Those with eagle eyes on data protection laws, both here and in the UK, will have noticed that it was confirmed in February 2024 that the California Privacy Protection Agency does indeed have the authority to enforce the regulations which implement the California Privacy Rights Act (CRPA).  The majority of the CPRA’s provisions have been in force since 1 January 2023 and made changes to the existing California Consumer Privacy Act (CCPA). The CRPA includes additional privacy protections for consumers.   

This is an important announcement as it overturns a decision which was made by a different US court previously, whereby the CPPA was not going to be able to enforce the regulations until March 2024.  

What does this mean for businesses?

What this means in practice is that companies who are “doing business” in California will need to ensure that their privacy practices are regularly reviewed to ensure they are compliant, to avoid the risk of any fines for non-compliance.  

If you are a business which falls under CCPA / CPRA then hopefully you have already considered the impact the scope of this has on your operations and legal agreements, but it certainly does no harm to check this is the case regularly. Importantly, it does also mean that if you are a UK business working with companies who are subject to the CCPA and CRPA you can expect to see compliant terms and conditions.  

What is the California Privacy Rights Act?

It clarifies existing provisions of the CCPA, creates new consumer rights, imposes additional obligations on businesses that collect personal information from Californian consumers, and it created a new enforcement agency called the California Privacy Protection Agency.

Much in the same way the UK GDRP protects personal data, the CCPA does the same and makes sure that companies who are doing business in California and are collecting personal data from Californian consumers comply with certain standards as follows:

• Right to opt out of sharing personal information
• Right to opt out of certain uses and disclosures of “sensitive personal information”
• Right to correct inaccurate personal information
• Right to enhanced transparency about a businesses’ information practices
• Authorises new regulations that will provide new rights with regard to automated decision-making

Overall, it is in place to protect personal data and it is clear that the California Privacy Protection Agency has the power to enforce it.  If you are a UK business which falls within the scope of these US laws, we can help to navigate the legal frameworks in place.