California Passes Prop 24 Amending the California Consumer Privacy Act
According to the California Secretary of State, Proposition 24 passed with 56.0% of the vote. Proposition 24, the California Privacy Rights Act (“CPRA”), amends the California Consumer Privacy Act of 2018 (“CCPA”), which became effective on January 1, 2020, with enforcement by the Attorney General’s office beginning on July 1, 2020.
The CPRA amends the CCPA and brings California’s privacy laws closer to the EU’s Regulation 2016/679 (General Data Protection Regulation (“GDPR”)).
The CPRA will become effective on January 1, 2023, and it has a “look back” to January 2022.
A Summary of the Additional Consumer Privacy Rights and Business Obligations Imposed by the CPRA
- Changes to the Threshold Requirement: While the $25 million annual revenue threshold is unchanged, the CPRA raises the threshold number of California residents whose personal information a business buys, sells, or shares from 50,000 to 100,000.
- Expanded the definition of “business” to include joint ventures or partnerships in which the business has at least a 40% interest.
- Added “Sensitive Personal Information” Definition and Consumers’ Right To Limit Use and Disclosure of Sensitive Personal Information: The CPRA adds a new category of personal information, sensitive personal information, which includes a consumer’s social security number, driver’s license, state identification card, or passport number; a consumer’s account log-in, financial account, debit card, or credit card number in combination with any required security or access code, password, or credentials allowing access to an account; a consumer’s precise geolocation; a consumer’s racial or ethnic origin, religious or philosophical beliefs, or union membership; the contents of a consumer’s mail, email, and text messages; a consumer’s genetic data and the processing of biometric information for the purpose of uniquely identifying a consumer; health information (not covered under HIPAA); and personal information collected and analyzed concerning a consumer’s sex life or sexual orientation.
The CPRA will give consumers the right, at any time, to direct the business that collects sensitive personal information to limit its use of such information.
- Added “Sharing” in Addition to “Selling” and Expanded Right to Opt-Out of Data Sharing: The CPRA will limit the “sharing” of personal information. Under the CPRA, sharing is defined as the transfer of personal information to a third party for “cross-context behavioral advertising.” The CPRA will require a mechanism for the consumer to “opt out” of a business sharing the consumer’s personal information with online ad networks. The type of mechanism required may be described in future regulations.
- Expanded Right to Access: Currently, under the CCPA right to access, California consumers can request access to all categories of personal information collected by companies over the previous 12 months. Beginning January 1, 2022, the CPRA will extend that 12-month window indefinitely. The CPRA will require that businesses provide access to all categories of personal information collected “unless doing so proves impossible or would involve a disproportionate effort.”
- Right to Correct Information: Under the CPRA, a consumer will have the right to direct a business to correct incorrect information.
- Data Retention: Under the CPRA, “a business’s collection, use, retention, and sharing of a consumer’s personal information shall be reasonably necessary and proportionate to achieve the purposes for which the personal information was collected or processed, or for another disclosed purpose that is compatible with the context in which the personal information was collected, and not further processed in a manner that is incompatible with those purposes.”
- Expands Employee and Business-to-Business Exemption: The CPRA extends the employee and business-to-business exemption until January 1, 2023, if no legislation addressing these issues is passed.
- Expanded Scope of “Security Breach”: The CPRA will extend the definition of security breach to include unauthorized access to an email address in combination with a password or security question and answer that would permit access to the consumer’s account.
- Enforcement and Fines: Primary enforcement responsibilities will remain vested with the state agency, with minor but significant changes. Specifically, the CPRA triples penalties for violations involving minors under the age of 16 and removes the 30-day cure period that businesses can currently use under the CCPA.
The CPRA also establishes a Consumer Privacy Fund and a new enforcement agency, the Consumer Privacy Protection Agency, which would be vested with full administrative power, authority, and jurisdiction to implement and enforce “the CCPA, as amended by the CPRA.”
Important CPRA Takeaways for Businesses That Have to Comply With CCPA (the “Businesses”)
- Good News for Businesses
  - The new threshold levels would exclude small businesses and start-ups: if a business receives or collects the personal information of fewer than 100,000 California residents, does not have more than $25 million in annual revenue, and does not derive 50% or more of its revenue from selling or sharing the personal information of California residents, it is not subject to the CCPA as amended by the CPRA.
  - Service providers would not only be contractually liable but would also have a statutory responsibility to process personal information in accordance with the CPRA and CCPA. This is good news for the Businesses that work with service providers, but may not be good news for the service providers themselves.
  - The CPRA allows Businesses to offer additional incentives, such as loyalty, rewards, premium features, discounts, or club card programs, to customers who do not opt out or do not exercise their rights under the CCPA as amended by the CPRA.
  - The employee and business-to-business moratoria are extended to January 1, 2023.
- Not Such Good News for Businesses
  - Out-of-state joint ventures and businesses in which the Business owns at least a 40% interest may be required to comply with the CCPA as amended by the CPRA.
  - Businesses that collect sensitive personal information will need to negotiate vendor contracts more carefully with any third-party companies that could have access to this data, such as CRM providers and payroll companies.
  - The use of tracking mechanisms to generate customized advertisements may become significantly more difficult.
  - The risk of being sued is greater for Businesses that offer customer accounts, because of the broader definition of “security breach.” To protect themselves, Businesses may need to make their login processes more secure, such as by requiring customers to use stronger passwords, to change their passwords periodically, or to use multi-factor authentication. All of these steps can add “friction” to the account setup or login process and are sometimes unpopular with customers.
  - The penalties for non-compliance are going up.
  - The 30-day cure period is going away, so enforcement may stop being a friendly effort to bring your business into better compliance and become a more threatening situation.
  - And, perhaps worst of all, the “necessary and proportionate” provision for data collection and retention means that it will be harder and harder to do the same things that businesses used to do with “big data.”
If you have any questions about this matter or any other privacy-related matter, please do not hesitate to reach out to Dawn Newton at email@example.com. Donahue Fitzgerald’s privacy attorneys are committed to providing your business with our best guidance and advice.