November 4, 2020

Proposition 24 and the California Privacy Rights Act of 2020 (CPRA) Modify and Expand the CCPA

Before we could know the efficacy of the California Consumer Privacy Act of 2018 (CCPA), which became effective January 1, 2020, California residents passed Proposition 24, the California Privacy Rights Act of 2020 (CPRA), which takes effect January 1, 2023. The CPRA makes several amendments to the CCPA, such as granting new rights to consumers, imposing greater penalties on businesses for certain violations, and creating a new state enforcement agency. The CPRA also enacts protections for the personal information of children under the age of 16.

While the CPRA will not take effect until January 1, 2023, it is important for businesses to understand how the CCPA will be impacted. The chart below is not exhaustive, but highlights some of these changes:

| Modification | Effect on the CCPA |
| --- | --- |
| Broadens and Restricts the Entities Subject to the Act | In addition to businesses that buy or sell personal information, the CPRA expands the CCPA’s reach to include businesses that share personal information. The CPRA, however, narrows the application of the CCPA to only those businesses that buy, sell, or share the personal information of 100,000 or more consumers or households, which is an increase from the original 50,000 threshold. This will limit the applicability to small and midsize businesses. |
| Broadens the Type of Personal Information Subject to the Act | The CCPA will now apply to a new dataset called “sensitive personal information,” which may include Social Security Numbers, driver’s license numbers, and account log-in or debit/credit card information in combination with a password or PIN, among other pieces of information. This category is subject to new disclosure and purpose limitation requirements. |
| Consumers Have the Right to Opt-Out of Cross-Context Behavioral Advertising | Consumers will now have the right to opt out of “cross-context behavioral advertising,” or the collection of a consumer’s activities across different websites or even different devices for the purposes of personalized and targeted advertising. Consumers have this right regardless of whether the “cross-context behavioral advertising” constitutes a “sale” of personal information. |
| Business-to-Business and Employee Data | The CCPA’s exemption of business-to-business and employee data was set to expire January 1, 2021, but the CPRA extends these exemptions until January 1, 2023. However, businesses must disclose to job applicants, employees, and independent contractors the categories of personal information that are collected and for what purpose. The CPRA also extends anti-discrimination and anti-retaliation rights to employees who exercise their rights. |
| Large Fines for Violations Involving Children’s Data | Fines are tripled for violations involving children’s information. The CCPA currently fines businesses $2,500 for each violation and $7,500 for intentional violations. Starting January 1, 2023, violations involving children’s data are fined the same as intentional violations. |
| Removal of Notice-and-Cure | Businesses will no longer be allowed a 30-day period to cure violations following notice of a violation. |
| California Privacy Protection Agency: New State Enforcement Agency | Allocates $10 million per year to a new state agency to investigate and enforce against violations of consumer privacy laws. |

Once the CPRA takes effect, consumers should be presented with at least three opt-out choices:

  1. A global opt-out from the sale and sharing of personal information;
  2. A choice to “Limit the Use of My Sensitive Personal Information”; and
  3. A choice for “Do Not Sell/Share” and “Limit the Use of My Sensitive Personal Information” for “Cross-Context Behavioral Advertising.”

Businesses must be vigilant about getting privacy compliance and privacy implementation correct on the first try since they will no longer have the ability to cure violations.

The above discussion is not exhaustive of all of the implications of the CPRA’s effect on the CCPA. Businesses should carefully evaluate privacy practices in light of these changes and adjust their policies and procedures accordingly.