California Passes Proposition 24 on Consumer Privacy

Businesses that have worked hard to implement California Consumer Privacy Act (CCPA) compliance initiatives will have a whole new set of privacy standards to comply with in the very near future.  California’s Proposition 24, also known as the California Privacy Rights Act (CPRA), has passed, expanding the state’s consumer privacy regulations. 

The CCPA, which passed only two years ago and whose final regulations were released only earlier this year, will remain in effect until the CPRA becomes effective on January 1, 2023.  The CPRA expands the CCPA, adding new privacy rights aimed at strengthening consumer privacy.

Among the changes introduced by the CPRA is the creation of a new, five-member agency with regulatory authority for enforcement of both the CCPA and CPRA.  The California Privacy Protection Agency will take over enforcement authority from the California Attorney General and dramatically change the way privacy rights are handled.  The Agency will be empowered to issue guidelines and impose fines on businesses that fail to comply. The Agency is slated to take over on July 1, 2021.

What is new in the CPRA? 

The CPRA modifies the CCPA in some meaningful ways by introducing new privacy rights and obligations pertaining to certain categories of personal information.  The updates will likely have a significant impact on companies that do business in California.  

New provisions of the CPRA include:

  • Sensitive Personal Information. The CPRA introduces a newly defined category of personal information that includes things like social security number, driver’s license number, passport number, sexual orientation, biometric data, health and financial information, and precise geolocation.
  • Additional Consumer Rights.  In addition to the rights conferred upon consumers under the CCPA, under the CPRA consumers will have additional rights, including the right to:
    • correct personal information;
    • know the length of data retention;
    • opt-out of geolocation utilization;
    • limit businesses from collecting more data than necessary;
    • restrict usage of sensitive personal information;
    • know what personal information is sold or shared and to whom;
    • prevent retaliation for exercising privacy rights.
  • Sharing of Data.  Of note, the CPRA allows consumers to opt out of the sharing of their personal information (rather than only its sale) for “cross-context behavioral advertising.”  This change is intended to close a perceived loophole in the CCPA that some businesses have relied on to avoid compliance.  This means businesses that do not sell data but share it for digital advertising purposes may have to comply.
  • Expanded Breach Liability.  The CPRA adds a private right of action for unauthorized access or disclosure of an email address and password or security question that would permit access to an account if the business failed to maintain reasonable security.
  • Disclosure Obligations.  Businesses will be required to disclose the duration they will retain each category of personal information, the purpose for which they retain the personal information, and the volume collected.  Misrepresentations would constitute a statutory violation.
  • Increased Penalties for Children’s Personal Information.  The CPRA triples the maximum penalties for any violations concerning children’s personal information (under the age of 16).  The new penalties may go up to $7,500 per intentional violation.
  • Third Party Requirements.  Businesses that share personal information with third-party service providers are required under the CPRA to enter into contracts extending the CPRA privacy requirements to the third parties.
  • Covered Business.  The CPRA also slightly updates who is a covered business required to comply, raising the threshold for buying, selling, or sharing personal information from 50,000 California consumers/households to 100,000.

Certain exemptions from the CCPA are retained in the CPRA, including exemptions for medical information or protected health information covered by HIPAA (Health Insurance Portability and Accountability Act) and HITECH (Health Information Technology for Economic and Clinical Health Act).  In addition, the CPRA extends the CCPA’s exemption for employee information and business-to-business data until January 1, 2023.

What impact will the CPRA have?

The CPRA becomes effective on January 1, 2023.  The CPRA will apply to personal information collected on or after January 1, 2022.  While many details still need to be clarified and defined through regulation, the impact of the CPRA will likely be significant as the concept of sharing is much broader in scope than selling.  The passage of another stringent privacy law in California may boost the likelihood of a comprehensive federal privacy law in the near term.

Beckage’s California Privacy Team continues to actively monitor updates to the privacy landscape and the impacts the new data privacy law will have. The CPRA underscores the importance of operationalizing robust data security and privacy practices that can stand the test of time and adapt to the evolving consumer privacy landscape.  To learn more about the impact the CCPA and the CPRA may have on your business, reach out to our team of attorneys.

*Attorney Advertising. Prior results do not guarantee future outcomes.


The California Consumer Privacy Act (“CCPA”) went into effect on January 1, 2020, and with it came expanded data breach laws and an increased risk of litigation. Attorney General enforcement of privacy-related suits cannot be initiated until six months after final regulations are approved by the California Attorney General or July 1 (whichever comes first); data breaches, however, are subject to enforcement via a plaintiff’s private right of action now.

In fact, substantial data breach litigation has already begun under the CCPA, primarily in the form of consumer class actions brought in federal courts in California.

Businesses should be aware and prepared to comply with the data breach compliance requirements of the CCPA in the event of a data breach incident, as discussed below, or risk facing litigation.

Breach Defined

The CCPA provides consumers with a limited private right of action when “nonencrypted and nonredacted personal information…is subject to an unauthorized access and exfiltration, theft, or disclosure as a result of the business’ violation of the duty to implement and maintain reasonable security procedures and practices appropriate to the nature of the information.” Violations are subject to penalties of $100 to $750 per incident, actual damages, and injunctive relief.

