Prop 24: New Privacy Regulations Rock The State of California

A Special Report from Compliance & Privacy Partners

California Privacy Rights Act
The CPRA amends and expands the California Consumer Privacy Act (CCPA)—California’s current privacy law that itself is nearly brand new.

Californians took a step toward more privacy protections when they voted to pass Proposition 24 on November 3. The ballot created what’s known as the California Privacy Rights Act, known as the CPRA, which will expand and amend the previously-existing California Consumer Privacy Act (CCPA). So, what does this mean for Californians and companies that do business in the state? It can be confusing, so let’s take a closer look at some of the law’s major points.

The Background

California has a unique system of ballot propositions. It allows people and groups to go around the state government to get certain initiatives passed into law.

To appear on an official ballot, groups must file a proposal with the attorney general’s office. Then, they must receive a certain number of signatures supporting the measure by a specific date. Once those signatures are confirmed, the proposition can appear on the ballot.

In 2020 alone, there were 12 ballot measures on which Californians could vote. If a ballot measure passes, it becomes law in the state — regardless of how elected officials feel about it.

The group that supported the CPRA, Californians for Consumer Privacy, has also supported other privacy measures in the past. In 2018, they got enough signatures to get the CRPA on the ballot, but they agreed to withdraw that application in exchange for the state legislature passing the CCPA.

In the two years since its passage, the group wasn’t satisfied with how the CCPA turned out. So, it moved forward again with a ballot for the CPRA, which the group saw as a stronger law.

What Does CPRA Do?

This new law is now the baseline for all privacy laws within California. Only a further ballot measure would be able to repeal it. If lawmakers were to pass an amendment to it, the groups that support CPRA could sue to have that blocked.

The only other way that the law could be changed or modified is through a future ballot passage, or if the federal government or court system invalidated it. That could be done only if it were ruled unconstitutional, or if a federal privacy law pre-empted it.

Is CPRA Effective?

There is an adjustment period now that CPRA has passed. Most of the significant provisions won’t take effect for two more years — on January 1 of 2023. This gives businesses that are affected enough time to make necessary changes. The “Right to Know” provision of the law takes effect a year earlier, on the first of 2022.

In the meantime, businesses have to comply with the current CCPA until the CPRA is fully in effect.

What Are the Differences Between CPRA and CCPA?

There are several ways that the new law differs from the original one. It seeks to take consumer privacy one step further in many cases.

There are ten primary areas where the two are different.

1. Business Regulations

A “covered business” is redefined under CPRA. In some instances, the number of businesses covered will decrease from CCPA, while in others, it will increase. That’s because:

  • It will not be applied to as many small and mid-sized businesses as CCPA because the threshold for the number of households/consumers has been increased from 50,000 to 100,000.
  • Businesses that buy, sell, or share personal information are subject to the new CPRA. Companies that get at least half of their yearly revenue in this way are subject to the law.

2. Sensitive Personal Information

The law creates an entirely new dataset known as “sensitive personal information.” It’s now subject to full disclosure and limitation. Consumers also now have the right to limit the use of their personal information by businesses.

CCPA is much broader in how it treats sensitive personal information, but not so for CPRA. There are separate restrictions and requirements on this type of information, including:

  • A requirement to offer an opt-out for both disclosure and use of it
  • A required opt-in consent standard for disclosure and use of it
  • A requirement that limits the purpose of use
  • A requirement on full disclosure

See the differences between various privacy laws below.

3. New and Expanded Rights

CPRA not only modifies some of the privacy rights California consumers have under CCPA; it also creates brand new ones.

Some of the modified rights include:

  • Businesses have to notify third parties that they must delete personal information they buy or receive.
  • Data applicable under “Right to Know” is now expanded beyond just the previous 12 months if collected after January 1 of 2022.
  • Opt-outs must also include the sharing of personal information, not just the sale of it to third parties.
  • Businesses have to abide by the same opt-in selling rights to minors. In other words, they now must wait at least 12 months after a minor has declined to sell/share their personal information.
  • Consumers can request their personal information be transmitted in a specific way — as long as it is commonly used and structured.

