Earlier this year the California Consumer Protection Act took effect. At its heart, the CCPA is a privacy law granting California citizens the right to control the personal data companies collect even after collected. Important to companies in Florida is that the California Attorney General has taken the position that the CCPA applies regardless of the location of the company collecting the information or its systems. With the election this week, the citizens of California have doubled-down on the CCPA via Proposition 24.
Proposition 24, to be known as the California Privacy Rights Act of 2020 (“CPRA”), is an effort to tighten the privacy controls put in place by the CCPA. The CPRA has been criticized as a poorly written bundle of steps forward and back. Telling is that the Electronic Frontiers Foundation (EFF) has refused to take a stance on the law with the EFF being somewhat similar to the much older American Civil Liberties Union (ACLU). Indeed, the ACLU criticized the CPRA as creating a loophole where companies can incentivize users via an affinity program to give up rights under the CPRA.
“So what does it do?” you ask. It attempts to plug a hole in the CCPA that allowed companies to ignore opt-out requests because companies “shared” consumer data rather than “sold” it. Likewise, it removes targeted advertising as a permitted business purpose that permitted companies to ignore opt-out requests.
The CPRA provides a list of what information is “personal data” via the rubric of “sensitive personal data” which includes social security number, driver’s license number, passport information, financial account information, precise geographic location, race, ethnicity, religious/philosophical beliefs, union membership, information about sex life/sexual orientation, genetic data, health information, biometric information used to uniquely identify a consumer (but not if it doesn’t identify an individual), and the content of a consumer’s communications with an intended recipient other than the business (think Gmail).
Conversely, excluded from sensitive personal information is information made publicly available, including that which is made known to another person but has not restricted its availability to a wider audience, such as Facebook posts. Also excluded is information available from public government records and in the general media. As you can see from the above, whether your Facebook posts should be commercially exploitable is debatable.
With respect to the collection of sensitive personal data, companies are required conspicuously to disclose what information the company is collecting, how it is going to be used, and whether it will be sold or shared. Likewise, the CPRA attempts to prevent companies from requiring pay-to-play like schemes where a choice to limit collection results in a purposeful downgrade in the functionality of the site. Similarly, the CPRA reinforces the CCPA existing requirement that before a company may put such information to a new use, it must first obtain express consumer consent.
There are also requirements for companies to have in place reasonable security with what is reasonable being dependent on the sensitivity of the information collected. While the CCPA technically is only enforceable by the California Attorney General (this limitation is not as tight as it may superficially seem), the CPRA specifies that a new California privacy enforcement agency is to be created and funded with at least $10 million per year.
Many aspects of the CPRA will take effect—barring unforeseen action—on January 1, 2023, but only data collected after January 1, 2022 would be covered by the CPRA. That said, such data would still be covered by the CCPA as and if applicable, regardless. Interestingly, for its steps forward, one of the steps back is that the CPRA exempts companies who obtain information on less than 100,000 Californians and made less than $25 million in revenue the year before—a large loophole given that numerosity and revenue do not directly correlate with privacy protection.
Presumably, you are now asking, so why do I as a business in Florida care? First, given that the CPRA now creates an enforcement agency, it is likely that the CPRA will be more rigorously enforced including against out of state offenders. Second, the CPRA is perhaps and likely is a bellwether of things to come as the pendulum swings towards greater privacy rights in the United States. Finally, while privacy is an amorphous concept, consumers generally prefer to patronize companies that are not “icky” or “creepy” as many of the current privacy infringements are described. I don’t want my news website advertising lawnmowers to me because it knows I was shopping them on the hardware store website. Just like I don’t want to have to accept geotrackers that identify when I am traveling and then advertise to me. Florida man is now subject to further legislation from California via the interconnectedness of the world wide web.