California voters approved Proposition 24, also known as the California Privacy Rights Act (CPRA), in November 2020. The ballot initiative, which passed with approximately 56% support from voters, expands the California Consumer Privacy Act (CCPA), establishes a new privacy regulatory agency, provides new rights for consumers, and imposes new obligations on businesses. The CPRA’s enforcement date is January 1, 2023, but because businesses will need to disclose their data processing activities over the previous year, the practical impact of the CPRA begins on January 1, 2022. Therefore, most companies would be wise to start preparing for the CPRA now.
We have identified the 10 most significant changes introduced by the CPRA, in priority ranking, and a corresponding “task list” for privacy leaders to consider for the rest of 2021:
“Sensitive personal information” means personal information that reveals:
§ 1798.140(ae). Any notice obligations will now apply to the business that controls the collection of personal information — similar to a GDPR “data controller” — not the company that collects the information itself. These notice requirements are in addition to the now-explicit requirement that such notices describe whether the information is shared or sold. § 1798.100(a).
Together, the Do-Not-Track provision and the new “sharing” definition mean that the CPRA will likely have a significant impact on the entire ad-tech ecosystem that currently tracks user behavior and preferences across most modern web sites, social media and physical stores.
Consumers will have the right to correct inaccurate personal information, and businesses will be required to use commercially reasonable efforts to correct any mistakes. New regulations will determine the all-important question regarding what is “inaccurate.” § 1798.106.
In addition, consumers will have a new right to limit the use and disclosure of sensitive personal information. Specifically, consumers will have the right to tell a business to use sensitive personal information only to perform the services or provide the goods requested. § 1798.121.
Businesses also should consider how they will respond to California consumers who exercise their new privacy rights. Responding to do-not-share requests will be broader and more complex than responding to do-not-sell requests. Businesses also will need to field new requests to correct information or limit the use of sensitive data. Finally, with more privacy laws looming, many U.S. businesses will need to consider whether they should take a national approach to privacy requests or remain focused on California residents. Multinational businesses likewise may need to consider whether to take a “global” privacy approach or adopt a jurisdiction-specific U.K./European/Brazilian/Chinese/Californian/etc. model.
For any business that has substantial contact with California consumers, the CPRA presents many challenges. Because a one-year lookback will apply to any privacy policies and/or notices, companies would do well not to wait until 2023 to commence their compliance efforts. They can and should start on those efforts now.