California Consumer Privacy Act

The California Privacy Rights Act (CPRA) is going on the November ballot and, if passed, will bring California data protection law closer to the European Union’s General Data Protection Reguation (GDPR), implementing concepts such as:

  • data minimization
  • retention limitation
  • sensitive information limitation
  • data protection risk assessments; and
  • strong buttoning down of downstream service providers


On the first day the California Consumer Privacy Act became enforceable, California Attorney General Xavier Becerra issued the following public statement:

“Today we begin enforcement of the California Consumer Privacy Act (CCPA), a first-of-its-kind data privacy law in America. We encourage every Californians to know their rights to internet privacy and every business to know

The California Privacy Rights Act (CPRA) is on its way (if approved by voters in November), but what does this mean for you?

  •  First: Assess your core California Consumer Privacy Act (CCPA) compliance, enforcement starts tomorrow. July 1, 2020.
  • Second: Look beyond the consumer facing CCPA “must haves” and button down other CCPA

For companies scrambling to button up their California Consumer Privacy Act (CCPA) compliance by the July 1 enforcement date,  some news out of the state capital of Sacramento:

Per a memorandum issued June 24, 2020 by the California Secretary of State, the California Privacy Rights Act (CPRA), often dubbed “CCPA 2.0”, has collected a sufficient

A comment requested that the California Attorney General clarify the specific requirements for making privacy notices “easy to read and understandable to the average consumer” under the California Consumer Privacy Act regulations.

The Attorney General responded:
  • The provisions of Section 999.305(a)(2) are sufficient to make this clear.
  • Also, notices cannot be misleading.
  •  European Union: 

A comment asks the California Attorney General if directing a consumer to an online form could constitute a valid notice at collection under the recently finalized California Consumer Privacy Act regulations.

The Attorney General says it can’t confirm or deny.

The AG says nothing prevents a business from directing a consumer to a place where