California voters recently approved Proposition 24, formally known as the California Privacy Rights and Enforcement Act Initiative
Since taking effect on January 1, 2020, the CCPA has faced criticism from both business and consumer privacy groups due to its ambiguity. The Privacy Rights and Enforcement Act seeks to strengthen and clarify the CCPA, as well as establish a dedicated enforcement agency.
California Consumer Privacy Act
Former Gov. Jerry Brown signed the California Consumer Privacy Act of 2018 (CCPA) into law on June 28, 2018. Effective January 1, 2020, it grants consumers the right to request that a business disclose the following:
The categories of personal information (PI) it has collected about that consumer;
The categories of sources from which the PI is collected;
The business or commercial purpose for collecting or selling PI;
The categories of third parties with whom the business shares PI; and
The specific pieces of PI it has collected about that consumer.
The CCPA also includes a number of other data protections for consumers. It grants a consumer the right to request deletion of PI and mandates that businesses to delete such information upon receipt of a verified request. Consumers also have the right to request that a business that sells the consumer’s PI, or discloses it for a business purpose, disclose the categories of information that it collects and categories of information and the identity of 3rd parties to which the information was sold or disclosed. The CCPA also authorizes a consumer to opt out of the sale of personal information by a business and prohibits the business from discriminating against the consumer for exercising this right.
The CCPA applies to for-profit business entities that conduct business in California, collect consumers’ personal information, alone or jointly with others determine the purposes or means of processing that data, and meet one or more of the following criteria: (1) have annual gross revenues greater than $25 million; (2) buy, receive, sell, or share personal information of 50,000 or more consumers annually; or (3) derive 50 percent or more of its annual revenues from selling consumers’ personal information.
Businesses can face penalties of up to $2,500 for each violation of CCPA requirements. Penalties increase to up to $7,500 for intentional violations. Penalties only may be applied if businesses fail to address the violation within 30 days of being notified of the violation. The California Department of Justice (DOJ) is authorized to impose these penalties.
The CCPA also includes a private right of action. When a breach of personal information occurs due to a business’ failure to implement and maintain reasonable safeguards to protect that information, the law entitles aggrieved consumers to pursue statutory damages of no less than $100 and no more than $750 per consumer per incident, or actual damages, whichever is greater.
Data Privacy Requirements Under Proposition 24
On November 3, 2020, California voted to pass the Proposition 24 ballot initiative, which significantly amends the CCPA. Below is a brief summary of the key changes under the California Privacy Rights and Enforcement Act of 2020 (CPRA), which became law with the passage of Proposition 24:
Changes to covered businesses: The CPRA expands the criteria for determining whether businesses are covered under the data privacy law. As amended, the requirements will apply to a business that (1) has greater than $25 million in annual revenue; (2) buys, sells or shares PI of 100,000+ consumers or households; or (3) derives at least 50% of annual revenue from selling or sharing consumer personal information. The CPRA increases the annual threshold to 100,000 or more consumers or households, which will exempt some small businesses. However, businesses that generate most of their revenue from sharing(not just selling) PI are now covered, which expands the reach of the CCPA.
New protections for “sensitive personal information”: The CPRA defines certain types of personal data as “sensitive.” Examples include social security and driver’s license numbers; financial account and login information; precise geolocation; race, ethnicity, religious or philosophical beliefs, or union membership; content of nonpublic communications (mail, email and text messages); genetic data; biometric or health information; and sex life or sexual orientation information. Consumers can direct businesses to limit use of their sensitive personal data only to (1) provide requested services or goods and (2) fulfill key business purposes (such as providing customer service).
New consumer privacy rights: The CPRA creates additional privacy rights. Notably, consumers could direct businesses to not share their personal data and direct businesses to take reasonable efforts to correct personal data that they possess.
Changes to existing penalties: The CPRA establishes a new penalty of up to $7,500 for violations involving the consumer privacy rights of minors. The amendments also remove the ability of businesses to avoid penalties by addressing violations within 30 days of being notified of the violation. Additionally, the CPRA imposes penalties for data breaches of email addresses along with information that would permit access to an account, such as a password. Under the amendments, businesses that suffer data breaches due to the lack of reasonable security procedures can no longer avoid penalties by putting them in place within 30 days after the breach.
New enforcement agency: Proposition 24 establishes the California Privacy Protection Agency (CPPA) to oversee and enforce the state’s consumer privacy laws. CPPA will be governed by a five-member board and have a wide range of responsibilities, including the authority to investigate violations, assess penalties, and develop regulations.
What’s Next?
The bulk of the changes mandated under the CPRA are slated to take effect on January 1, 2023. Businesses must begin to understand these new regulations and prepare to comply with the expanded terms.
If you have questions, please contact us
If you have any questions or if you would like to discuss the matter further, please contact me, Maryam Meseha, or the Scarinci Hollenbeck attorney with whom you work, at 201-896-4100.
Breach of Contract Explained: Types and Consequences
Breach of contract disputes are the most common type of business litigation. Therefore, nearly all New York and New Jersey businesses will likely have to deal with a contract dispute at least once. Understanding when to file a breach of contract lawsuit and how long you have to sue for breach of contract is essential […]
How to Dissolve a Corporation in New Jersey: A Step-by-Step Guide
Closing your business can be a difficult and challenging task. For corporations, the process includes formal approval of the dissolution, winding up operations, resolving tax liabilities, and filing all required paperwork. Whether you need to understand how to dissolve a corporation in New York or New Jersey, it’s imperative to take all of the proper […]
Gross Lease vs. Net Lease: Understanding the Key Differences
Commercial leases can take a variety of forms, which is often confusing for both landlords and tenants. Understanding the different types, especially the gross lease structure, is important when selecting the lease that best suits your needs. One key distinction between lease types is how rent is calculated and paid. This article addresses the two […]
What to Do If You Are Impacted by a Retailer Bankruptcy Part 2
Over the past year, brick-and-mortar stores have closed their doors at a record pace. Fluctuating consumer preferences, the rise of online shopping platforms, and ongoing economic uncertainty continue to put pressure on the retail industry. When a retailer seeks bankruptcy protection, a myriad of other businesses are often impacted. Whether you are a supplier, customer, […]
The Current Administration's Proposals for the Financial Services and Banking Industries Will Affect Your Business
Since his inauguration two months ago, Donald Trump’s administration and the Congress it controls have indicated important upcoming policy changes. These changes will impact financial services policies and priorities. The changes will particularly affect cryptocurrency, as well as banking rules and regulations. Key Regulatory Changes in Cryptocurrency For example, in the burgeoning cryptocurrency business environment, […]
Tips for Commercial Landlords Impacted by Wave of Retailer Bankruptcies Part 1
The retail sector has experienced a wave of bankruptcy filings over the last year. Brick-and-mortar businesses in financial distress include big-name brands like Big Lots, Party City, The Container Store, and Vitamin Shoppe. When large retailers seek bankruptcy protection, they are not the only businesses impacted. Landlords can be particularly hard hit. While commercial landlords […]
No Aspect of the advertisement has been approved by the Supreme Court. Results may vary depending on your particular facts and legal circumstances.
Sign up to get the latest from our attorneys!
Explore What Matters Most to You.
Consider subscribing to our Firm Insights mailing list by clicking the button below so you can keep up to date with the firm`s latest articles covering various legal topics.
Stay informed and inspired with the latest updates, insights, and events from Scarinci Hollenbeck. Our resource library provides valuable content across a range of categories to keep you connected and ahead of the curve.
Let`s get in touch!
Sign up to get the latest from the Scarinci Hollenbeck, LLC attorneys!
