Proposition 24 Expands Digital Privacy Regulation in California
California voters passed ballot measure Proposition 24, or the California Privacy Rights Act (CPRA), on November 3, 2020. The CPRA builds upon the California Consumer Privacy Act (CCPA) passed in 2018. The CCPA is already one of the strongest privacy laws in the country. The CPRA will come into effect on January 1, 2023. Enforcement will begin on July 1, 2023, giving lawmakers over two years to sort out the details for smooth implementation.
The new legislation gives Californians the right to know what data businesses are collecting about them. It also prohibits businesses from selling that data. Specifically, consumers have the power to tell businesses not to disclose certain categories of identifying information. These categories include race, health, religious affiliation, location, sexual orientation, and biometrics. If the affected individual is younger than 16 years old, the law triples the fines for violations.
Proposition 24 Supporters and Critics
A number of prominent individuals and organizations supported Proposition 24. These supporters included the NAACP of California, Andrew Yang, privacy advocate Shoshana Zuboff, and many California state politicians. There were also a number of vocal critics, most notably the American Civil Liberties Union (ACLU). The ACLU has expressed concerns that under the CPRA, businesses will charge consumers who opt out more than those who do not. From the ACLU’s viewpoint, lower income individuals would have less access to digital privacy protection measures.
A number of states have attempted to pass ballot measures enhancing digital privacy with varying degrees of success. However, none are quite as strong as the CPRA. The passage of California’s newest privacy law, although not in effect until January 1, 2023, could spur legislation on the federal level.
Although the intent of Proposition 24 is to strengthen digital privacy protection, critics express a number of reservations with its drafting. They point out that the CPRA contains many ambiguous provisions and it adds significantly more compliance obligations for companies. Moreover, the CPRA establishes a new administrative enforcement agency called the California Privacy Protection Agency (CalPPA). This agency will have rulemaking, auditing, investigation, and enforcement authority. As a consequence, even minor violations may be at risk of enforcement action by the CalPPA.
Although the CPRA is widely compared with Europe’s General Data Protection Regulation (GDPR), it only includes a small fraction of the data privacy requirements addressed by the GDPR. The GDPR, which covers the European Union, has been in effect since 2018. Enforcement was initially limited, but has increased since mid-2019. In particular, larger fines have started to pick up one year after the GDPR’s passage. Observers predict that the CPRA will follow a similar pattern with respect to enforcement.
Proposition 24 Includes New and Revised Consumer Rights
Some of the key new measures of the CPRA pertaining to new and revised consumer rights include:
- Right to Limit Use of Sensitive Information: The CPRA includes the right to opt-out of data sale or sharing of personal information. The distinction between “selling” and “sharing” data is that “sharing” involves disclosure to a third party without the exchange of monetary value. The CPRA also includes the right to opt-out from secondary use of sensitive information. Companies that disclose sensitive information from secondary use are required to include a “Limit the use of my sensitive personal information” link on their homepage.
- Right of Correction: The CPRA gives consumers a new right to request a company to correct personal information.
- Right to Delete: The CPRA expands the ability of consumers to request deletion of personal data.
Some of the key new measures of Proposition 24 relating to data security include:
- Data Retention: The CPRA mandates that companies explicitly state in their privacy notices the criteria for determining the data retention period.
- Reasonable Security: The CPRA expands the ability of individuals to bring a private right of action for a data breach. The scope of data that could qualify for a private right of action now includes compromise of a consumer’s email in combination with a password that would enable access to the consumer’s account.
Additional Third-Party Obligations
Some of the key new changes to the CPRA relating to third-party obligations:
- New “Contractor” Category: The CPRA introduces a new category of “contractors”, which is distinguishable from the existing definitions of “third parties” and “service providers.” It also imposes more specific contracting requirements for businesses selling or sharing personal data with service providers, contractors, and third parties.
- Children: For children under the age of 16 years old, the CPRA requires affirmative opt-in consent to sell children’s private information. It also triples the CCPA’s fines for the collection and sale of the personal information of children.
Overall, the principles embedded in the CPRA have many parallels with the European GDPR. Time will tell whether the CPRA can be implemented smoothly and whether California’s introduction of the CPRA will influence legislative changes in other jurisdictions.