On November 3, California citizens approved the California Privacy Rights and Enforcement Act (the CPRA), a comprehensive privacy law that amends another privacy law that went into effect in the state on January 1, the California Consumer Privacy Act (CCPA). The CPRA is intended to strengthen privacy regulations in California by creating new requirements for companies that collect and share sensitive personal information. It also creates a new agency, the California Privacy Protection Agency, that will be responsible for enforcing CPRA violations.Most privacy attorneys agree that the CPRA was created with the European Union\u2019s General Data Protection Regulation (GDPR) in mind, adding teeth to the stipulations that existed in the CCPA. Consumers will be able to correct inaccurate personal information that business hold, and fines are steep for violating the children\u2019s data protection requirements under the CPRA. Most of the law\u2019s provisions will go into effect on January 1, 2023, with some provisions requiring a look-back to 2022.The CPRA defines \u201csensitive personal information\u201d to include an expansive range of data elements, including government-issued identifiers such as drivers licenses, passports, and Social Security numbers as well as financial account information, geolocation, race, ethnicity, religion, union membership, personal communications, genetic and biometric data, health information, and information about sex life or sexual orientation.One key change in the CCPA requirements in the CPRA is an extension of an exemption for businesses in terms of their employees\u2019 data. The CPRA gives businesses the exemption from meeting the consumer privacy requirements' tough standards for their employees until January 1, 2023. However, businesses will have to comply with certain aspects of employee privacy protection between now and then.The CPRA has several other expansive provisions that will grant consumers substantial privacy rights, including limiting business use of their data to the specific purposes for which it has been obtained, increased breach liability, storage limitations, and data minimization.Other states expected to enact CPRA-like lawsPrior to the COVID pandemic, \u201cApproximately eight other states had a copycat version of the CCPA in the works,\u201d Peter Stockburger, partner in the Data, Privacy and Cybersecurity practice at global law firm Dentons, tells CSO. Among those states are Virginia, Florida, New Hampshire, Washington, Nebraska, New York, Maryland and North Dakota.Washington appears to be the farthest along, pushing toward 2021 enactment. Although up for consideration when the next legislative session begins in January, no required action has been specified yet in Washington. What is clear is that the privacy moves in Washington and the other states have been spurred by the CCPA\u2019s tougher privacy trailblazing.The CPRA, however, is the \u201cfirst of its kind in terms of saying you have to have a lawful and business purpose for what you're going to do with the data. That sort of processing restriction is European; that\u2019s what the GDPR requires,\u201d Stockburger says. \u201cIf that becomes a trend in the States, that's going to radically change how people handle data and what they do with the data.\u201dUnlike the CCPA, this requirement could make the CPRA a tougher piece of legislation to copy in other states. \u201cRight now, it's sort of a free-for-all when you get data, as long as you're telling people what you do, you can do with it as you wish so long as you're not doing anything unlawful or you're not doing something where you're supposed to obtain consent. That's a big change. I don't know that other states are going to follow that,\u201d Stockburger says.Not all experts think the tougher rules of CPRA will be a harder sell in other states. \u201cI expect that we\u2019ll see several other states propose CPRA copycat legislation in 2021, just as many states proposed CCPA copycat legislation in 2019 and 2020,\u201d Laura Jehl, global head of McDermott\u2019s Privacy and Cybersecurity Practice, tells CSO. \u201cCPRA is intended to strengthen, streamline and otherwise improve CCPA, as well as to better conform the law in some respects to the EU GDPR, so I would expect states that are interested in adopting comprehensive data privacy laws to use CPRA as a basis.\u201d\u201cI also expect that they won\u2019t copy all aspects of CPRA and that they\u2019ll include some components that aren\u2019t in CPRA,\u201d Jehl adds, \u201cwhich means that US privacy compliance is about to get even more complicated.\u201dCOVID-19 pushed privacy laws to low priorityThe COVID-19 crisis has derailed a lot of legislative activity across the country, making it difficult to get a solid sense of where privacy initiatives are headed. \u201cThe challenge you're going to find is that post-pandemic most of the state legislatures said anything that's not COVID related is not being considered,\u201d Stockburger says. After the pandemic recedes from its urgent priority status, many states could kick new legislative efforts into gear. \u201cNext year, that's when you're going to see big new developments and introductions,\u201d he says.Will federal privacy legislation preempt the state laws?Another question that remains is whether the federal government will step in to create a more consistent privacy law framework. In the past, Silicon Valley giants stood staunchly opposed to the stringent provisions of the CCPA and sought a national privacy law to preempt and water down the CCPA\u2019s requirements. However, their resistance has weakened over the past several years.\u201cAt the federal level, there's just a real challenge in getting any type of omnibus legislative efforts pushed through,\u201d Stockburger says. \u201cThat\u2019s been a challenge since probably 2016 when the Democrats got whooped in the midterms, and since then, we've had divided Congress.\u201dThe strange lack of desire by the public to push for privacy protections has added to the partisan gridlock. \u201cI don't think there's a lot of public pressure on it. You've got several fits and starts at the federal level. I think any federal data privacy law is going to have to be pretty principle-based and generic in terms of everybody has a right to know, but it's subject to state regulation or something to that effect,\u201d Stockburger predicts.