While most of the attention has been focused on the presidential and congressional races, the passage of down-ballot propositions in California may substantially impact your business. By passing Proposition 24, Californians voted to amend and significantly expand the obligations on businesses already in effect under the California Consumer Privacy Act (CCPA) and to create and fund the California Privacy Protection Agency (CPPA) to take over administrative authority to implement and enforce the law.
The newly amended law adds “Sensitive Personal Information” as a category of personal information that must be tracked and disclosed by a business, and creates additional consumer rights that companies must be able to honor, including:
- right to correct personal information
- right to know length of data retention
- right to opt-out of advertisers using precise geolocation
- right to restrict usage of sensitive personal information
The law removes the original CCPA’s provision allowing businesses 30 days to cure violations before being penalized, and expands the private right of action for data breaches to include unauthorized access or disclosure of an email address and password or security question that would permit access to an account if the business failed to maintain reasonable security. The law also specifies that implementation of security procedures after a breach is not a cure.
The law introduces a new requirement that businesses must obtain permission before collecting information from consumers under 16 years of age, and permission from parents for consumers under 13 years of age. Previously, collection of this information did not require permission, but the law required that these practices be disclosed in the business’s public privacy statement and included restrictions on selling this information.
While most of the law is set to take effect in 2023, businesses are still subject to the CCPA’s annual disclosure requirements. The addition of many new requirements means that businesses should begin preparing for this transition early, since establishing the IT infrastructure and operational procedures necessary to comply will require advance planning and budgeting, including a formal procedure to track privacy impacts from new vendors, products and processes.