By now, most US-based businesses have at least heard of the California Consumer Privacy Act (“CCPA”), and if you haven’t, you should contact your attorney soon because enforcement begins on July 1, 2020.
But just as enforcement starts to ramp up, Alastair Mactaggart, the man responsible for the CCPA, has successfully lobbied for the addition of the California Privacy Rights Act (“CPRA”), also known as the “CCPA 2.0,” on the November 2020 ballot in California. The CPRA adds more individual rights in California and brings it closer in line with the European Union’s General Data Protection Regulation (“GDPR”).
A critical but often overlooked (in the US) aspect of EU privacy law is the concept of cross-border data transfers. Simply put, personal data cannot be sent from the EU to the US without appropriate safeguards in place. One such safeguard could be a finding that the US provides adequate data privacy protections in general. Unfortunately, because of the US’s sectoral approach to privacy, EU regulators have made no such determination. Thus, the goal of the CPRA is for California to achieve a first-of-its-kind, state-level adequacy decision, which would allow the transfer of such data from the EU to California.
If the CPRA ballot measure passes, which most experts expect, the law would become effective on January 1, 2023 (unless the federal government steps in with similar, preemptive legislation). While 30 months may seem like a long time, businesses governed by the CCPA should consider the ramifications of the CPRA and start weaving in compliance; that is, if you’re working on CCPA compliance already, it’s more efficient to work the CPRA’s requirements into your new privacy program now.
For more information on data privacy matters, please contact a Kerr Russell attorney.
Jeffrey A. May practices in the areas of general business law, intellectual property, and litigation with a focus on the increasingly important area of Cybersecurity and Data Privacy Law. He is credentialed as a Certified Information Privacy Professional/United States (CIPP/US). He has prior experience owning and operating a technology-based business. His experience and education allow him to assist clients with a wide range of business issues and litigation matters. Jeffrey helps clients identify and mitigate risks related to data security incidents and breaches. He also helps with information technology policies and practices, and data sharing arrangements with third parties.