Who do you think the most powerful person in California is?

Gavin?

Chamath?

Arnold?!

Since 2018 it’s probably been Alastair Mactaggart.

Mactaggart has been the champion of data privacy regulations in California, which will significantly impact online businesses around the world. In 2018, Mactaggart proposed a ballot initiative aimed at creating an online privacy environment similar to that of the GDPR in the EU. This led to the Consumer Rights to Privacy Act of 2018. Mactaggart calculated that the market capitalization of his opposition was around $6 trillion. Needless to say, he had an uphill battle to enact any real change.

Naturally, tech companies were hostile to any proposed legislation that would reduce the income they were earning from their unregulated collection and sale of user information. Not to mention the threat of regulatory fines and a private right to action for harmed users. Even consumers were concerned that the cost of the services they were receiving would increase.

The temperature changed after the Cambridge Analytica scandal. Suddenly Mactaggart’s ballot initiative was overwhelmingly supported by the public. The dangers of unbridled collection and use of data were put on full display. Of course, the California legislature didn’t want a real estate mogul to draft the privacy laws for the state. So, the legislature came to an agreement with Mactaggart. If they could draft the law in about a week, Mactaggart would remove the ballot initiative. Mactaggart agreed that he would remove his ballot initiative if the legislature’s bill was agreeable, essentially giving him a veto power akin to the governor. The legislature rushed to create AB-375, which was enacted and almost immediately amended by SB-1121 to iron out all the inconsistencies and adopt more comprehensive policies. This has since become known as the CCPA, which became effective as of January 1, 2020.

Unhappy with the legislation and regulation of the CCPA, Mactaggart went back on his promise to the legislature. He formed Californians for Consumer Privacy which brought forth Proposition 24. It received the necessary number of signatures to qualify it for the 2020 ballot. It then passed by a 56% vote of the electorate, creating the California Privacy Rights Act (CPRA).

Now, on January 1, 2023, the CPRA, which effectively amends the CCPA, will become effective and, on that date, become an even stricter version of the strictest privacy law in the United States. Now most companies will need to update their privacy policy and their internal policies regarding how they interact with user data. Why? Because, with more opportunities for fines, and an expanded private right to action, which could include class action lawsuits, real money is on the line.

The CPRA is going to cost some people some money.

The good news is that, anticipating the burden it places on small businesses to comply, the CPRA raises the thresholds to fall under the purview of the law. Now, for a business to be subject to the CPRA, one of the following must apply:

(A) it has annual gross revenues in excess of $25 million in the preceding calendar year,

(B) it buys, sells, or shares the personal information of 100,000 or more consumers or households per year, or

(C) it derives 50% or more of its annual revenues from selling or sharing consumers’ personal information (regardless of total volume).

The CPRA also expands on the rights granted to data subjects in the CCPA by adding new requirements for sensitive personal information, as well as rights to correct, access, and control their data.

The changes that the CPRA makes to our data and privacy laws in the U.S. are too great to cover all of it here. Give us a call to talk through what the CPRA means for your business. Do some research. Make sure you know what applies to you and make sure you’re ready for the changes coming on New Years Day, 2023.