On November 3, 2020, Californians passed Proposition 24, also known as the California Privacy Rights Act (‘CPRA’). The CPRA expands the privacy protections contained in the California Consumer Privacy Act (CCPA) initially adopted in 2020. The CCPA will remain in force until January 1, 2023, when the CPRA goes into effect, superseding the CCPA and providing consumers in California with new and expanded rights to control how businesses may use their personal information.
The CPRA makes one notable change that will benefit smaller businesses. A business falls under the purview of the CPRA if it buys, sells, or shares the personal information of 100,000 or more California consumers or households. This is double the previous threshold.
A business must also comply with the CPRA if it derives 50 percent or more of its annual revenue from selling or sharing the personal information of California consumers, and/or the business has gross revenue over $25 million in the preceding year.
The CPRA provides California consumers with the ability to instruct businesses not to use certain categories of sensitive information, such as biometric identifiers, race, health, religion, geolocation, sexual orientation, and other personal information. Businesses also cannot sell or share the personal information of a consumer who is at least 13 years of age and less than 16 years old unless that consumer affirmatively authorizes the sale or sharing of the consumer’s information. If the consumer is less than 13 years old, the parents or guardians must affirmatively authorize the disclosure.
Businesses are also required to disclose or deliver a consumer’s personal information, correct inaccurate personal information, or delete a consumer’s personal information within 45 days of receiving such a request from the consumer. The time period can be extended by an additional 45 days when it is reasonably necessary for the business to comply. Consumers also have the right to opt out of a business’ sale or sharing of their personal information.
Another important provision in the CPRA provides funding for the California Privacy Protection Agency, which would be charged with enforcing privacy laws. Once this new agency becomes fully operational, it is anticipated that investigations and enforcement actions of California consumer privacy violations will increase significantly.
Finally, and importantly, the CPRA expands the scope of a private cause of action granted to consumers by adding email addresses and passwords or security questions to the list of personal information, which, if subject to a data breach, may give rise to liability to affected consumers via a private cause of action.
The CPRA’s expansion of the CCPA’s privacy protections is not embraced by everyone. The ACLU, for one, was opposed to the law. It’s not hard to see why, given provisions in the CPRA that permit businesses to charge consumers more for goods and services if they decide to opt out of the sharing or selling of their personal information.
Nevertheless, California’s consumer privacy protection laws under the CCPA and now CPRA are the strongest in the country. Chances are that if Congress and other state legislatures propose new privacy legislation in the next few years, lawmakers will look to California’s laws as the blueprint.