Some of the new rights include:

  • Consumers can request corrections if any of their personal information is wrong.
  • Consumers can opt-out of technology that makes decision-making regarding personal information automated. In other words, they can’t be profiled based on a consumer’s health, interests, location, economic situation, etc.
  • Consumers can also request information about any automated decision-making technology.
  • Consumers can limit the use of their sensitive personal information. They can ban businesses from sending it to third parties altogether.
  • Cybersecurity audits and risk assessments are now mandatory for any activity that is labeled high-risk. These audits have to be submitted regularly to the California Privacy Protection Agency.

4. Behavioral Advertising

CPRA seeks to regulate all digital advertising. It will now separate digital advertising into two categories — non-personalized and cross-context behavioral.

Personal information that businesses want to share for cross-context behavior must be subject to the Right to Opt-Out, while the other is not. This first-party advertising, as it’s called, is designated for internal business use.

There were already many businesses who were treating the Right to Opt-Out under CCPA this way. So, they won’t be required to make many changes, if any at all, in this regard.

5. New Authority

CPRA will establish a new agency that will be tasked with enforcing the law. It will be called the California Privacy Protection Agency, or CPPA. The new body will have the power to make rules, enforce rules, and investigate instances of non-compliance.

Also, there will no longer be a 30-day “cure period,” as there is under the current CCPA. This means that once a business is notified of a potential violation by the state attorney general’s office, they must act right away.

This new law will also increase maximum penalties up to $7,500 for any violation that concerns a minor. That’s triple the current maximum under the CCPA.

6. GDPR Alignment

Some of the CPRA is structured after the General Data Protection Regulation (GDPR) law that has been in effect in Europe since 2018. The three main areas that are now codified are:

  • Data: Businesses have to limit the collection, retention, sharing, and use of personal information only to what is considered “reasonably necessary and proportionate” to their purpose. It also can’t be processed for undisclosed and/or incompatible uses.
  • Storage: Businesses always have to tell consumers how long they’re retaining their personal information, and they must do this for every category of personal information. They also can’t hold onto the information for longer than “reasonably necessary” for each purpose they disclose.
  • Purpose: If a business wants to change a purpose for why they collect and/or use personal information, they must issue a new consumer notice.

Businesses that don’t comply are now also subject to enforcement through the newly-created CPPA. A violation of any three of these codes is enough for enforcement, even if no other offense is committed.

7. Service Providers

CPRA creates a new category of businesses called “contractors,” which amends the definition of a “service provider.” Contractors must now not only abide by these regulations, but they must state that they understand them and will abide by them.

They must notify businesses if they work with any sub-contractor sub-service provider, and those parties must abide by the same rules in a similar written contract.

These contractors and service providers must help businesses if a consumer makes a request for privacy. Finally, companies have to hold service providers/contractors accountable (via contract) from combining the personal information they receive with other collected data.

8. Exemptions

The CPRA did grant some leeway to the state Legislature to work on regulations about business-to-business and employee exemptions. They now have until the start of 2023 to do so through a new bill. The Legislature could, of course, try to challenge this aspect of the CPRA, but they’d be in for a fight if they indeed tried to do so.

9. Consent Standard

A consent standard existed under CCPA, but it will now more closely align with the definition laid out under GDPR. This makes it much stricter, although some of this already existed under CCPA.

It includes:

  • Research exemptions
  • Financial incentive programs and an opt-in consent
  • Consent to disclosure and use by a secondary firm after already opting out
  • Minors having the power to opt-in to their personal information being shared or sold
  • Consent required to sell or share personal information following an opt-out

10. Data Breaches

The CCPA already has a private right of action in place for data breaches, and CPRA doesn’t alter that in any way.

What’s Next?

CPRA becomes fully effective on the first day of 2021. Starting around the mid-point of next year, the process of officially making the rules will begin. The Legislature has until July 1 of 2022, to adopt the final regulations under CPRA. One year after that, the CPPA will have full authority to enforce the new law.

CPRA is set to alter and expand California consumers’ privacy rights over the next few years. But there’s still a ways to go before everything is entirely in effect.

