California voters have approved Proposition 24, the California Privacy Rights and Enforcement Act of 2020 (CPREA). Although this controversial ballot measure was meant to expand and make permanent the consumer protections within the California Consumer Privacy Act of 2018 (CCPA), privacy groups have expressed concern that the new law will place an unnecessary burden on businesses that are only now learning how to properly comply with the CCPA and that it may actually reduce consumer rights in important ways. Prop 24 was approved with 56 percent of the vote.
Given the essentially unlimited resources of large technology companies and other Silicon Valley-based opponents of the CCPA, the organizers behind Prop 24 feared that the California Legislature could weaken those protections in the future. The only way to reverse the voter-approved CPREA is through a future ballot initiative.
Among other things, the CPREA includes provisions that allow consumers to direct businesses not to share their personal information, remove the time period in which businesses can fix violations before being penalized and create a privacy protection agency to enforce the state's consumer data privacy laws.
What businesses are covered under the CPREA?
The CPREA modifies the criteria for covered businesses under the CCPA to include businesses that:
- Earn $25 million in annual revenue. The CCPA has the same requirement.
- Alone or in combination with service partners annually buy, sell or share personal information of 100,000 or more consumers or households. The CCPA's threshold is 50,000 or more consumers, households or devices each year. The CPREA also does away with the "device" requirement, which has caused confusion because some persons own multiple devices.
- Earn 50 percent or more of their annual revenue from selling or sharing consumers' personal information. "Sharing" is a term that relates primarily to use of a consumer's data for targeted advertising through service partners.
What are the primary changes to protection of customer data?
The law goes into effect in January 2023 and has a "look back" provision to January 2022. It provides consumers with greater control over how businesses collect, use and share their data. Covered businesses will be required to:
- Refrain from sharing or selling a consumer's personal information to third parties upon the consumer's request
- Disclose whether the business collects "sensitive personal information," the types of sensitive personal information collected, the purpose for which the sensitive personal information would be collected, and the length of time that the business intends to retain the sensitive personal information
- Provide consumers with the ability to opt out of having their sensitive personal information used or disclosed for advertising or marketing
- Correct a consumer's inaccurate personal information upon the consumer's request
- Obtain permission before collecting data from consumers who are younger than 16 years of age
- Obtain permission from a parent or guardian before collecting data from consumers who are younger than 13 years of age.
These requirements are in addition to the mandates of the CCPA, which requires covered businesses, upon the consumer's request, to:
- Disclose to the consumer the personal information that has been collected about the consumer and the commercial purpose of the information collected
- Refrain from selling a consumer's personal information to third parties
- Delete the consumer's personal information.
How is "sensitive personal information" defined?
The CPREA expands a consumer's protectable data. It defines "sensitive personal information" as personal information that reveals:
- A consumer's social security, driver's license, state identification card or passport number
- A consumer's account log-in, financial account, debit card number or credit card number in combination with any required codes, passwords or credentials allowing access to an account
- A consumer's precise geolocation
- A consumer's racial or ethnic origin, religious or philosophical beliefs, or union membership
- The contents of a consumer's mail, email and text messages (unless the business is the intended recipient of the communication)
- A consumer's genetic data
- A consumer's biometric information (for the purpose of identifying the consumer)
- Information concerning the consumer's health
- Information concerning a consumer's sex life or sexual orientation.
There are several exemptions for information used for certain purposes, including consumer credit reports, personal information collected for job applications, emergency contact information collected by a business and personal information needed to administer employment benefits. The consumer data requirements also cannot restrict a business's ability to comply with other laws or valid court orders and subpoenas.
What penalties are available?
The CPREA eliminates the CCPA's 30-day notice period to cure violations and has adopted the following penalties:
- Up to $2,500 for each violation
- Up to $7,500 for each violation involving the information of a person under the age of 16
- Up to $750 per consumer per data breach incident or actual damages, whichever is greater.
Creation of the California Privacy Protection Agency
The new California Privacy Protection Agency created by the CPREA will initially consist of a five-member board with seats appointed by the governor, the attorney general, the Senate rules committee and the speaker of the Assembly. The new agency's duties will include developing regulations, providing guidance to businesses and consumers, investigating and adjudicating violations, assessing penalties and promoting public awareness of consumers' rights.
The controversy around Prop 24
Prop 24 has been controversial in terms of both the need for the new law and its likely effect on data privacy. Supporters say that the CPREA will create a system to better enforce the CCPA, give consumers more control over most personal data, allow Californians to shield their precise location from tracking, triple fines on companies that violate the privacy of children and provide increased ability to hold companies accountable for failure to protect consumer data through regulatory enforcement and litigation.
Opponents caution that because the CCPA just went into effect this year, additional time should be allowed before changing it. There is concern that the new law will place an unnecessary burden on businesses that are only now learning how to properly comply with the CCPA and doing so in the midst of a pandemic. Some privacy groups that supported the CCPA, such as the American Civil Liberties Union and the Consumer Federation of California, have opposed Prop 24 on the basis that it may actually reduce consumer rights in important ways. The concerns include the delay of a rule that allows workers to determine what information employers collect about them, the ability of companies to take a consumer's data when he or she leaves California, and the preference for an "opt-in" system for consumer data collected and sold rather than the ability to "opt out." Opponents also are critical of the "pay for privacy" section that allows businesses to charge more to a consumer who does not allow the business to use the consumer's data.
Regardless of the controversy, the CPREA will soon be law in California, and covered businesses should begin to plan for compliance.