On November 3, 2020, California voters approved Proposition 24, the California Privacy Rights and Enforcement Act of 2020 (“CPRA”), which amends the existing California Consumer Privacy Act (“CCPA”) and significantly expands the data privacy rights available to California consumers. Although the CPRA does not take effect until January 1, 2023, it’s not too early for businesses to start thinking about how they will comply with the new law. Here are 10 CPRA impacts to consider:
- New Threshold for Businesses. Under the existing CCPA, any business that buys, sells, or shares for business purposes the personal data of 50,000 consumers, households or devices annually is required to comply with the law. The CPRA, however, increases the threshold amount to 100,000 consumers or households and no longer includes devices, a change that may reduce the number of businesses subject to the law. (The two other thresholds that determine whether a “business” is subject to the law—(1) annual gross revenues of more than $25 million or (2) 50% or more of annual revenues derived from selling or sharing of consumers’ personal information—remain unchanged.)
- New Category of “Sensitive Personal Information.” Sensitive personal information is now defined as including social security numbers; account log-ins with passwords; precise geolocation; health, racial or ethnic origin, religious or philosophical beliefs, or union membership; and more. Upon the consumer’s request, businesses must stop selling or sharing Sensitive Personal Information and must limit internal uses of that information.
- New Right of Correction. The CPRA creates new rights for consumers to correct inaccurate personal information. Businesses must disclose the consumer’s right to request a correction and must use commercially reasonable efforts to correct the inaccurate personal information.
- Expanded Opt-Out Right. The CPRA allows consumers to opt out of the sale or sharing of personal information. “Sharing” of personal information is broadly defined to include disclosing or transferring the information to a third party, whether or not for monetary or other valuable consideration.
- Additional Disclosure Obligation. The CPRA requires businesses to notify consumers of the length of time they will retain personal information or sensitive personal information.
- Extension of Employee and Business-to-Business Exemptions. The CPRA extends the current exemptions for personal information collected in the employment and business-to-business contexts to January 1, 2023.
- Expanded Right to Know. The CPRA expands the right to access from the 12 months preceding the consumer’s request to a window longer than 12 months (beginning January 1, 2022), unless doing so “proves impossible or would involve a disproportionate effort.”
- New Exception to Right to Delete. The CPRA allows businesses to deny a consumer’s right to delete personal information if retaining the information is reasonably necessary and proportionate to the business’s maintenance of its security and integrity.
- Triple Penalties for Violations Involving Minors. The CPRA triples the maximum penalty for privacy violations involving consumers under 16 years of age ($7,500 per intentional violation).
- New Enforcement Agency. The CPRA creates a new California Privacy Protection Agency to oversee and enforce data privacy laws, replacing the California Attorney General’s office as the primary enforcement agency.
As California continues to blaze the trail for increased data privacy rights, the CPRA provides a blueprint for other states to follow and may even serve as an impetus for Congress to take up a federal consumer data privacy law sooner rather than later.
This information has been prepared by Keesal, Young & Logan for informational purposes only and is not legal advice. Transmission of the information is not intended to create, and receipt does not constitute, an attorney-client relationship between you and Keesal, Young & Logan. You should not act upon this information without seeking professional counsel.