What Should Businesses Expect under California’s Proposition 24?

California voters recently approved Proposition 24, formally known as the California Privacy Rights and Enforcement Act Initiative

Since taking effect on January 1, 2020, the CCPA has faced criticism from both business and consumer privacy groups due to its ambiguity. The Privacy Rights and Enforcement Act seeks to strengthen and clarify the CCPA, as well as establish a dedicated enforcement agency.

California Consumer Privacy Act

Former Gov. Jerry Brown signed the California Consumer Privacy Act of 2018 (CCPA) into law on June 28, 2018. Effective January 1, 2020, it grants consumers the right to request that a business disclose the following:

• The categories of personal information (PI) it has collected about that consumer;
• The categories of sources from which the PI is collected;
• The business or commercial purpose for collecting or selling PI;
• The categories of third parties with whom the business shares PI; and
• The specific pieces of PI it has collected about that consumer.

The CCPA also includes a number of other data protections for consumers. It grants a consumer the right to request deletion of PI and mandates that businesses to delete such information upon receipt of a verified request. Consumers also have the right to request that a business that sells the consumer’s PI, or discloses it for a business purpose, disclose the categories of information that it collects and categories of information and the identity of 3rd parties to which the information was sold or disclosed. The CCPA also authorizes a consumer to opt out of the sale of personal information by a business and prohibits the business from discriminating against the consumer for exercising this right.

The CCPA applies to for-profit business entities that conduct business in California, collect consumers’ personal information, alone or jointly with others determine the purposes or means of processing that data, and meet one or more of the following criteria: (1) have annual gross revenues greater than $25 million; (2) buy, receive, sell, or share personal information of 50,000 or more consumers annually; or (3) derive 50 percent or more of its annual revenues from selling consumers’ personal information.

Businesses can face penalties of up to $2,500 for each violation of CCPA requirements. Penalties increase to up to $7,500 for intentional violations. Penalties only may be applied if businesses fail to address the violation within 30 days of being notified of the violation. The California Department of Justice (DOJ) is authorized to impose these penalties.

The CCPA also includes a private right of action. When a breach of personal information occurs due to a business’ failure to implement and maintain reasonable safeguards to protect that information, the law entitles aggrieved consumers to pursue statutory damages of no less than $100 and no more than $750 per consumer per incident, or actual damages, whichever is greater.

Data Privacy Requirements Under Proposition 24

On November 3, 2020, California voted to pass the Proposition 24 ballot initiative, which significantly amends the CCPA. Below is a brief summary of the key changes under the California Privacy Rights and Enforcement Act of 2020 (CPRA), which became law with the passage of Proposition 24:

Changes to covered businesses: The CPRA expands the criteria for determining whether businesses are covered under the data privacy law. As amended, the requirements will apply to a business that (1) has greater than $25 million in annual revenue; (2) buys, sells or shares PI of 100,000+ consumers or households; or (3) derives at least 50% of annual revenue from selling or sharing consumer personal information. The CPRA increases the annual threshold to 100,000 or more consumers or households, which will exempt some small businesses. However, businesses that generate most of their revenue from sharing (not just selling) PI are now covered, which expands the reach of the CCPA.  

New protections for “sensitive personal information”: The CPRA defines certain types of personal data as “sensitive.” Examples include social security and driver’s license numbers; financial account and login information; precise geolocation; race, ethnicity, religious or philosophical beliefs, or union membership; content of nonpublic communications (mail, email and text messages); genetic data; biometric or health information; and sex life or sexual orientation information. Consumers can direct businesses to limit use of their sensitive personal data only to (1) provide requested services or goods and (2) fulfill key business purposes (such as providing customer service).

New consumer privacy rights: The CPRA creates additional privacy rights. Notably, consumers could direct businesses to not share their personal data and direct businesses to take reasonable efforts to correct personal data that they possess.

Changes to existing penalties: The CPRA establishes a new penalty of up to $7,500 for violations involving the consumer privacy rights of minors. The amendments also remove the ability of businesses to avoid penalties by addressing violations within 30 days of being notified of the violation. Additionally, the CPRA imposes penalties for data breaches of email addresses along with information that would permit access to an account, such as a password. Under the amendments, businesses that suffer data breaches due to the lack of reasonable security procedures can no longer avoid penalties by putting them in place within 30 days after the breach.

New enforcement agency: Proposition 24 establishes the California Privacy Protection Agency (CPPA) to oversee and enforce the state’s consumer privacy laws. CPPA will be governed by a five-member board and have a wide range of responsibilities, including the authority to investigate violations, assess penalties, and develop regulations.

What’s Next?

The bulk of the changes mandated under the CPRA are slated to take effect on January 1, 2023. Businesses must begin to understand these new regulations and prepare to comply with the expanded terms.

If you have questions, please contact us

If you have any questions or if you would like to discuss the matter further, please contact me, Maryam Meseha, or the Scarinci Hollenbeck attorney with whom you work, at 201-896-4100.