CPRACalifornia Passes Proposition 24 on Consumer Privacy

California Passes Proposition 24 on Consumer Privacy

Businesses that have worked hard to implement California Consumer Privacy Act (CCPA) compliance initiatives will have a whole new set of privacy standards to comply with in the very near future.  California’s Proposition 24, also known as the California Privacy Rights Act (CPRA), has passed, expanding the state’s consumer privacy regulations. 

The CCPA, which passed only two years ago, the final regulations of which were just released earlier this year, will remain in effect until the CPRA becomes effective on January 1, 2023.  The CPRA expands the CCPA, adding new privacy rights aimed at strengthening consumer privacy. 

Among the changes introduced by the CPRA is the creation of a new, five-member agency with regulatory authority for enforcement of both the CCPA and CPRA.  The California Privacy Protection Agency will take over enforcement authority from the California Attorney General and dramatically change the way privacy rights are handled.  The Agency will be empowered to issue guidelines and impose fines on businesses who fail to comply. The Agency is slated to take over on July 1, 2021.

What is new in the CPRA? 

The CPRA modifies the CCPA in some meaningful ways by introducing new privacy rights and obligations pertaining to certain categories of personal information.  The updates will likely have a significant impact on companies that do business in California.  

New provisions of the CPRA include:

  • Sensitive Personal Information. The CPRA introduces a newly defined category of personal information that includes things like social security number, driver’s license number, passport number, sexual orientation, biometric data, health and financial information, and precise geolocation.
  • Additional Consumer Rights.  In addition to the rights conferred upon consumers under the CCPA, under the CPRA consumers will have additional rights, including the right to:
    • correct personal information;
    • know the length of data retention;
    • opt-out of geolocation utilization;
    • limit businesses from collecting more data than necessary;
    • restrict usage of sensitive personal information;
    • know what personal information is sold or shared and to whom;
    • prevent retaliation for exercising privacy rights.
  • Sharing of Data.  Of note, the CPRA allows consumers to opt out of the sharing of their personal information (rather than sale) for “cross-context behavioral advertising.”  This change is intended to close a perceived loophole in the CCPA that some businesses have relied on to avoid compliance.  This means businesses who do not sell data but share for digital advertising purposes may have to comply.
  • Expanded Breach Liability.  The CPRA adds a private right of action for unauthorized access or disclosure of an email address and password or security question that would permit access to an account if the business failed to maintain reasonable security.
  • Disclosure Obligations.  Businesses will be required to disclose the duration they will retain each category of personal information, the purpose for which they retain the personal information, and the volume collected.  Misrepresentations would constitute a statutory violation.
  • Increased Penalties for Children’s Personal Information.  The CPRA triples the maximum penalties for any violations concerning children’s personal information (under the age of 16).  The new penalties may go up to $7,500 per intentional violation.
  • Third Party Requirements.  Businesses that share personal information with third-party service providers are required under the CPRA to enter into contracts extending the CPRA privacy requirements to the third parties.
  • Covered Business.  The CPRA also slightly updates who is a covered business required to comply, increasing the threshold from buying, selling, or sharing personal information from 50,000 California consumers/households to 100,000.

Certain exemptions from the CCPA are retained in the CPRA, including exemptions for medical information or protected health information covered by HIPAA (Health Insurance Portability and Accountability Act) and HITECH (Health Information Technology for Economic and Clinical Health Act).  In addition, the CPRA extends the CCPA’s exemption for employee information and business to business data until January 1, 2023.

What impact will the CPRA have?

The CPRA becomes effective on January 1, 2023.  The CPRA will apply to personal information collected on or after January 1, 2022.  While many details still need to be clarified and defined through regulation, the impact of the CPRA will likely be significant as the concept of sharing is much broader in scope than selling.  The passage of another stringent privacy law in California may boost the likelihood of a comprehensive federal privacy law in the near term.

Beckage’s California Privacy Team continues to actively monitor the updates to the privacy landscape and the impacts the new data privacy law will have. The CPRA underscores the importance of operationalizing robust data security and privacy practices that can stand the test of time and adapt to the evolving consumer privacy landscape.  To learn more about the impact the CCPA and the CPRA may have on your business reach out to our team of attorneys.

*Attorney Advertising. Prior results do not guarantee future outcomes.

Subscribe to our Newsletter.