November 29, 2022

Volume XII, Number 333


November 28, 2022

Subscribe to Latest Legal News and Analysis

New California Privacy Initiative to Appear on November Ballot – Get Ready for CCPA 2.0

Just as businesses are gearing up for the start of enforcement of the California Consumer Privacy Act (“CCPA”), California cleared the way for the California Privacy Rights Act (“CPRA”). The CPRA is an initiative imposing greater privacy restrictions on businesses holding consumer data, to be voted on as part of California’s November 2020 ballot. The certification came following a Sacramento County Superior Court order compelling all 58 California counties to complete their verification of signatures in time so that the CPRA would be included on the 2020 ballot as well as an announcement by the Secretary of State affirming that it had received more than 623,212 valid signatures and that the CPRA was eligible for the 2020 ballot.

At its basic level, the CPRA strengthens the CCPA by creating new privacy rights, obligations, and enforcement mechanisms. Among these changes, the CPRA mandates the following:

  • Businesses must limit the use and disclosure of an expanded list of sensitive personal information (including data related to race, ethnicity, religion, personal communications, health information, and sexual orientation).

  • Businesses must give consumer notice that the consumer’s information may be sold and that the consumer has a right to opt-out of such sale.

  • Businesses will need to defend against private consumer litigation as the CPRA explicitly grants consumers a right to bring a private civil action for certain CPRA breaches.

  • Businesses will be subject to enforcement actions from, and regulations promulgated by, a newly created California Privacy Protection Agency.

The CPRA and the creation of the California Privacy Protection Agency would undoubtedly expand privacy regulations and enforcement actions. There has been little polling on the CPRA, but a survey commissioned by the Californians for Consumer Privacy (the sponsors of the ballot initiative) shows strong support for enhanced privacy legislation.  While the CPRA, if passed, would not go into effect until January 1, 2023, businesses will want to keep a close watch on developments in order to have as much time as possible to prepare if the measure is approved.   Watch this space.

©1994-2022 Mintz, Levin, Cohn, Ferris, Glovsky and Popeo, P.C. All Rights Reserved.National Law Review, Volume X, Number 181

About this Author

Cynthia Larose Privacy Attorney Mintz Levin
Chair, Privacy & Cybersecurity Practice

Cynthia is a highly regarded authority in the privacy and security field and a Certified Information Privacy Professional (CIPP). She handles the full range of data security issues for companies of all sizes, from start-ups to major corporations. Cynthia is masterful at conducting privacy audits; crafting procedures to protect data; advising clients on state, federal, and international laws and regulations on information use and data security; helping organizations respond to breaches; and planning data transfers associated with corporate transactions. She is an in-...


Kevin represents clients in acquisition and financing transactions and general corporate matters. He has experience negotiating merger and acquisition (M&A) transactions and debt and equity financings as well as licensing and technology transactions. His practice also includes a focus on start-ups, including company formation and structuring.

 Prior to joining Mintz, Kevin was a corporate associate with a Bay Area law firm focusing on start-up companies and their investors. Kevin focused on M&A transactions, including mergers, asset purchases, and stock purchases. He also...