Just months after the dust settled from the California Consumer Privacy Act (CCPA) going into effect, all eyes were back on California as voters headed to the polls to determine the future of the data privacy law.
The California Privacy Rights Act (CPRA), started by the same group that introduced CCPA, was officially approved by voters as Proposition 24 on Nov. 3, 2020.
With implementation of this law less than a year away, read on to learn more about CPRA, what this means for nonprofits and the key provisions to keep an eye on.
CPRA originated as a ballot initiative sponsored by Californians for Consumer Privacy. Once it received the necessary 600,000 resident signatures, it qualified for the ballot.
Building on CCPA’s framework, CPRA significantly strengthens many of the provisions CCPA put into place on Jan. 1, 2020.
These tightened regulations will go into effect Jan. 1, 2023.
Although nonprofits are exempt from the provisions, it’s clear that when it comes to user data, there is a growing expectation that nonprofits must act as responsible stewards of their donors’ information.
Nonprofits must respect donor intentions and privacy when requested. They must also be aware of agency, vendor and other supplier policies regarding donor data management.
What changes can you expect under CPRA? We talked to The Nonprofit Alliance CEO Shannon McCracken, who shared the key provisions we should be aware of:
This is stricter than the former definition of “personal information.” In addition to the traditional points that normally fall under this description, like social security number or financial information, it also includes precise geolocation, race/ethnicity, religion and more.
Under CCPA, California consumers gained the right to know and delete their personal information. CPRA will now give them the right to correct personal information, too.
When CCPA was introduced and implemented, there was concern that there was not enough budget or manpower to fully enforce compliance. The formation of this agency will address that concern and will be funded in part by penalties assessed for noncompliance.
CPRA extends the moratorium on employee data until at least 1/1/23. Under CCPA, it would have expired by 1/1/21.
Under CPRA, private right of action is expanded to include breaches that provide unauthorized access or disclosure of an email address and password or security question.
Data regulation and consumer privacy concerns are gaining steam across the globe and will continue to be a hot topic.
These regulations have been slow-moving at the federal level, but it’s likely we will see them in the near future. In the meantime, many other states are making moves to introduce their own legislation.
Because of this, it’s critical that nonprofits proactively maintain quality data records, evaluate vendor partnerships and stay knowledgeable on the latest legislation.
Note: The above content is informative in nature and is not intended as legal advice. As a company that provides professional fundraising consulting services, we retain counsel to ensure compliance with fundraising laws in each applicable state. Questions related to the California Privacy Rights Act of 2020 (CPRA) for U.S.-based nonprofits should be directed to counsel that is competent to address such matters.