California Voters Make CCPA 2.0 a Reality – California Privacy Rights Act Ballot Measure Passes

November 10, 2020 On November 3, 2020, California voters approved Proposition 24, otherwise known as the California Privacy Rights Act (CPRA), a ballot measure that will expand the privacy protections for California residents under the existing California Consumer Privacy Act (CCPA). Effective January 1, 2023, the CPRA significantly amends the CCPA by expanding consumer rights, heightening privacy protections, and establishing an enforcement agency dedicated to protecting consumers through vigorous enforcement of the law. 

By: Scarlett Scanlan, Bryan M. Thompson, and Elizabeth R. Dill

On November 3, 2020, California voters approved Proposition 24, otherwise known as the California Privacy Rights Act (CPRA), a ballot measure that will expand the privacy protections for California residents under the existing California Consumer Privacy Act (CCPA). Effective January 1, 2023, the CPRA significantly amends the CCPA by expanding consumer rights, heightening privacy protections, and establishing an enforcement agency dedicated to protecting consumers through vigorous enforcement of the law. 

The CPRA’s approval by California voters adds further complication to the already complex privacy compliance landscape for businesses that operate or have customers in the Golden State. In subsequent Digital Insights posts, we will provide in-depth analyses about the CPRA’s terms and how it will fundamentally amend the CCPA and, consequently, alter businesses’ California privacy compliance efforts. For now, we address some key aspects of the new legislation that businesses subject to the CCPA should be aware of.

Modified Definition of a Subject Business 

The CPRA modifies the CCPA’s thresholds of “businesses” that are subject to its provisions:

  • The CPRA clarifies the revenue threshold for subject businesses to those that have annual gross revenues in excess of $25 million in the proceeding calendar year;
  • Under the CCPA, a subject business is one that buys or sells OR receives or shares personal information of 50,000 or more consumers, households, or devices for commercial purposes. The CPRA raises that threshold to 100,000, and removes from its definition businesses that only receive information (as opposed to those that buy, sell, or share personal information), reducing the CCPA’s applicability to small and medium size businesses.
  • The CPRA expands the CCPA’s applicability to include businesses that generate most of their revenue from sharing personal information (rather than selling it), which is defined as sharing with third parties for purposes of cross-context behavioral advertising.     

New Category of Personal Information 

Akin to the European Union’s General Data Protection Regulation (GDPR), the CPRA seeks to add protection for individuals’ “sensitive personal information.” “Sensitive personal information” includes an individual’s race, ethnicity, religion, genetic information, sexual orientation, precise geolocation, union membership, content of nonpublic communications (such as mail, email and text messages), sex life, or sexual orientation information, in addition to government identifiers (such as Social Security numbers and driver’s licenses) and financial account and login information.

New and Expanded Consumer Rights 

  • Right to Correction: Consumers may request any correction of their personal information held by a business if that information is inaccurate.
  • Right to Opt Out of Automated Decision Making Technology: The CPRA authorizes regulations allowing consumers to opt out of the automated decision making technology, including “profiling” in connection with decisions related to a consumer’s work performance, economic situation, health, personal preferences, interests, reliability, behavior, or movements.
  • Right to Access Information About Automated Decision Making: The CPRA authorizes regulations that allow consumers to make access requests seeking meaningful information about the logic involved in the automated decision making process and a description of the likely outcome of that process. 
  • Right to Restrict Sensitive Personal Information: Consumers may limit the use and disclosure of sensitive personal information for certain secondary purposes, including prohibiting businesses from disclosing sensitive personal information to third parties, subject to exceptions.

Modified Consumer Rights

  • Modified Right to Delete: Businesses are now required to notify third parties to delete any consumer personal information bought or received, subject to specific exceptions.
  • Expanded Right to Opt Out: The CCPA already grants consumers the right to opt out of the sale of their personal information to third parties, which implicitly includes sensitive personal information. However, the opt-out right now covers “sharing” of personal information for cross-context behavioral advertising.
  • Strengthened Opt-In Rights for Minors: Extends the opt-in right to explicitly include the sharing of personal information for behavioral advertising purposes. As with the opt-out right, businesses must wait 12 months before asking a minor for consent to sell or share his or her personal information after the minor has declined to provide it.
  • Expanded Right to Data Portability: Consumers may request that the business transmit specific pieces of personal information to another entity, to the extent it is technically feasible for the business to provide the personal information in a structured, commonly used, and machine-readable format.

Enforcement 

Under the CPRA, California will create a specific state agency dedicated to implementing and enforcing the CCPA, the first of its kind in the United States and akin to EU data protection authorities. Currently, enforcement of the CCPA is one of many responsibilities of the California Attorney General. The CPRA grants that authority to the California Privacy Protection Agency (CPPA), which will have administrative power as well as authority and jurisdiction to enforce the CCPA. Penalties will be tripled for violations regarding minors under the age of 16.

Critically, the CPRA expands the CCPA’s private right of action for consumers to cover a breach of an email address in combination with a password and security question and answer permitting access to the email account. Most notably, the CPRA would remove the 30-day cure period that businesses currently enjoy under the CCPA after being formally notified by the Attorney General of an alleged violation, eliminating the right of businesses to come into compliance before facing penalties. 

Exemptions 

The CPRA extends business-to-business (B2B) exemption to January 1, 2023, which will allow the California Legislature to address employee and B2B privacy questions in a separate bill. Under the CCPA, these exemptions sunset January 1, 2022.

We will continue to monitor developments around the implementation of this new law. Subscribe to this blog for further updates and analysis on how the CPRA will amend the CCPA and impact businesses operating in California.