The California Privacy Rights Act (“CPRA”), also known as Proposition 24, became effective on January 1, 2023. Rather than acting as a complete overhaul of the California Consumer Privacy Act (“CCPA”), the CPRA further strengthens and expands upon the data privacy rights of Californian consumers established by the CCPA. The CPRA seeks to give consumers greater control over their personal information, for example, by granting them the ability to limit the use and disclosure of sensitive personal information.
Amendments and Evolution from the CCPA
The CPRA applies to a somewhat narrower set of businesses compared to the CCPA, as the CPRA doubled the CCPA's consumer and household data processing thresholds. It retains the extraterritorial scope, affecting not only businesses within California but also those interacting with Californian residents' data, unless that interaction takes place wholly outside of California. Below are a few other notable differences between the CPRA and the CCPA:
- California Privacy Protection Agency: The CPRA established the California Privacy Protection Agency (“CPPA”), an independent regulatory body responsible for enforcing the CPRA and ensuring compliance.
- Sensitive Personal Information: The CPRA introduces the concept of "Sensitive Personal Information," including data like Social Security numbers, financial account information, precise geolocation, and health-related information. While such data is "personal information" under the CCPA, the CPRA introduces new consumer choice and disclosure requirements for certain uses of Sensitive Personal Information.
- Data Retention Periods: Businesses under the CPRA are obligated to provide consumers with specific retention periods for each category of personal information collected (or at least the criteria used to determine retention), providing transparency about data retention.
B2B and Employee Data; Impact on Investment Advisers, Broker-Dealers and Other Financial Professionals
Previously, the CCPA generally exempted “personal information” (i.e., information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, to a particular person) about a business’s employees or business-to-business contacts, but those exemptions are no longer available. As a result, investment advisers, broker-dealers, fund managers, and other financial institutions subject to the CCPA that have employees in California may be subject to new compliance obligations under the CCPA. Similarly, subject to the exceptions described below, financial businesses that have clients, investors, or prospective clients or investors in California are subject to these same new obligations.
The CCPA still exempts non-public information that is subject to the Gramm-Leach-Bliley Act or California Financial Information Privacy Act, which address privacy concerns for financial institutions. While certain information collected by investment advisers, broker-dealers and fund managers may fall within those exemptions, they should analyze the CCPA's applicability to their operations.
The CPRA became effective on January 1, 2023, and the regulations implemented by the CPPA were set to become enforceable on July 1, 2023. However, on June 30, 2023, a California state court judge issued an injunction delaying enforcement of the regulations until March 29, 2024, one year after the first set of regulations was finalized. While enforcement of the regulations is postponed, the statute itself is still effective and enforceable.
The CPRA signals a shift towards more focused regulations and enforcement of data privacy practices in furtherance of an ongoing commitment to protecting consumers in the digital age. By expanding the scope of the CCPA, introducing new concepts, and establishing the CPPA, the CPRA sets higher standards for data protection and transparency. For financial professionals and businesses, understanding the nuances of the CPRA is vital. Businesses operating in or interacting with Californian data (which is almost any financial professional or business with a practice that touches California in any way) should prioritize compliance efforts to navigate the evolving regulatory landscape.
For information on the CPRA and the operational changes we recommend, please see our prior article on this topic. For information on privacy laws generally (including those in California), please visit our Global Privacy & Cybersecurity Blog.
By the Investment Management and Broker-Dealer Team at Kilpatrick Townsend & Stockton
This content is provided by Kilpatrick Townsend & Stockton LLP for informational purposes only and is not intended to advertise our firm’s services, to solicit clients, or to provide legal advice. Viewers should not rely on the posted materials as advice about specific legal problems. Such advice can be rendered only by competent counsel familiar with the particular facts and circumstances involved. Posting and viewing of the materials on our website or in printed form is not intended to constitute the rendering of legal advice or to create an attorney-client relationship with the viewer. If Kilpatrick Townsend & Stockton LLP does not already represent you, and you send us an e-mail, your e-mail will not create an attorney-client relationship and will not be treated as privileged or confidential.
Attorney Advertising – Kilpatrick Townsend & Stockton LLP, 1100 Peachtree Street NE, Suite 2800, Atlanta, GA 30309 | 404-815-6500.
See Cal. Chamber of Comm. v. Cal. Privacy Protection Agency, 34-2023-80004106-CU-WM-GDS (Cal. Sup. Ct. June 30, 2023).