While the Nation Focused on the Presidential Race, California Expanded Its Privacy Laws and “Yes” Non-California Businesses Are Likely Impacted

Dickinson Wright
Contact

Dickinson Wright

While the eyes of the nation were keenly focused on the Presidential race, California voters passed Proposition 24, the California Privacy Rights Act (CPRA), which will further reinforce and redefine the state’s California Consumer Privacy Act (CCPA), which went into effect January 1, 2020.

In a nutshell, the CPRA closes a number of loopholes in the CCPA, strengthening consumer privacy protections and requiring the creation of a privacy enforcement agency, the California Privacy Protection Agency (the Agency). The Agency will assume the California Department of Justice – Office of the Attorney General’s responsibility for taking enforcement actions under California’s privacy laws, be a regulator, and issue guidelines for entities and organizations subject to the laws. The Agency will be installed by either July 1, 2021, or six months after the CCPA is ready to make rules, whichever occurs later.

Another key point is that the CPRA removed the ability of businesses to fix violations before being penalized. In addition, and on top of the notice and data subject right requirements now in effect under the CCPA, the CPRA will require businesses to do all of the following:

  • Avoid sharing a consumer’s personal information upon the consumer’s request;
  • Provide consumers an opt-out option for having their sensitive personal information, which is defined in the CCPA, used or disclosed for advertising or marketing purposes;
  • Obtain permission before collecting data from consumers under the age of 16;
  • Obtain permission from a parent/guardian before collecting data from consumers under the age of 13; and
  • Correct a consumer’s inaccurate personal information upon the consumer’s request.

The new requirements with respect to minor consumer data contain some elements required under the Children’s Online Privacy Protection Act (COPPA) but adds some significant protections, including permission prior to collection. 

The installation of the Agency will mean that businesses will need to review their privacy policies and procedures, ensuring they are compliant, or risk being sent a notice for negligence, audit, enforcement, etc. Businesses must also have an end-to-end automated solution that can fully process data subject requests rights, which includes their right to know, right to delete, and right to opt-out of the sale of their personal information, and provide consumers a seamless interaction when exercising their privacy rights.

Other provisions include further extensions of the employee exception and the business-to-business exceptions in the CCPA to January 1, 2023. (We discussed these exceptions in more detail late last year in our piece titled “CCPA Amendments Pass Adding Some Clarity to Scope and Industry Breathing Room Especially to B2B Businesses.”)

As a reminder, the CCPA, and now the CPRA, does not just apply to companies doing business in California. Rather, it applies to any business that has gross revenue of $25 million, that has the personal data of more than 50,000 “consumers, households, or devices”, or earns more than half its revenue selling consumers’ personal data.

These changes, which will not go into full force and effect until January 2023 (with a “look back” period to data collected on or after January 2022), bring California more in line with the European Union’s General Data Protection Regulation (GDPR) and further solidifies California as having the strongest legislative consumer privacy protections in the United States. For businesses, it means they will need to review their privacy policies and procedures, specifically their data subject right notifications and request structures, and modify them as necessary to comply with the new legal requirements.

Unlike the CCPA, the CPRA cannot be repealed by the California legislature, but may be amended. It is also important to remember that, while the CPRA has passed, there are many details that will be further clarified and defined through regulation. So, while many businesses may want to get started on their compliance, starting too early and/or going too far may result in spending more money to make changes or fixes once the regulations are issued. 

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Dickinson Wright | Attorney Advertising

Written by:

Dickinson Wright
Contact
more
less

Dickinson Wright on:

Reporters on Deadline

"My best business intelligence, in one easy email…"

Your first step to building a free, personalized, morning email brief covering pertinent authors and topics on JD Supra:
*By using the service, you signify your acceptance of JD Supra's Privacy Policy.
Custom Email Digest
- hide
- hide

This website uses cookies to improve user experience, track anonymous site usage, store authorization tokens and permit sharing on social media networks. By continuing to browse this website you accept the use of cookies. Click here to read more about how we use cookies.