California voters support the California Privacy Rights Act
CCPA, we hardly knew ye. While support may not have matched pre-election polling, Californians passed Proposition 24, a ballot initiative that creates the California Privacy Rights Act (CPRA) and substantially expands the privacy rights of California consumers. If this sounds familiar, it should. Just over two years ago, then-Governor Jerry Brown signed the California Consumer Privacy Act (CCPA), designed to enhance privacy rights and consumer protection for California residents, and it went into effect a short 11 months ago.
Why the need for change? In short, CPRA is seemingly the privacy law that was envisioned during the push for, and drafting of, the CCPA, but what came out of that push lacked the teeth that supporters envisioned. Recall that CCPA was born out of an effort to stave off a ballot initiative that would likely have proven even more onerous for business. Indeed, drafters of the CCPA set off on a hurried process that left out key stakeholders in an effort to get something onto the governor’s desk that would satisfy the Alastair Mactaggart-backed group, Californians for Consumer Privacy. It worked — for a time. Not long after CCPA’s passage, however, Mactaggart set his eyes on drawing California’s privacy laws closer to the European Union’s General Data Protection Regulation.
Ask anyone who spent time preparing their business for CCPA compliance and they will tell you that it was not an easy lift. With the passage of CPRA, that lift just added a few pounds. The most notable changes include:
- Expanding the CCPA’s “do not sell” provisions into something akin to “do not share”
- Creating a new state agency, the California Privacy Protection Agency, governed by an appointed, five-member board with “full administrative power, authority, and jurisdiction to implement and enforce” CPRA (and $10M in funding from the legislature)
- An expanded definition of “sensitive personal information” and an attendant level of restrictions on the use of such information
- New rights for consumers to correct inaccurate personal information, prevent businesses from storing data longer than necessary, limit businesses from collecting more data than necessary, and an expansion of the non-discrimination provisions to prevent retaliation against consumers who exercise their privacy rights
- Expanding the private right of action under CPRA to apply to the unauthorized access or disclosure of a consumer’s email address if it is combined with a password or security question that would permit access to the account and if the business failed to maintain reasonable security
- Permitting the California Privacy Protection Agency to administer fines of $2,500 for each statutory violation or up to $7,500 for intentional violations or violations involving a child’s personal information
Hopes for amendments to the CPRA, in an effort to carve broad exceptions into its reach, are not likely to come to fruition. Since voters approved CPRA, it cannot be easily amended without requiring additional voter action. That stands in stark contrast to the legislatively enacted CCPA, which saw a number of significant amendments to its original text and is on its third set of proposed modifications as of mid-October 2020. Along those lines, keep an eye on the CPRA rulemaking process, as it now falls to the newly created California Privacy Protection Agency, rather than the California Attorney General’s Office.
Despite these changes, don’t throw out your CCPA notices just yet. The requirements for businesses subject to the CPRA do not go into effect until January 1, 2023, and they are not enforceable until July 1, 2023. Additionally, with the exception of the “Right to Know” requirements, many of CPRA’s substantive requirements only apply to personal information collected after January 1, 2022. In the meantime, CCPA remains operational.
Where do businesses begin? Start by assessing your compliance with CCPA. Enforcement is well under way and CCPA compliance may prove to be a necessary building block in driving toward CPRA compliance. From there, understand your data. What do you collect? Why? How is it stored and for how long? Answering these questions yields a more fruitful development of policy and procedure. Beyond that, look to your vendor relationships and how you have been internally operationalizing consumer privacy requirements.
Finally, keep an eye out for what 2021 may bring in terms of federal privacy legislation.
This is for informational purposes only. It is not intended to be legal advice and does not create or imply an attorney-client relationship.