In November 2020, California voters approved the California Privacy Rights Act (CPRA) which strengthened provisions of the existing California Consumer Privacy Act (CCPA) and provided for the creation of a dedicated, well-staffed enforcement agency. The changes, which are effective on January 1, 2023, bring California’s privacy regulations closer to the consumer protections afforded by the European General Data Protection Regulation (GDPR), which has been in force for companies doing business in Europe since 2018.
CPRA also establishes a new consumer data privacy agency, which is poised to be the only privacy-focused regulatory authority in the United States. As part of its ability to collect a part of the fines and settlements it collects from companies that break the law, this agency will be equipped with a large annual budget which will increase commensurate with its level of enforcement. With recent changes to the political landscape in the United States, CPRA may also provide a blueprint for Congress to pass potential forthcoming Federal privacy legislation.