On January 1, 2020, the California Consumer Privacy Act (“CCPA”) became effective, ushering in a new era of privacy legislation in the United States. After a long and circuitous journey, on August 14, 2020, the Office of Administrative Law approved the underlying regulations and filed them with the Secretary of State, making them effective immediately. Just as businesses began to get their arms around the legislation and regulations, Californians were asked to vote on a ballot initiative, officially known as Proposition 24, to expand the CCPA.
The legislation at issue in Proposition 24 is the California Privacy Rights and Enforcement Act of 2020 (“CPREA”). The CPREA was sponsored by Californians for Consumer Privacy. This group — headed by Alastair Mactaggart and advised by several prominent Californians— is the same group whose prior initiative led the California Legislature to pass the CCPA. Not satisfied with their earlier efforts, Californians for Consumer Privacy pushed the CPREA to supplement the privacy protections imposed on companies collecting personal information from consumers. On November 3rd, those additional privacy protections became a reality as Californians voted by a margin of 56% to adopt the CPREA.
One of the more significant changes is that the CPREA establishes a new sub-category of personal information called “sensitive personal information.” Sensitive personal information includes data relating to a consumer’s biometric identification, finances, health, and exact location. Businesses collecting sensitive personal information will be required to notify the consumer at or before the time of collection of: (1) the category of information the business will collect; (2) the retention period; and (3) whether the information will be sold by the business. In addition, businesses will also be required to provide a “Limit the Use of My Sensitive Personal Information” link for consumers.
The CPREA also provides consumers with greater control over how businesses collect, use and share their data. For example, consumers may request that a business correct inaccurate personal information maintained by that business. Consumers who are younger than 16 years of age must give their permission before a business can collect their personal information, or, if the consumer is younger than 13 years of age, permission must be obtained from a parent or guardian.
The legislation also establishes a new agency, the California Privacy Protection Agency, to enforce the law. It will initially consist of a five-member board with seats appointed by the Governor, the Attorney General, the Senate Rules Committee and the Speaker of the Assembly. The new agency’s duties will include developing regulations, providing guidance to businesses and consumers, investigating and adjudicating violations, assessing penalties and promoting public awareness of consumers’ rights.
These are but a few of the significant, new requirements that will be imposed upon the business community by the CPREA. The following chart, prepared by the Californians for Consumer Privacy, compares the significant components of the CCPA and CPREA.
Each red “X” (with its corresponding green “√”) reflects a new hurdle for those doing business in California. So, although the legislation will not take effect until 2023, given the breadth of the requirements, businesses should not delay their efforts to develop a plan to comply with the CPREA.