, prior to initiating any action against a business for statutory damages on an individual or class-wide basis, a consumer provides a business 30 days’ written notice identifying the specific provisions of this title the consumer alleges have been or are being violated” but the “implementation and maintenance of reasonable security procedures and practices pursuant to Section 1798.81.5 following a breach does not constitute a cure with respect to that breach.” [§ 1798.150(b)] |
Tom Kemp's Blog 
[…] Having provided comparisons of the scope, individual rights, business obligations and enforcement provisions of the GDPR, CCPA and CPRA, and having provided nitty-gritty detailed GDPR vs. CCPA, GDPR vs. CPRA and CCPA vs. CPRA comparisons, let’s put a fork in this. So, here is my final posting on this topic — an executive summary of the three privacy laws. If you want more context behind a given cell, then check out the cheat sheets for GDPR, CCPA and CPRA. […]
LikeLike
[…] threshold has been met in the random sampling process of the 930,000 ballot signatures for the California Privacy Rights Act (“CPRA”) and the CPRA will in fact be on the ballot in California in November as a […]
LikeLike
[…] — which is one of the many significant ways that privacy rights are greatly enhanced by the California Privacy Rights Act of 2020 (CPRA). As you may recall the CPRA is on the ballot in California as Proposition 24 and is […]
LikeLike
[…] the first published article that argued in opposition to California Proposition 24. Prop 24 is the California Privacy Rights Act of 2020 (CPRA) that is on the ballot this November. CPRA represents the “Version 2.0” of current […]
LikeLike
[…] Voter Information Guide for the November 3, 2020, General Election in California. Prop 24 is the California Privacy Rights Act of 2020 (CPRA) which represents “Version 2.0” of current California privacy law that is known as […]
LikeLike
[…] this blog post I am going to discuss how passage of the California Privacy Rights Act of 2020 (CPRA) — on the ballot as Proposition 24 — is a critical lynch pin to finally getting a […]
LikeLike
[…] Information Guide for the November 3, 2020, General Election in California. Prop 24 is the California Privacy Rights Act of 2020 (CPRA) which represents “Version 2.0” of current California privacy law that is known as […]
LikeLike
[…] a serious problem with the misuse of geolocation in apps. A few months back when I was reviewing the California Privacy Rights Act (CPRA) — now on the ballot in California as Proposition 24 — I saw that the CPRA included geolocation […]
LikeLike
[…] Proposition 24 (aka the California Privacy Rights Act of 2020 or CPRA) resoundingly passed this past November with over 9.3 million votes — the 7th […]
LikeLike
[…] Proposition 24 (aka the California Privacy Rights Act of 2020 or CPRA) provides additional rights to consumers (e.g. right to correct personal data, […]
LikeLike
[…] the last few weeks, I have been working with Alastair Mactaggart on a “Resource Center” for the California Privacy Rights Act (aka the “CPRA” which was enacted into law with the passage of Proposition 24). Alastair […]
LikeLike
[…] the full text of the CPRA with over 175 annotations as well as a comparison of the text of the CPRA compared to the […]
LikeLike
[…] with the California Consumer Privacy Act (CCPA) and in 2020 through passage of Prop 24 with the California Privacy Rights Act (CPRA) — let’s take a look if the CCPA and CPRA make a major dent in Surveillance […]
LikeLike
[…] bill also represents the first major legislative enhancement to the recently passed California Privacy Right Act (CPRA), so I thought this would be a good topic to drill down in a blog post. I also had a small […]
LikeLike
[…] the passage of Proposition 24 (aka the California Privacy Rights Act aka the CPRA aka “V2” of the California Consumer Privacy Act), the California Privacy […]
LikeLike
[…] enhance, and align the California Data Broker Register with the California Privacy Rights Act (CPRA aka Prop 24) has been adopted by State Senator Josh Becker and introduced as California Senate Bill […]
LikeLike
[…] I will highlight two areas of improvements that I think will better harmonize this bill with the California Privacy Rights Act (CPRA) and make it even stronger. The good news is that 5Rights is very receptive to my […]
LikeLike
[…] and leading the campaign marketing efforts in 2020 to pass California Proposition 24 — the California Privacy Rights Act (CPRA). I have also proposed SB 1059, a bill to enhance the California Data Broker registry […]
LikeLike
[…] but will (a) give an overview of the proposed bill and (b) discuss AB 1651 in the context of the California Privacy Rights Act (CPRA) vis a vis the employee-employer exemption. I will leverage some of the text of this […]
LikeLike