On November 3, 2020, California voters passed Proposition 24, also known as the California Privacy Rights Act of 2020 (CPRA). The proposition amends the California Consumer Privacy Act (CCPA), which went into effect on January 1, 2020 and significantly enhanced consumer privacy rights. The CPRA makes a number of changes to the CCPA, most of which will become effective on January 1, 2023. Before then, businesses will need to evaluate their policies and procedures to ensure compliance with the CPRA. Businesses that fail to do so could face significant liability, including administrative fines and monetary damages.
Changes to Coverage Thresholds. Currently, to qualify as a “business” for purposes of the CCPA, a business must satisfy at least one of three threshold requirements: (1) have an annual gross revenue in excess of $25 million; (2) annually buy, receive for the business’s commercial purposes, sell, or share for commercial purposes the personal information of 50,000 or more consumers, households, or devices; or (3) derive 50 percent or more of its annual revenue from selling consumers’ personal information. The CPRA narrows the second requirement by (1) no longer counting devices and (2) increasing the annual threshold from 50,000 to 100,000 or more consumers or households. The CPRA also amends the first requirement by specifying that “annual gross revenue” is that of the “preceding calendar year” and broadens the third requirement by covering “selling or sharing” consumers’ personal information.
Disclosures Regarding Sensitive Personal Information. Currently, the CCPA requires that businesses inform consumers of the types of personal information collected and the purposes for which that information is collected. This requirement remains largely the same, but the CPRA also creates a new category of information referred to as “sensitive personal information,” which includes, for example, a consumer’s social security number and a consumer’s precise geolocation. The CPRA requires that businesses disclose the types of sensitive personal information collected, the purposes for which that information is collected, and whether that information is sold or shared.
Retention of Personal Information. The CPRA requires that businesses inform consumers how long the business intends to retain each category of personal information, or if that is not possible, how it determines the retention period. The CPRA also specifies that a business cannot retain personal information “longer than reasonably necessary.” The CCPA did not explicitly address data retention, so this standard will need to be developed further through regulations or case law.
Agreements with Third Parties. The CPRA requires businesses that disclose personal information to third parties to include certain terms in their agreements with those third parties. For example, the agreement must require that the third party comply with the relevant provisions of the CCPA and grant the business the right to ensure that the third party uses the disclosed information consistent with the business’s obligations under the CCPA.
Reasonable Security Procedures and Practices. The CPRA requires that businesses implement “reasonable security procedures and practices” to prevent unauthorized or illegal access, destruction, use, modification, or disclosure of consumers’ personal information, with the reasonableness being judged in light of the personal information collected by the business. The “California Data Breach Report,” prepared by the California Attorney General in 2016, identifies 20 controls for a “minimum level of information security,” such as “controlled use of administrative privileges,” and will likely serve as a good baseline for assessing the reasonableness of security procedures and practices.
Limit Sharing of Personal Data. Currently, the CCPA gives consumers the right to prevent businesses from selling their personal information. The CPRA expands this right by giving consumers the right to prevent sharing, in addition to selling, of their personal information.
Correct Personal Data. The CPRA requires that businesses inform consumers that they have the right to request that inaccurate personal information be corrected. Businesses are required to use “commercially reasonable efforts to correct the inaccurate information as directed by the consumer.”
Limit Use of “Sensitive” Personal Data. The CPRA gives consumers the right to limit businesses’ use of their sensitive personal information to certain enumerated purposes, such as using the information in the manner “reasonably expected” by consumers based on the goods or services provided. Businesses will want to put policies and procedures in place to ensure that they can segregate sensitive personal information from other personal information, so that they can appropriately limit the use of consumers’ sensitive personal information.
Eliminates Cure Period for Civil Penalties. Currently, a business is in violation of the CCPA and thus subject to civil penalties if it fails to cure any noncompliance within 30 days of being notified of such noncompliance. The CPRA eliminates the 30-day cure period and also permits a new, heightened penalty of up to $7,500 (as opposed to $2,500) for violations involving the personal information of consumers whom a business knows are under 16 years of age.
Broadens Private Right of Action. Currently, a consumer may bring suit under the CCPA if the consumer’s nonencrypted and nonredacted personal information is “subject to an unauthorized access and exfiltration, theft, or disclosure as a result of the business’s violation of the duty to implement and maintain reasonable security procedures and practices” and the consumer gave the business 30 days to cure the violation. The CPRA expands this right of action to cover data breaches of email addresses along with information that would permit access to the account (e.g., a password or security question). And the CPRA clarifies that implementing reasonable security procedures and practices following a breach “does not constitute a cure with respect to that breach.”
Creates a New State Enforcement Agency. Effective December 2020, the CPRA created a new agency, the California Privacy Protection Agency (CPPA), which “is vested with full administrative power, authority, and jurisdiction to implement and enforce the California Consumer Privacy Act of 2018.” The agency will have broad authority to “investigate possible violations” of the CCPA. And if the agency determines that a violation has occurred, then it may require that the violator cease and desist violation of the CCPA and/or pay an administrative fine of up to $7,500 per violation, depending on the circumstances. An interested party may seek review of the agency’s decision in the state trial courts, subject to an abuse of discretion standard of review. The CPPA will be funded with at least $10 million annually, and the five members of its board must be appointed by March 16, 2021, 90 days from the CPRA’s effective date. Given that the CPPA will oversee enforcement of the CCPA in conjunction with the California Attorney General, which previously was able to pursue only a few cases per year due to limited resources, there will likely be an uptick in enforcement actions.