On Election Day, Californians chose not only the direction of their government but also the direction of some of the laws that government will administer. With 56% of voters approving it thus far, Proposition 24, also known as the California Privacy Rights Act (CPRA), is on its way to replacing key components of the California Consumer Privacy Act (CCPA), one of the more robust data privacy laws in the country.
While the CPRA is not without controversy, it raises the stakes for non-compliance and encourages businesses, including cryptocurrency exchanges, to take additional steps to respect user privacy. It also has the potential to bring those businesses closer to complying with the General Data Protection Act, the European Union privacy law that goes further than the CPRA.
“The silver lining is that an exchange that has been attempting to achieve compliance under the GDPR (e.g., employing accepted hashing techniques to effectuate data ‘deletions’) could use some of those same measures to demonstrate compliance under the CPRA,” said Steven Blickensderfer, a technology and privacy lawyer at the firm Carlton Fields. “In effect, the CPRA may force exchanges to look globally and think holistically about their privacy compliance, which may not be a bad thing after all.”
The CCPA vs. the CPRA
The CCPA was the first law of its kind in the United States. The law empowers California consumers to know when private companies collect, share or sell their data and to stop that sale if necessary. It applies to companies that have annual gross revenue of more than $25 million or that possess information on 50,000 or more consumers.
The CPRA adds protections for sensitive data, including biometric data, location data and racial data, among others. A new state agency with a budget of $10 million will enforce the law, set to go into effect in 2023. Previously, this task had fallen to the arguably understaffed California Attorney General’s office.