Turn Waves Of Regulation Into Oceans Of Opportunity with CAPP.

New regulations governing the use of consumer’s personally identifiable information (PII) needn’t be burdensome.  In fact, they can help protect your organization, reduce operating expenses, and identify opportunities for better governance that ensure you avoid fines, litigation exposure, and foster trust that enhances customer experiences. To learn more about how Compliance & Privacy Partners can help prepare you for the new wave of privacy regulations reach out to us at 323-413-7432 or email us at for a free consultation with a Certified Information Privacy Manager.


Pursuant to the requirements of Government Code section 11346.8, subdivision (c), and section 44 of Title 1 of the California Code of Regulations, the California Department of Justice (Department) is providing notice of a third set of proposed modifications made to the regulations regarding the California Consumer Privacy Act.    

The Department first published and noticed the proposed regulations for public comment on October 11, 2019.  On February 10, 2020 and March 11, 2020, the Department gave notice of modifications to the proposed regulations, based on comments received during the relevant comment periods.  The Department withdrew the following sections from the review of the Office Administrative Law (OAL) pursuant to Government Code section 11349.3, subd. (c):  999.305(a)(5), 999.306(b)(2), 999.315(c), and 999.326(c).  OAL approved the other sections submitted by the Department, effective August 14, 2020, and these provisions became final.

The modifications are indicated by bold blue underline for proposed additions and red strike out for proposed deletions to the regulations that became effective on August 14, 2020.  This third set of modifications include the following changes:

  • Proposed section 999.306, subd. (b)(3), provides examples of how businesses that collect personal information in the course of interacting with consumers offline can provide the notice of right to opt-out of the sale of personal information through an offline method.
  • Proposed section 999.315, subd. (h), provides guidance on how a business’s methods for submitting requests to opt-out should be easy and require minimal steps.  It provides illustrative examples of methods designed with the purpose or substantial effect of subverting or impairing a consumer’s choice to opt-out.
  • Proposed section 999.326, subd. (a), clarifies the proof that a business may require an authorized agent to provide, as well as what the business may require a consumer to do to verify their request.
  • Proposed section 999.332, subd. (a), clarifies that businesses subject to either section 999.330, section 999.331, or both of these sections are required to include a description of the processes set forth in those sections in their privacy policies.

This Notice, the text of the third set of proposed modifications to the regulations, and a comparison of the text as approved by the Office of Administrative Law with the currently proposed modifications are available at  The originally proposed regulations and all documents relating to the rulemaking package, including previous modifications to the proposed regulations, are also available at this website.

The Department will accept written comments regarding the proposed changes between Tuesday, October 13, 2020 and Wednesday, October 28, 2020. Please limit comments to the additions indicated in bold blue underline and the deletions indicated in red strike out.  All written comments on the underlined changes must be submitted to the Department no later than 5:00 p.m. on October 28, 2020 by email to, or by mail to the address listed below.

It’s Not The Crime, It’s The Cover Up – Former Uber Security Chief Charged Over Covering Up 2016 Data Breach

The federal prosecutors in the United States have charged Uber’s former chief security officer, Joe Sullivan, for covering up a massive data breach that the ride-hailing company suffered in 2016.

According to the press release published by the U.S. Department of Justice, Sullivan “took deliberate steps to conceal, deflect, and mislead the Federal Trade Commission about the breach” that also involved paying hackers $100,000 ransom to keep the incident secret.

“A criminal complaint was filed today in federal court charging Joseph Sullivan with obstruction of justice and misprision of a felony in connection with the attempted cover-up of the 2016 hack of Uber Technologies,” it says.

The 2016 Uber’s data breach exposed names, email addresses, phone numbers of 57 million Uber riders and drivers, and driver license numbers of around 600,000 drivers.

The company revealed this information to the public almost a year later in 2017, immediately after Sullivan left his job at Uber in November.

Later it was reported that two hackers, Brandon Charles Glover of Florida and Vasile Mereacre of Toronto, were behind the incident to whom Sullivan approved paying money in exchange for promises to delete data of customers they had stolen.

