In California, 12 statewide ballot propositions appeared on the ballot for the election on November 3, 2020. California voters passed Proposition 24, a ballot measure that amends the California Consumer Privacy Act (CCPA), now known as the California Privacy Rights Act of 2020 (CPRA).
However, in order to understand this new law (which will come into effect in 2023), we must understand the CCPA, which was passed in 2018 and only went into effect on January 1st of this year.
The CCPA is a consumer privacy law that gives consumers more control over their data. The CCPA impacts any for-profit business that does business in California, collects consumer data, and meets one of the following criteria:
Similar to privacy laws like the European GDPR (What is GDPR and Coalition’s policy cover?), the CCPA regulates how a business collects, uses, and discloses almost any kind of information about an individual. Specifically, the CCPA protects the right to know what information is collected, how it is used, the right to delete information, opt-out of the collection of the sale of the data, and the right to non-discrimination for exercising the rights protected by the CCPA.
In addition to the regulatory fines and penalties that can be brought by the Attorney General of California, individual California residents are able to bring class action lawsuits against a business for data breaches. Individuals whose data has been breached are not required to demonstrate proof of loss and can bring an action for payment of damages.
But in order to bring an action, the consumer must give 30 days written notice identifying the CCPA provisions violated. The 30-day “warning” gives the company time to “cure” the alleged breach and avoid suit. Additionally, the CCPA significantly broadens the definition of personal information thereby increasing the likelihood that a data breach will be subject to the new legislation.
While the CCPA has only been in effect for 10 months, Proposition 24 evolves the law in several ways. Some of the rules limit and others expand CCPA.
As a limiting factor, the proposition removes the devices from counting against an organization's number of records held. Further, it changes the threshold so that only businesses that buy, sell, or share the data of 100,000 CA individuals or households are subject to the rules (unless the company meets the threshold of #1 and #3).
The proposition also makes changes which expand the breadth of the CCPA. For example, the CPRA enables individual consumers to exert control over how each and every company uses their data and restricts commercial use of this data to the terms the consumer has explicitly agreed to.
And while the CCPA provided equal protection for consumers’ right to choose whether their data was used, by implementing a non-discrimination clause, Proposition 24 seems to remove that protection. Under Proposition 24, companies are permitted to charge more to consumers who opt-out of using their data, essentially enabling companies to put a monetary value on consumers’ data for those who opt-in.
These changes to the CCPA come at a greater cost to companies. Specifically, companies face far larger penalties and will not be given the opportunity to remediate issues before they’re brought to a suit. In fact, the violation of a minor’s privacy rights could mean a fine of 3x the current fine, and a company will not be given time to “cure” an issue and will face immediate penalties instead.
You may be asking yourself how Proposition 24 will accomplish all of this? The intent is to create the California Privacy Protection Agency and remove the power from the Department of Justice. This new agency would have a board appointed by the Governor, and would take over enforcement functions from the DOJ. Sadly, the money to fund this agency comes from the money “raised” from the penalties made against companies. This could be seen as an agency that is incentivized to penalize.
And while this agency will only have purview over companies that do business in California, there is always the possibility that this could set the precedent for other state laws, or eventually, a national standard. Until that time, companies will have to monitor (and comply with) the laws that each state puts in place.
While the 53-page law was generally created to target large entities that are consuming large amounts of data, it seems that smaller businesses will be caught in the crosshairs. Smaller businesses will arguably be the first to be fined given that they are less likely to have policies and procedures in place or can’t afford to provide the new opt-out feature.
What this means for organizations is that they will, at a minimum, need to update policies and procedures to enable correct handling and deletion of PII, ensure that use of any appropriately collected information is necessary and proportional, and ensure consumers can choose whether the information may be used for other purposes.
Many small to midsize organizations that do not already have a robust CCPA/GDPR compliance regimen in place may need to make substantial changes to be compliant come 2023. Contact us if you have questions about Proposition 24 and the impact the new CPRA may have on your data and your business.