California voters have approved Proposition 24, known as the California Privacy Rights Act (CPRA). CPRA aims to reinforce and redefine parts of the California Consumer Privacy Act (CCPA), which significantly complicated the data privacy framework within the United States when it began to regulate how companies can collect and use consumers’ personal data.
The passage of Proposition 24 and the eventual establishment of a brand-new state agency, the California Privacy Protection Agency (PPA), to enforce the CPRA and related data protection laws, is a major milestone for data privacy in the U.S. that further complicates the compliance landscape for businesses that do business in California.
The CPRA will place additional compliance burdens on businesses and will go into effect in 2023. The new law provides additional protections for sensitive personal information, expands CCPA’s opt-out rights to include new types of information sharing, and requires businesses to provide additional mechanisms for individuals to access, correct, or delete data, with a particular emphasis on information used by automated decision-making systems.
The CPRA also doubles the threshold amount of personal information that a business must process in order for it to be subject to the law, from 50,000 consumers or households up to 100,000 consumers or households.
Additional Consumer Rights and Business Obligations
The most significant changes in the CPRA are that it expands the right to opt-out of sharing of information and establishes new rights to limit businesses’ use of sensitive personal information. “Sensitive personal information” is a newly defined term that includes information about sexual orientation, race, ethnicity, precise geolocation, and health conditions.
- Expanded Opt-Out Right. The CCPA previously allowed California residents to request to opt-out of the sale of their personal information. The CPRA expands this opt-out right to include both the “sale” and “sharing” of their information, including disclosing personal information to third parties for “cross-context behavioral advertising.”
- Expanded Right to Access. The CCPA allowed California consumers to request access to all categories of personal information collected by companies over the preceding 12 months. The new law does away with the 12-month window. Businesses will now be required to provide access to all categories of personal information collected on the individual at any time, “unless doing so proves impossible or would involve a disproportionate effort.”
- Correction Right. A California consumer has the right to request that a business correct inaccurate personal information that the business maintains, and the business collecting this information must “use commercially reasonable efforts” to correct the inaccurate information upon request and disclose to the consumer their right to request a correction.
- Limited Uses of Sensitive Information. California consumers have a new right to limit the use and disclosure of sensitive personal information, including information relating to sexual orientation, race, ethnicity, precise geolocation, and health conditions. Upon request, businesses must not only stop selling or sharing sensitive information, but limit any internal use of such information.
- Data Minimization. The CPRA provides for a new general obligation that a business’s collection, use, retention, and sharing of a consumer’s personal information “shall be reasonably necessary and proportionate to achieve the purposes for which the personal information was collected or processed, or for another disclosed purpose that is compatible with the context in which the personal information was collected, and not further processed in a manner that is incompatible with those purposes.”
- Additional Notification Obligations. In addition to informing consumers of the categories of personal information collected, businesses must now disclose the categories of sensitive personal information collected, the purposes of such collection, whether that information is sold or shared, and the length of time that the business intends to keep each category of information.
- Loyalty Programs. The CPRA clarifies that the CCPA’s anti-discrimination provision does not prohibit a business from offering loyalty, rewards, premium features, discounts, or club card programs in exchange for consumers agreeing to provide their personal information to the business.
Expanded Enforcement Mechanisms
Under the CPRA, California must create a state agency, the California Privacy Protection Agency (PPA), to enforce the CPRA and related data protection laws by 2023.
This expands the enforcement power that was previously limited to the state attorney general’s office. A five-seat board will govern this new agency, with seats appointed by the governor, state attorney general, state Senate rules committee, and speaker of the state Assembly.
The makeup of the new board will determine how the CPRA’s new requirements are interpreted and enforced.
The CPRA also triples penalties for violations involving minors under the age of 16 and removes the 30-day cure period currently available to companies under the CCPA. The CCPA’s narrow private right of action for security breaches remains unaltered.
The timeline for funding, rulemaking, and enforcement for the PPA is as follows:
- Certification of Passage (2020): Votes on Proposition 24 may be counted as late as November 20, which is the deadline for California to receive mail-in ballots postmarked by November 3. Analysts do not expect mail-in ballots to change the outcome of Proposition 24’s passage.
- Funding of PPA (2020): The CPRA becomes effective five days after the California Secretary of State files “the statement of the vote for the election.” Funding efforts and establishment of the PPA are therefore likely to begin late this year or early 2021.
- Adopting Regulations (2021–2022): The new agency may begin exercising its rulemaking authority as early as July 1, 2021, or six months after the agency provides notice to the Attorney General that it is prepared to begin rulemaking. The agency is expected to adopt final regulations by July 1, 2022.
- Obligations Effective (January 1, 2023): Businesses must comply with the CPRA’s obligations by January 1, 2023. Obligations under the CPRA will apply to all personal information collected by a business on or after January 1, 2022.
- Enforcement (July 1, 2023): Civil and administrative enforcement of the CPRA’s provisions may commence on July 1, 2023, and shall only apply to violations occurring on or after that date. Importantly, there is no gap between CCPA and CPRA enforcement. The CCPA will continue to be enforceable until the same provisions of the CPRA become enforceable.
Adams and Reese’s Privacy, Cybersecurity and Data Management Team will continue to monitor the California legislature’s action on Proposition 24 and the eventual PPA board’s regulatory actions.