The Election Results Are In: The Next Phase of California Privacy Law

Hodgson Russ LLP

On January 1, 2020, the California Consumer Privacy Act (“CCPA”) became effective, ushering in a new era of privacy legislation in the United States. After a long and circuitous journey, on August 14, 2020, the Office of Administrative Law approved the underlying regulations and filed them with the Secretary of State, making them effective immediately. Just as businesses began to get their arms around the legislation and regulations, Californians were asked to vote on a ballot initiative, officially known as Proposition 24, to expand the CCPA.

The legislation at issue in Proposition 24 is the California Privacy Rights and Enforcement Act of 2020 (“CPREA”). The CPREA was sponsored by Californians for Consumer Privacy. This group — headed by Alastair Mactaggart and advised by several prominent Californians— is the same group whose prior initiative led the California Legislature to pass the CCPA. Not satisfied with their earlier efforts, Californians for Consumer Privacy pushed the CPREA to supplement the privacy protections imposed on companies collecting personal information from consumers. On November 3rd, those additional privacy protections became a reality as Californians voted by a margin of 56% to adopt the CPREA.

One of the more significant changes is that the CPREA establishes a new sub-category of personal information called “sensitive personal information.” Sensitive personal information includes data relating to a consumer’s biometric identification, finances, health, and exact location. Businesses collecting sensitive personal information will be required to notify the consumer at or before the time of collection of: (1) the category of information the business will collect; (2) the retention period; and (3) whether the information will be sold by the business. In addition, businesses will also be required to provide a “Limit the Use of My Sensitive Personal Information” link for consumers.

The CPREA also provides consumers with greater control over how businesses collect, use and share their data. For example, consumers may request that a business correct inaccurate personal information maintained by that business. Consumers who are younger than 16 years of age must give their permission before a business can collect their personal information, or, if the consumer is younger than 13 years of age, permission must be obtained from a parent or guardian.

The legislation also establishes a new agency, the California Privacy Protection Agency, to enforce the law. It will initially consist of a five-member board with seats appointed by the Governor, the Attorney General, the Senate Rules Committee and the Speaker of the Assembly. The new agency’s duties will include developing regulations, providing guidance to businesses and consumers, investigating and adjudicating violations, assessing penalties and promoting public awareness of consumers’ rights.

These are but a few of the significant, new requirements that will be imposed upon the business community by the CPREA. The following chart, prepared by the Californians for Consumer Privacy, compares the significant components of the CCPA and CPREA.

Components

Existing

New

Right to Know What Information a Business has Collected About You

Right to Say No to Sale of Your Info

Right to Delete Your Information

Data Security: Businesses Required to Keep Your Info Safe

Data Portability: Right to Access Your Information in Portable Format

Special Protections for Minors

Requires Easy “Do Not Sell My Info” Button for Consumers

Provides Ability to Browser with No Pop-ups or Sale of Your Information

Penalties if Email Plus Password Stolen Due to Negligence

Right to Restrict Use of Sensitive Personal Information

Right to Correct Your Data

Storage Limitation: Right to Prevent Companies from Storing Info Longer than Necessary

Data Minimization: Right to Prevent Companies from Collecting More Info than Necessary

Right to Opt Out of Advertisers Using Precise Geolocation (< than 1/3 mile)

Ability to Override Privacy in Emergencies (Threat of Injury / Death to a Consumer)

Provides Transparency Around “Profiling” and “Automated Decision Making”

Establishes California Privacy Protection Agency to Protect Consumers

Restrictions on Onward Transfer to Protect Your Personal Information

Requires High Risk Data Processors to Perform Regular Cybersecurity Audits

Requires High Risk Data Processors to Preform Regular Risk Assessments

Appoints Chief Auditor with Power to Audit Businesses’ Data Practices

Protects California Privacy Law from being Weakened in Legislature

Each red “X” (with its corresponding green “√”) reflects a new hurdle for those doing business in California. So, although the legislation will not take effect until 2023, given the breadth of the requirements, businesses should not delay their efforts to develop a plan to comply with the CPREA.

 

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Hodgson Russ LLP | Attorney Advertising

Written by:

Hodgson Russ LLP
Contact
more
less

Hodgson Russ LLP on:

Reporters on Deadline

"My best business intelligence, in one easy email…"

Your first step to building a free, personalized, morning email brief covering pertinent authors and topics on JD Supra:
*By using the service, you signify your acceptance of JD Supra's Privacy Policy.
Custom Email Digest
- hide
- hide

This website uses cookies to improve user experience, track anonymous site usage, store authorization tokens and permit sharing on social media networks. By continuing to browse this website you accept the use of cookies. Click here to read more about how we use cookies.