In 2018, California became the first state to approve a comprehensive law that sought to enhance privacy rights and consumer protection by imposing new privacy obligations on certain businesses that collect information of California consumers. Although passed in 2018, the California Consumer Privacy Act of 2018 (CCPA) only recently became effective in January 2020 and enforceable by the California Attorney General based on regulations that were approved this past August.
While the CCPA has only recently taken effect, it could be significantly amended tomorrow by Proposition 24 - the ballot initiative that could cement the California Privacy Rights Act (CPRA) into law. Having large support from state residents, the CPRA is intended to bring data protection in California closer to its European counterpart – the General Data Protection Regulation (GDPR). Should it pass, the CPRA will become operative January 1, 2023, but until then the CCPA will remain in full force and effect.
Some of the biggest changes of the CPRA include:
- The establishment of a new enforcement agency, the California Privacy Protection Agency, which would be tasked with enforcing the CPRA. The new agency would be funded with $10 million to “monitor compliance and enforcement of consumer privacy rights.” It is also to be governed by a five-member board of experts in privacy, technology, and consumer rights.
- This is a significant change from the CCPA which is currently monitored by the Attorney General and is not provided a budget for compliance and enforcement.
- A new right of correction for consumers, which allows consumers to correct inaccurate personal information held about them by a business and requires businesses to inform consumers of this right.
- An expanded private right of action for data breaches applicable to consumers whose email addresses, together with a password or security question that would permit access to the account, are compromised.
- The extension of the CCPA’s employee and business-to-business personal information exemptions until 2023. These exemptions are currently set to expire on January 1, 2021.
- A requirement that businesses performing “high risk processing” meet an annual set of risk assessment and independent audits, including a cybersecurity audit.
- An expansion of fines for breach of data on minors with a $7500 per incident penalty.
- An obligation for businesses to inform consumers if they have been “profiling” them using automated processes (like the GDPR).
- An expanded opt-out right for consumers, granting them the right to opt-out of any sharing of their data with third parties.
- The elimination of the CCPA’s 30-day cure window, in which a business can cure an identified gap in the businesses’ privacy processes, before the enforcement agency can take action.
The foregoing highlights some of the key proposed changes that would take effect if the CPRA is passed tomorrow. But there are additional changes the CPRA includes aligning it closer with the European GDPR. Business should begin looking at current policies and procedures to determine what changes may be necessary to become compliant.
We will continue to provide updates as more information becomes known about the CPRA, as well as other fast-moving developments in data privacy laws