Personal Information Defined

In order for a data breach to be actionable, the information breached must be personal information as narrowly defined by California’s data breach notification law, Section 1798.81.5, not the broad definition included in the CCPA.  For the private right of action for data breaches, personal information means:

An individual’s first name or first initial and the individual’s last name in combination with any one or more of the following data elements…:

(i) Social security number.

(ii) Driver’s license number, California identification card number, tax identification number, passport number, military identification number, or other unique identification number issued on a government document commonly used to verify the identity of a specific individual.

(iii) Account number or credit or debit card number, in combination with any required security code, access code, or password that would permit access to an individual’s financial account.

(iv) Medical information.

(v) Health insurance information.

(vi) Unique biometric data generated from measurements or technical analysis of human body characteristics, such as a fingerprint, retina, or iris image, used to authenticate a specific individual.

This narrower definition of personal information should work to limit the availability of CCPA’s private right of action.

What Constitutes “Reasonable Security?”

The CCPA does not define “reasonable security” and the California Attorney General has not yet offered guidance on the subject. However, some California regulators have endorsed certain security measures as providing “reasonable security” in contexts outside of the CCPA.  

For example, the former California Attorney General, Senator Kamala Harris, provided clear guidance on what she considered reasonable security in the February 2016 California Data Breach Report. As highlighted in the report, covered entities should look to the Center for Internet Security’s list of 20 Critical Controls (“CIS Controls”) as a potential baseline security standard for reference. The CIS Controls consist of twenty key actions, including authentication, incident-response plans, data-protection policies, and other security safeguards. Although these CIS Controls are not prescriptive safeguards for CCPA compliance, they are a good place to start.

Notice and Cure Period

Before bringing an action for a security breach, the CCPA requires consumers to provide covered businesses with 30 days’ written notice identifying the specific provisions the business allegedly violated. Businesses then have 30 days to address and resolve the violations without penalty. Businesses that fail to cure the violation open themselves up to civil action for monetary damages, injunctive relief, and any other relief the court deems proper.

CCPA Prohibition

The CCPA does appear to prohibit the commencement of lawsuits which leverage the CCPA to state other claims. The CCPA explicitly prohibits consumers from using alleged CCPA violations “to serve as the basis for a private right of action under any other law,” thus prohibiting a plaintiff from alleging that a CCPA violation constitutes a violation of the California Unfair Competition Law, Cal. Bus. & Prof. Code §§ 17200, et seq. or other statutes. However, as described in other blogs, this has not stopped plaintiffs from bringing just these types of claims. Judicial decisions are required on the scope and enforceability of the CCPA’s prohibition on non-CCPA claims.

Takeaway

Businesses should continue to follow CCPA developments and carefully monitor related litigation in the coming months for further clarity on enforcement and compliance. CCPA data breach litigation is expected to increase considerably as plaintiffs take advantage of the CCPA’s private right of action for data breaches resulting from a company’s failure to implement and maintain “reasonable” security measures. Beckage will continue to provide updates as they become available. Additionally, AG enforcement of the CCPA data breach and privacy provisions is expected to commence soon, providing an additional layer of enforcement activity that businesses must be aware of. The Beckage team will continue to provide timely updates on the CCPA landscape and potential claims, and is available to discuss practical low-cost, high-impact tips for mitigating CCPA litigation risk.

Update: CCPA Takes Effect, AG Releases Advisory

As the groundbreaking California Consumer Privacy Act (CCPA) took effect on January 1, many were still working to understand the new requirements for businesses and the rights bestowed on consumers. The California attorney general (AG) followed up on January 6 with a CCPA advisory press release reviewing the regulations and restating that California residents are now afforded new, more stringent data privacy rights. The CCPA has been big news for anyone who does business in California. But the million-dollar question for New York-based companies that handle CA consumer data is whether the CCPA applies to them.  While we still await clarity on many of the key components of the Act, the recent advisory does provide some useful reminders for businesses to think about.

Looking Back: Top Privacy and Cybersecurity Headlines from 2019

In the fast-paced, ever-evolving world of privacy and cybersecurity law, gathering the biggest news from 2019 was no small feat – from new laws and landmark cases, to major technological developments and international guidelines, it was a busy year for anyone trying to stay up to date. But Beckage has narrowed down the top privacy and cybersecurity stories that shaped last year:

Yesterday California Attorney General Published Proposed Regulations As States Privacy Law CCPA Effective Date Rapidly Approaches

With only a few months left before the landmark California Consumer Protection Act (CCPA) takes effect, yesterday the California Attorney General announced Proposed Regulations implementing the CCPA. By way of background, the CCPA comes into effect January 1, 2020 and will put in place some of the strictest guidelines the US has seen regarding the collection and processing of personal information of California residents. While the law addresses the processing of personal information of California residents, the CCPA is likely to have far-reaching impacts on businesses across the nation, including New York-based businesses. The text of the CCPA can be found here.
