California and the Ever-Changing Privacy Laws: The Brand-New California Privacy Rights Act

Clark Hill PLC

On November 3, 2020, Californians passed Proposition 24, also known as the California Privacy Rights Act (‘CPRA’). The CPRA expands the privacy protections contained in the California Consumer Privacy Act (CCPA) initially adopted in 2020. The CCPA will remain in force until January 1, 2023, when CPRA goes into effect, superseding the CCPA and providing consumers in California with new and expanded controlling rights over how businesses may use their personal information.

The CPRA makes one notable change that will benefit smaller businesses. A business falls under the purview of the CPRA if it buys, sells, or shares the personal information of 100,000 or more California consumers or households. This is double the previous threshold.

A business must also comply with the CPRA if it derives at least 50 percent or more of its annual revenue from selling or sharing the personal information of California consumers, and/or the business has gross revenue over $25 million in the preceding year.

The CPRA provides California consumers with the ability to instruct businesses not to use certain categories of sensitive information, such as biometric identifiers, race, health, religion, geolocation, sexual orientation, and other personal information. Businesses also cannot sell or share the personal information of consumers unless the consumer, who is at least 13 years of age and less than 16 years old, affirmatively authorizes the sale or sharing of the consumer’s information. If the consumer is less than 13 years old, the parents or guardians must affirmatively authorize the disclosure.

Businesses are also required to disclose, deliver, or correct inaccurate personal information or delete a consumer’s personal information within 45 days of receiving such a request from the consumer. The time period can be extended an additional 45 days when it is reasonably necessary for the business to comply. Consumers also have the right to opt out of a business’ sale or sharing of their personal information.

Another important provision in the CPRA provides funding for the California Privacy Protection Agency which would be charged with enforcing privacy laws. Once this new agency becomes fully operational, it is anticipated that investigations and enforcement actions of California consumer privacy violations will increase significantly.

Finally, and importantly, the CPRA expands the scope of a private cause of action granted to consumers by adding email addresses and passwords or security questions to the list of personal information, which, if subject to a data breach, may give rise to liability to affected consumers via a private cause of action.

The CPRA’s expansion of the CCPA’s privacy protections is not embraced by everyone. The ACLU, for one, was opposed to the law. It’s not hard to see why with provisions in the CPRA that permit businesses to charge consumers more for goods and services if they decide to opt-out of the sharing or selling of their personal information.

Nevertheless, California’s consumer privacy protection laws under the CCPA and now CPRA are the strongest in the country. Chances are that if Congress and other State legislatures propose new privacy legislation in the next few years, lawmakers will look to California’s laws as the blueprint.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Clark Hill PLC | Attorney Advertising

Written by:

Clark Hill PLC

Clark Hill PLC on:

Reporters on Deadline

"My best business intelligence, in one easy email…"

Your first step to building a free, personalized, morning email brief covering pertinent authors and topics on JD Supra:
*By using the service, you signify your acceptance of JD Supra's Privacy Policy.
Custom Email Digest
- hide
- hide

This website uses cookies to improve user experience, track anonymous site usage, store authorization tokens and permit sharing on social media networks. By continuing to browse this website you accept the use of cookies. Click here to read more about how we use cookies.