All this started when Sullivan, as a representative for Uber, in 2016 was responding to FTC inquiries regarding a previous data breach incident in 2014, and during the same time, Brandon and Vasile contacted him regarding the new data breach.

“On November 14, 2016, approximately 10 days after providing his testimony to the FTC, Sullivan received an email from a hacker informing him that Uber had been breached again.”

“Sullivan’s team was able to confirm the breach within 24 hours of his receipt of the email. Rather than report the 2016 breach, Sullivan allegedly took deliberate steps to prevent knowledge of the breach from reaching the FTC.”

According to court documents, the ransom amount was paid through a bug bounty program in an attempt to document the blackmailing payment as bounty for white-hat hackers who point out security issues but have not compromised data.

“Uber paid the hackers $100,000 in BitCoin in December 2016, despite the fact that the hackers refused to provide their true names (at that time),” federal prosecutors said. “In addition, Sullivan sought to have the hackers sign non-disclosure agreements. The agreements contained a false representation that the hackers did not take or store any data.”

“Moreover, after Uber personnel were able to identify two of the individuals responsible for the breach, Sullivan arranged for the hackers to sign fresh copies of the non-disclosure agreements in their true names. The new agreements retained the false condition that no data had been obtained. Uber’s new management ultimately discovered the truth and disclosed the breach publicly, and to the FTC, in November 2017.”

Just last year, both hackers were pleaded guilty to several counts of charges for hacking and blackmailing Uber, LinkedIn, and other U.S. corporations.

In 2018, British and Dutch data protection regulators also fined Uber with $1.1 million for failing to protect its customers’ personal information during a 2016 cyber attack.

Now, if Sullivan found guilty of cover-up charges, he could face up to eight years in prison, as well as potential fines of up to $500,000.

California Privacy Act – What Businesses Need To Do, Now.

After much anticipation, the California Attorney General (AG) announced in early June 2020 that the final California Consumer Protection Act (CCPA) regulations were being submitted to the Office of Administrative Law (OAL) for review. Once approved by the OAL, the final regulation text will be filed with the Secretary of State and become enforceable by law.

Because enforcement of the CCPA began on July 1, 2020, now is the time for covered businesses and service providers to size-up their compliance efforts. Although there are many issues that remain unclear, the regulations may provide a road map to the AG’s enforcement priorities. Among the issues addressed by the final regulations—as well as the AG’s “Final Statement of Reasons” which accompanied those regulations— are the following:

  • Privacy Policy: A business’ privacy policy must inform consumers of their rights under the CCPA and how they can submit requests to know or delete personal information. In addition, the privacy policy should disclose the categories of personal information collected, the categories of personal information disclosed for a business purpose or sold to a third party and provide on a per category basis the categories of third parties to whom the information was disclosed or sold.
  • Required Notices: The final regulations detail the information that should be included in the various notices. They also require business to use “plain, straightforward language” and a format that draws the consumer’s attention to the notice. In addition, the AG clarified that the regulations do “not require a cookie banner, but rather leave it to businesses to determine the formats that will best achieve the result in particular environments. In other words, it appears that the use and nature of tracking technologies can be disclosed in the privacy policy assuming that policy is readily available to the public.
  • Service Providers: The regulations require that service providers use the personal information they receive from businesses “to process or maintain personal information on behalf of the business … and in compliance with the written contract for services required by the CCPA,” except in certain narrowly-defined circumstances, such as building or improving the quality of their services. If an entity qualifies as a service provider, the transfer of information from a business to them is not deemed a sale. Moreover, the Final Statement of Reasons clarifies that service providers do not lose their status as service providers merely because they collect consumers’ personal information directly, if that collection is performed at the business’s direction and on behalf of that business.
  • Subcontractors: The regulations provide that service providers may hire subcontractors, as long as the subcontractors meet all the requirements for a “service provider” set forth in the CCPA and the regulations.
  • User-Enabled Privacy Controls: Businesses must honor privacy controls that clearly communicate or signal that the consumer intends to opt out of the sale of personal information.
  • Training and Recordkeeping: The regulations require training for all individuals responsible for handling consumer inquiries. Businesses must also retain records of consumer requests and how the business responded to such request for 24 months.
  • No Discrimination: A business cannot discriminate against a consumer for exercising his or her rights under the CCPA.

