On November 5th, California voters passed Proposition 24, a ballot initiative that expands consumer rights and regulatory enforcement authority under the California Consumer Privacy Act of 2018 (CCPA). The ballot initiative, titled the California Privacy Rights Act of 2020 (CPRA), imposes new compliance obligations on affected businesses less than a year after the CCPA went into effect. Even though the CPRA is not effective until Jan. 1, 2023 (and will not be enforceable until six months after that), businesses should immediately begin revising their privacy policies and procedures given the complexities of the new law and the fact that the CPRA applies to personal information collected by a business on or after Jan. 1, 2022.
Among other things, the CPRA does the following:
- Establishes the California Privacy Protection Agency: The California Privacy Protection Agency is a new agency dedicated to enforcing the state’s consumer data privacy laws. Previously, the state’s attorney general’s office was tasked with implementing and enforcing the CCPA, but the attorney general’s office stated that it only had the resources to pursue a couple of cases each year. The California Privacy Protection Agency is a stand-alone agency dedicated to protecting privacy and will investigate and adjudicate potential violations, assess penalties for violations and assume rulemaking authority.
- Defines a new category of “sensitive personal information”: “Sensitive personal information” includes a consumer’s social security, driver’s license, state identification and passport numbers; a consumer’s account log-in, financial account, debit card or credit card number in combination with any required security or access code, password or credentials allowing access to an account; a consumer’s precise geolocation; a consumer’s racial or ethnic origin, religious or philosophical beliefs, or union membership; the contents of a consumer’s mail, email and text messages (unless the business is the intended recipient of the communication); a consumer’s genetic data; the processing of biometric information for the purpose of uniquely identifying a consumer; and personal information collected and analyzed concerning a consumer’s sex life or sexual orientation.
- Limits businesses’ use of sensitive personal information: The CPRA requires businesses to disclose whether the business collects sensitive personal information, the types of sensitive personal information collected, the purpose for which the sensitive personal information is collected and the length of time that the business intends to retain the sensitive personal information. Further, the CPRA allows consumers to opt out of having their sensitive personal information used or disclosed for advertising or marketing.
- Requires businesses to correct a consumer’s inaccurate personal information upon the consumer’s request: Under the CPRA, a business must correct any inaccurate personal information maintained by the business upon the consumer’s request.
- Prohibits businesses from sharing or selling a consumer’s personal information to third parties if requested by a consumer: Under the CPRA, a consumer may, at any time, direct a business that sells or shares personal information about the consumer to third parties not to sell or share the consumer’s personal information.
- Imposes additional protections for children’s data: The CPRA prohibits businesses from selling or sharing the personal information of consumers if the business has actual knowledge that the consumer is less than 16 years of age, unless the child (in the case of children 13-16 years old) or the child’s parent or guardian (in the case of children who are less than 13 years of age) affirmatively authorizes the sale or sharing of the personal information. In addition, the CPRA triples maximum penalties for violations concerning consumers under the age of 16.
- Limits the length of time in which businesses may retain consumers’ personal information and sensitive personal information: The CPRA prohibits businesses from retaining a consumer’s personal information or sensitive personal information for longer than reasonably necessary for the disclosed purpose for which the information was collected. This provision likely will lead to specific rulemaking or litigation on what is “reasonably necessary.”
- Requires businesses to adopt reasonable security measures with respect to personal information: The CPRA expressly requires businesses to implement reasonable security procedures and practices appropriate to the nature of the personal information to protect the personal information from unauthorized or illegal access, destruction, use, modification or disclosure. Because the term “reasonable security practices and procedures” is open to interpretation, this section will also be subject to significant disagreement and dispute.
Although the CPRA has only just passed, businesses have a short window of time to implement new policies and procedures that comply with this new law. If you would like assistance in crafting these policies or procedures or in interpreting the CPRA, please feel free to contact Mark Rasch (firstname.lastname@example.org / 301.547.6925), Andrew Wilber (email@example.com / 216.736.7298) or any member of KJK’s Cybersecurity, Data Breach, and Privacy Team.
KJK publications are intended for general information purposes only and should not be construed as legal advice on any specific facts or circumstances. All articles published by KJK state the personal views of the authors. This publication may not be quoted or referred to without our prior written consent. To request reprint permission for any of our publications, please use the “Contact Us” form located on this website. The mailing of our publications is not intended to create, and receipt of them does not constitute, an attorney-client relationship. The views set forth herein are the personal views of the author and do not necessarily reflect those of KJK.