The majority of CPRA amendments took effect on Jan. 1, 2023, and introduced new data minimization obligations into the CCPA. As a result, the CCPA now requires a business’ collection, use, retention, and sharing of a California resident’s personal information to be “reasonably necessary and proportionate to achieve the purposes for which the personal information was collected or processed, or for another disclosed purpose that is compatible with the context in which the personal information was collected, and not further processed in a manner that is incompatible with those purposes.” (Cal. Civ. Code § 1798.100(c)). Businesses that fail to comply with the CCPA could face litigation that is damaging to the organization’s finances and reputation. Moreover, non-compliance can also lead to fines of up to $2,500 per violation or $7,500 for violations that are intentional or involve children, with each impacted consumer potentially giving rise to a separate violation.
Businesses that have not finalized their compliance programs have some relief. The amendments that the CPRA introduced shall not be enforced until July 1, 2023, and regulators cannot look back to violations occurring before this date to enforce any provision added or amended by the CPRA (Cal. Civ. Code § 1798.185(d)). But July is just a few short months away, and compliance with the amended CCPA, in particular the data minimization requirements, will likely take businesses significant time and resources.