Read the latest regulations here.

CCPA Regulations Update


Update to Proposed Text

Pursuant to the requirements of Government Code section 11346.8, subdivision (c), and section 44 of Title 1 of the California Code of Regulations, the California Department of Justice (Department) is providing notice of changes made to the proposed regulations regarding the California Consumer Privacy Act, which were published and noticed for public comment on October 11, 2019.  These changes are in response to comments received regarding the proposed regulations and/or to clarify and conform the proposed regulations to existing law.  The originally proposed regulations, this Notice, the text of the proposed regulations as modified, and a comparison of the text as originally proposed with the modifications, are available at

Update to Documents and Other Information Relied Upon

Pursuant to the requirements of Government Code sections 11346.8, subdivision (d), 11346.9, subdivision (a)(1), and 11347.1, the Department is also providing notice that documents and other information which the Department has relied upon in adopting the proposed regulations have been added to the rulemaking file and are available for public inspection and comment.

The documents and information added to the rulemaking file are as follows:

Accenture Interactive, See people, not patterns. (2019). Available at

Cranor, et al., Design and Evaluation of a Usable Icon and Tagline to Signal an Opt-Out of the Sale of Personal Information as Required by CCPA (February 4, 2020).

Douglis, et al., How the CCPA impacts civil litigation (January 28, 2020).  Available at

Duffy, et al., Retail Loyalty Programs Will Survive Calif. Privacy Law (September 26, 2019), Law360.  Available at

Paternoster, Leon, Getting round GDPR with dark patters. A case study: Techradar (August 12, 2018).  Available at

Simon, et al., Summary of Key Findings from California Privacy Survey (October 16, 2019), Goodwin Simon Strategic Research.  Available at

World Wide Web Consortium, Web Content Accessibility Guidelines, version 2.1 (June 5, 2018).  Available at

The Department is also providing notice that it will not be including the following study in the rulemaking file.

Javelin Strategy & Research, 2019 Identity Fraud Study: Fraudsters Seek New Targets and Victims Bear the Brunt (March 6, 2019).

The entire rulemaking file, which includes the documents referenced above, is available for inspection and copying throughout the rulemaking process during business hours at the location listed below.  In addition, some of the documents are available at

The Department will accept written comments regarding the proposed changes or materials added to the rulemaking file between Friday, February 7, 2020 and Monday, February 24, 2020. All written comments must be submitted to the Department no later than 5:00 p.m. on February 24, 2020 by email to, or by mail at the address listed below.

Lisa B. Kim, Privacy Regulations Coordinator
California Office of the Attorney General
300 South Spring Street, First Floor
Los Angeles, CA 90013

All timely comments received that pertain to the changes to the proposed regulations or the new materials added will be reviewed and responded to by the Department’s staff as part of the compilation of the rulemaking file.  Please limit written comments to those items.

NSA Releases Guidance on Mitigating Cloud Vulnerabilities

Original release date: January 24, 2020

The National Security Agency (NSA) has released an information sheet with guidance on mitigating cloud vulnerabilities. NSA identifies cloud security components and discusses threat actors, cloud vulnerabilities, and potential mitigation measures.

The Cybersecurity and Infrastructure Security Agency (CISA) encourages administrators and users to review NSA’s guidance on Mitigating Cloud Vulnerabilities and CISA’s page on APTs Targeting IT Service Provider Customers and Analysis Report on Microsoft Office 365 and other Cloud Security Observations for information on implementing a defense-in-depth strategy to protect infrastructure assets.

Rafael Moscatel is Managing Director of Compliance and Privacy Partners, a consulting firm specializing in data governance and privacy solutions. He is an award-winning Information Governance Professional (IGP), Certified Records Manager (CRM), Certified Information Privacy Manager (CIPM). Rafael has spent the last twenty years developing large-scale Information Management Programs for the Fortune 500 including Paramount Pictures and Farmers InsuranceReach him at 323-413-7432, follow him on Twitter at @rafael_moscatel or visit to learn more.