This article seeks to elucidate the objectives, rights, and obligations of individuals and corporations under the California Privacy Rights Act, 2020 in light of its importance for Indian businesses operating in Canada.

Introduction:
The California Privacy Rights Act (CPRA) is the latest revision of California law that tightens privacy laws and safeguards the privacy of customers. The California Privacy Rights Act was proposed with the aim of making the privacy laws in the state of California even more powerful. In the November 2020 election, Californians approved the California Privacy Rights Act ballot proposition, updating and enhancing the current California Consumer Privacy Act (CCPA).

The proposition expands the rules established under the California Consumer Privacy Act. The new California state privacy legislation updates the California Consumer Privacy Act's current provisions, establishes new consumer rights, adds new requirements for companies that gather personal data from California residents, and establishes the California Privacy Protection Agency as a new enforcement authority. Together with the California Department of Justice, the agency will be responsible for monitoring and enforcing consumer privacy laws.

This change in law will require both businesses and individuals to comply with new norms and standards set by the newly proposed act. The initiative also mandates that businesses acquire consent from customers under the age of 16 and consent from a parent or legal guardian from customers under the age of 13 before collecting personal data.

In light of such changes taking place in the privacy laws of California, it is essential for business entities and individuals to update their modus operandi on processing personal data to suit the standards set by the California Privacy Rights Act, 2020. This article provides a comprehensive overview of the changes in the rights and obligations of consumers and organisations in view of the change in the Californian privacy rights law.

CPRA's Importance for Indian Entities

Understanding the California Privacy Rights Act (CPRA) is relevant for Indian multinational companies (MNCs) operating in Canada due to the extraterritorial reach of privacy laws and the potential impact on cross-border data transfers. The CPRA introduces significant changes to privacy regulations in California, which is home to numerous technology companies and a significant market for Indian MNCs.

Since California's privacy laws have a broad reach and affect companies that collect or process personal data of California residents, Indian MNCs with operations in Canada may have to comply with CPRA requirements if they handle data of Californian consumers. Being aware of CPRA's provisions, such as new consumer rights and obligations, can help Indian MNCs ensure compliance with California's privacy laws and navigate potential legal implications when handling personal data from California residents while operating in Canada.

Rights granted under CCPA, 2018

The General Data Protection Regulation (GDPR), introduced by the European Union, which garnered a lot of attention with its profusion of privacy-related rules and the possibility of significant fines for offenders, had a significant impact on the data protection and privacy arena in 2018. The California Consumer Privacy Act of 2018 acted as the most important of many other new laws enacted during that year for privacy rights.

The California Consumer Privacy Act is a state law created to strengthen Californians' rights to privacy and consumer protection. The Act became operative on January 1, 2020. It is the predecessor of the California Privacy Rights Act, 2020.

California consumers have the following rights under the CCPA:

• Access to their personal data.
• Understand the types of personal data being gathered.
• Choose not to have it shared or sold.
• Request for its removal, or if it's inaccurate, request for its correction.
• Exercise their rights without worrying about punishment or prejudice.

The California Consumer Privacy Act has, over time, lost its sheen and relevance, requiring a more stringent and updated Act to come into force instead. The CCPA will, therefore, be expanded and redefined as part of the California Privacy Rights Act in order to protect California citizens' rights. It will not only improve safety measures but also tighten the California Consumer Privacy Act.

Although the objectives and purview of the two laws are comparable, the California Privacy Rights Act was designed to improve the California Consumer Privacy Act's lax and ill-defined consumer protection requirements, lax enforcement, and patchy monitoring. Customers have more options to opt out, and enterprises must handle data privacy intentionally.

The California Consumer Privacy Act, therefore, builds upon the rights granted under the CCPA to increase the scope of privacy rights. CPRA restricts how corporations can collect, use, store, and disseminate personal data while also granting California residents and customers particular rights. Presently, the CPRA is widely recognised as the most comprehensive rule of its sort in the nation, and in some ways, it resembles the revolutionary General Data Protection Regulation (GDPR), 2018.

