HOW THE PASSING OF PROPOSITION 24 WILL CHANGE THE CCPA
In 2018, California adopted the most extensive privacy provisions in the United States, the California Consumer Privacy Act of 2018 (CCPA). Emulating provisions adopted in Europe’s General Data Protection Regulation (GDPR), the CCPA gives California consumers of certain, generally larger, businesses rights relating to the use and sale of personal information like names, addresses or internet purchasing history. In general, the CCPA provides consumers with the right to learn what categories of personal information are collected or sold and the right to request that businesses delete their personal information or to opt out of the sale of their personal information. It also creates liability for failing to reasonably protect consumers’ personal information.
California residents voted 56%-44% in the November 2020 election to amend and expand the CCPA through the passage of Proposition 24, the California Privacy Rights Act (CPRA). Proposition 24 imports more of the GDPR’s provisions, providing additional consumer privacy rights over sensitive information. It also expands penalties established through the CCPA, and creates a new agency in California to oversee and enforce consumer data privacy laws. Most of the provisions of CPRA go into effect on January 1, 2023, although the creation of the new state agency and requirements for developing new regulations will immediately go into effect. Businesses must comply with the regulatory provisions of the CCPA until those new regulations are in place.
Most notably, the proposition 1) creates a new administrative enforcement agency and eliminates the existing 30-day period to cure CCPA violations to avoid penalties; 2) slightly narrows which businesses are subject to the consumer data privacy requirements; and 3) provides customers with new data privacy rights, including limiting the sharing of personal data.
Changes to Administrative Enforcement Procedures and Penalties
Under the existing CCPA, a business can be penalized for violation of the regulations only if it does not cure any alleged noncompliance within 30 days after being formally notified by the California Attorney General’s office. Prop 24 creates a separate agency to enforce the CPRA, the California Privacy Protection Agency, and eliminates the existing 30-day opportunity to cure compliance oversights (but provides instead for discretion in whether to impose penalties or allow time to cure), effective January 2023. As a result, all businesses subject to the CPRA will need to be in compliance with the CPRA to avoid the potential issuance of administrative fines once the provisions go into effect in 2023. The new California Privacy Protection Agency will be responsible for investigating violations and assessing administrative penalties, although violations will still be subject to enforcement actions brought by the Attorney General as well. Among other changes, Prop 24 also increases the penalty up to $7,500 on businesses that violate the consumer privacy rights of minors.
Changes to Which Businesses Must Comply with Consumer Data Privacy Laws
Proposition 24 changes which types of businesses will be subject to California’s consumer data privacy requirements. To be subject to the CPRA, a business must either:
- Derive at least 50% of its annual revenue from selling or sharing (as opposed to just selling under CCPA) the personal information of California consumers;
- Have gross revenue over $25 million (unchanged); or
- Buy, sell, or share the personal information of more than 100,000 (increased from 50,000 under CCPA) California consumers/households. (Helpfully, the standard now counts only California consumers or households; the CCPA also counted “devices.”)
Other notable changes include:
- Delays the applicability of the CCPA to personal information of a business’s own employees and other business-to-business communications until 2023.
- Requires rulemaking for the protection of trade secrets from disclosure as a result of a consumer request.
- Expands consumer “right to know” requests beyond the prior 12 months, beginning with data collected after January 1, 2022.