Privacy regulation is here to stay in California and likely to only become more difficult for businesses in California. Despite the CCPA’s reputation as the most comprehensive privacy regulatory scheme in the United States, the CCPA is being modified again by both the Attorney General as well as the ballot initiative, Proposition 24, that is anticipated to be passed by voters in the upcoming election.
Third Set of Proposed Modifications to the CCPA
The Attorney General recently proposed a third set of modifications to the CCPA.1 These provide guidance on providing notice to consumers of their rights to opt-out of the sale of their personal information in offline settings, such as brick- and-mortar stores as well as for personal information collected over the phone.2 In addition, the modifications provide guidance on the submittal of consumer requests to opt-out. These requests should be “easy for consumers to execute and shall require minimal steps to allow the consumer to opt-out”.3 A number of examples are provided of methods that should not be employed by businesses for the submittal of these consumer requests. Lastly, the proposed modifications address submittals of consumer requests by authorized agents - providing that businesses may require proof that any such agent was given signed permission by the consumer to submit such a request.4
Proposition 24 - The California Privacy Rights and Enforcement Act (CPRA)
The CPRA is proposing a number of revisions to the CCPA, creating a number of additional rights for consumers related to the use by businesses of consumer’s personal information without consent, as well as the use of sensitive personal information. It is further intended to protect the personal information of children under the age of 16 by imposing substantial penalties on businesses that do not comply with its requirements.
With respect to violations related to children’s private information, penalties under the CPRA are tripled over the statutory amounts currently imposed by the CCPA, ($2,500 for each violation, or $7,500 for each intentional violation).5 The CPRA would impose penalties up to $7,500 for “violations involving the personal information of consumers whom the business, service provider, contractor or other person has actual knowledge is under 16 years of age”.6
It is important to keep in mind that even if passed, the CPRA will not become operative until January 1, 2023 and apply to personal information collected after January 1, 2022. The CCPA remains in effect until the CPRA is enforceable.
Why Does This Matter For Businesses
- Privacy regulation must be addressed by California businesses. If you are not already in compliance with the current CCPA requirements, now is the time to act. The Attorney General has been authorized to enforce CCPA actions since July 1st of this year.
- It is critical to have a plan that complies with current CCPA requirements, at a minimum. And compliance plans can easily be updated as these regulations develop.
- In addition to the statutory fines, it is imperative not to overlook the private right of action regarding data breaches set forth in the CCPA with suits that can be made by individual consumers in the event of a breach.
- The proposed CPRA reiterates that regulators and consumers are concerned about the protection of personal information, and even creates a new regulatory body to enforce California privacy rights – which will certainly result in an increase in enforcement actions.
1 See https://oag.ca.gov/system/files/initiatives/pdfs/19-0021A1 (Consumer Privacy - Version 3)_1.pdf
2 See proposed § 999.306 of the California Consumer Privacy Act Regulations.
3 Proposed § 999.315(h) of the California Consumer Privacy Act Regulations.
4 See proposed § 999.326 of the California Consumer Privacy Act Regulations.
5 California Civil Code section 1798.155(b).
6 Proposed California Civil Code section 1798.155(b) under the CPRA.