Just months after the dust has settled from the California Consumer Privacy Act (CCPA) going into effect, all eyes are back on California as they head to the polls to determine its future.
Meet the California Privacy Rights Act (CPRA). Started by the same group who introduced CCPA, this initiative has been officially added to the November 3 ballot.
And while, if passed, it won’t be implemented until 2023, there are still a few things to be aware of ahead of the election.
Read on to learn more about CPRA, what this means for nonprofits and the key provisions to keep an eye on.
What is CPRA?
CPRA originated as a ballot initiative sponsored by Californians for Consumer Privacy. Once it received the necessary 600k resident signatures, it qualified for the November 3 ballot.
Building on CCPA’s framework, CPRA significantly strengthens many of the provisions CCPA put into place on January 1, 2020.
If passed, these tightened regulations will go into effect January 1, 2023.
What does this mean for nonprofits?
Although nonprofits are exempt from the provisions, it’s clear that when it comes to user data, there is a growing expectation that nonprofits are acting as responsible stewards of their donor’s information.
Nonprofits must respect donor intentions and privacy when requested. They must also be aware of agency, vendor and other supplier policies regarding donor data management.
Key provisions to be aware of
What changes can you expect under CPRA? We talked to The Nonprofit Alliance CEO Shannon McCracken, who shared the key provisions we should be aware of:
1. “Sensitive personal information”
This is stricter than the former definition of “personal information.” In addition to the traditional points that normally fall under this description, like SSN or financial information, it also includes precise geolocation, race/ethnicity, religion, and more.
2. Expanded consumer rights
Under CCPA, California consumers gained the right to know and delete their personal information. CPRA would now give them the right to correct personal information, too.
3. Formation of the California Privacy Protection Agency
When CCPA was introduced and implemented, there was concern that there was not enough budget or manpower to fully enforce compliance. The formation of this agency would address that concern and would be funded in part by penalties assessed for non-compliance.
4. Extended moratorium on employee data
CPRA extends the moratorium on employee data until at least 1/1/23. Under CCPA, it could expire as soon as 1/1/21.
5. Expanded liability for data breaches
Under CPRA, private right of action is expanded to include breaches that provide unauthorized access or disclosure of an email address and password or security question.
Growing data privacy concerns
Data regulation and consumer privacy concerns are gaining steam across the globe and will be a big draw for voters as the head to the polls.
These regulations are slow moving at the federal level, but it’s likely we can see them in the near future. In the meantime, many other states are making moves to introduce their own legislation.
Because of this, it’s critical that nonprofits proactively maintain quality data records, evaluate vendor partnerships and stay knowledgeable on the latest legislation.
Note: The above content is informative in nature and is not intended as legal advice. As a company that provides professional fundraising consulting services, we retain counsel to ensure compliance with fundraising laws in each applicable state. Questions related to the California Privacy Rights Act of 2020 (CPRA) for U.S.-based nonprofit should be directed to counsel that is competent to address such matters.