Overview of the CPRA

California voters overwhelmingly adopted the California Privacy Rights Act of 2020 (CPRA), also known as Proposition 24, when it was placed on the general election ballot on November 3, 2020. The California Consumer Privacy Act (CCPA) of 2018, which laid the groundwork for consumer privacy rules, is built upon this proposition, which broadens the state of California's consumer privacy statute.

The California Privacy Rights Act establishes a thorough data protection framework that is comparable to data protection regulations in many other regions of the globe, such as the General Data Protection Regulation of the European Union, marking a significant divergence from past U.S. legislation pertaining to HR individuals' data.

The majority of employers conducting business in California will be subject to much stricter privacy and information security requirements under the California Privacy Rights Act, 2020. The private data of California residents who are employees, independent contractors, business people, job applicants, and board members, as well as the dependents of employees who receive benefits from their employer, will be subject to this novel, coherent, and comprehensive legal framework.

By enshrining more provisions in California state law, the proposition expands consumers' rights to limit the use of "sensitive personal information," which includes precise geolocation, ethnicity, race, religion, private conversations, genetic data, sexual orientation, and medical details, as well as to avoid businesses from disclosing their personal information to third parties and to rectify inaccurate personal information.

The Act establishes the California Privacy Protection Agency as a special agency charged with carrying out and enforcing state privacy laws, looking into infractions, and punishing offenders. The Act also eliminates the predetermined window of time during which businesses can correct violations without incurring penalties; forbids companies from keeping personal data on customers for longer than is necessary; increases threefold the maximum fines for breaches involving kids below the age of 16 (up to $7,500), and allows for civil penalties for the theft of account login information.

On January 1, 2023, a considerable expansion of employers' data responsibilities took effect, necessitating significant modifications to the current private data handling policies, processes, and practices of the HR individuals. Till the compliance date, a large majority of covered firms required a good deal of this time to deal with the CPRA's expanded obligations.

The CPRA also stipulates a 12-month lookback timeframe for HR personnel who want to use their new rights to inquire about how the business manages their personal information. In order to be able to react to employees' demands for CPRA rights, companies must start preparing their human resources data as of January 1, 2022. It is also provided that the legislature would be unable to repeal the legislation, and any changes they do make must be congruous with and promote the motives and objectives of the Act.

Subjects of the CPRA

No matter where they are based, any company that conducts business in California and gathers customers' personal information is subject to the California Privacy Rights Act. These companies must fulfil either of the following two conditions for the CPRA to be applicable to them, as laid down under Section 1798.140(d)(1) of the Act:

• Exceeded the gross revenue of $25 million in the preceding calendar year as of January 1 of the present calendar year, or
• Obtains 50% or more of its yearly revenue from the sale or sharing of consumer data; or
• Purchases, sells, or shares the personal information of 0.1 million or more consumers or households annually.

If any of the aforementioned criteria is satisfied, then the company is considered to be a "business" under the California Privacy Rights Act.

Objectives of the CPRA

The purpose of the Act is to provide Californians with the right to:

• Know who is gathering their personal information as well as that of their children, how it is being used, and to whom it is accessible.
• Have their privacy interests protected, even if they are workers, business persons, or independent contractors.
• Limit the usage of their sensitive personal information and exercise control over how it is used.
• Have access to and control over their personal data, including the ability to move, update, and delete it.
• Utilizing readily available self-serve methods, people can exercise their privacy rights.
• Exercising their right to privacy without suffering consequences.
• Profit from the usage of your personal data by corporations.
• Hold companies responsible if they don't adopt appropriate information security measures.

References:

• https://oag.ca.gov/system/files/initiatives/pdfs/29_1.pdf
• https://ccpa-info.com/california-consumer-privacy-act-full-text/
• https://www.itgovernanceusa.com/california-consumer-privacy
• https://www.mondaq.com/unitedstates/privacy-protection/1192382/from-ccpa-to-cpra-what-are-the-key-takeaways
• https://pro.bloomberglaw.com/brief/the-far-reaching-implications-of-the-california-consumer-privacy-act-ccpa/
• https://www.itgovernanceusa.com/california-consumer-privacy
• https://www.mwe.com/insights/california-privacy-rights-act-takes-effectsort-of/

Written By: Tejaswini Kaushal, a student at Dr. Ram Manohar Lohiya National Law University, Lucknow.>