It goes without saying that November 3rd 2020 was an important day for the future of the nation, but it was also a significant day for the future of California privacy law. On Tuesday, a strong majority of California voters supported Proposition 24, a ballot measure which aims to expand and enhance the California Consumer Privacy Act (“CCPA”). The CCPA took effect in January and companies are still grappling with its compliance. Companies have overhauled their privacy programs and policies and designed new systems to comply with the CCPA, but now it looks like they will be back to the drawing board.
Proposition 24, titled the California Privacy Rights Act of 2020 (CPRA) (unofficially dubbed CCPA 2.0), amends the CCPA, which has been criticized for over broad definitions and ambiguous language. The CPRA expands the privacy rights of California residents and increases compliance obligations for companies.
Here are a few key aspects of the CPRA:
- New type of personal information – “sensitive personal information”. This new subset of personal information includes data elements such as social security number, driver license number, and financial account number. However, perhaps following the General Data Protection Regulation (GDPR) in the European Union, the term also includes, without limitation, a consumer’s racial or ethnic origin, religious beliefs, union membership, the contents of a consumer’s email and text messages (unless the business is an intended recipient), genetic information, and a consumers sex life and sexual orientation.
- New rights for consumers: limiting uses and disclosures and correcting inaccurate personal information. For the new subset of personal information, sensitive personal information, California consumers will have the right to request limitations on the use and disclosure of that information. Also, consumers also will have the right to ask businesses to correct inaccurate personal information maintained by the business.
- Changes to the Notice at Collection. Several changes and clarifications were made to the requirement to provide consumers a notice at collection. For example, the notice must now include a retention period for each category of personal information and sensitive personal information, or include criteria for determining the retention period if setting a retention period is not possible.
- Enhanced protections for children’s data. The CPRA triples fines for collecting and selling information of minors under 16 years of age.
- Creates enforcement arm. Establishes the California Privacy Protection Agency that, in addition to the California Department of Justice, will enforce and implement consumer privacy laws and impose fines.
- Adds data retention requirement. Prohibits businesses’ retention of personal information or sensitive personal information for longer than reasonably necessary for the disclosed purpose for which the information was collected.
- Adds a specific data security requirement. Prior to the CPRA, the CCPA did not expressly require businesses to maintain reasonable safeguards to protect personal information, although it added a private right of action for data breaches cause by a failure to maintain reasonable safeguards. The CPRA expressly requires businesses to implement reasonable security procedures and practices to protect personal information from unauthorized or illegal access, destruction, use, modification, or disclosure in accordance with Cal. Civ. Code 1798.81.5.
- Expands written agreement requirements. Businesses collecting personal information and then sharing/selling it to a third party, or disclosing it to a contractor or service provider will need to enter into written agreements that contain certain required provisions. A couple of the required provisions include (i) obligating the third party, contractor, or service provider to comply with CCPA/CPRA as applicable, and (ii) granting the business the right to take reasonable steps to ensure the third party, contractor, service uses the personal information consistent with CCPA/CPRA.
- Increased exposure to liability in the event of a data breach. The CCPA included a private right of action in the event a business experienced a data breach affecting a subset of personal information due to the failure to have reasonable safeguards to protect that information, and the failure to cure following notice. The CPRA adds a consumer’s email with password or security question to the subset of personal information that, if breached, could trigger a private right of action, if a hacker was able to access a consumer’s email account. Also, the CPRA clarifies that implementing and maintaining reasonable security procedures and practices to protect personal information under Cal. Civ. Code 1798.81.5 following a breach will not be a cure with respect to that breach.
- Extension of the employee personal information and “B2B” (business to business) exemptions. In September the California assembly passed AB1281, which extended the CCPA’s exemptions for employee personal information and “B2B” personal information to January 1, 2022 (both exemptions were set to sunset on January 1, 2021). The CPRA now extends that exemption until January 1, 2023. Note, that some employee and “B2B” personal information remains subject to the CCPA’s private right of action, if that personal information is involved in a data breach and reasonable safeguards were not put in place.
The CPRA becomes effective on or after January 1, 2022 (other than for access requests), but will not be operative until January 1, 2023.
“We are at the beginning of a journey that will profoundly shape the fabric of our society by redefining who is in control of our most personal information and putting consumers back in charge of their own data,” Alastair Mactaggart, chair of Californians for Consumer Privacy and Proposition 24 sponsor, said in a statement.
Companies will have to once again review their privacy programs and likely amend further to comply with CPRA’s new requirements. That said, the CPRA generally becomes operative January 1, 2023, and during that time California regulators are expected to provide additional information on compliance and enforcement implications of the new law.
Companies should continue to monitor CCPA/CPRA developments, and ensure their privacy programs and procedures remain aligned with current compliance requirements.