California Voters Pass Prop. 24 Amending CCPACalifornia Privacy Rights Act Will Create a State-Level Enforcement Agency
California voters Tuesday passed Proposition 24, the California Privacy Rights Act, which expands upon the recently activated California Consumer Privacy Act specifically when it comes to enforcement and how businesses handle personal data.
The California Secretary of State's office reports Proposition 24 passed with 56.1% of the vote. A long road remains before the legislation goes into full effect. While CPRA becomes operative on Jan. 1, 2021, the rulemaking process for it does not start until July 1, 2021. On Jan. 1, 2022 the 12-month lookback period begins and if all goes as planned, CPRA will become fully operative and enforceable on Jan. 1, 2023.
The CPRA expands the powers under the CCPA by allowing for the creation of a state agency to enforce privacy regulations. It will also further limit what businesses can and cannot do with a person's personal information (see: It's Official: CCPA Enforcement Begins).
"The passage of the California Privacy Rights Act is a major step for data privacy in the United States and will have an overall positive impact on the state of California, its citizens and other states looking to enact data privacy regulations," says Stephen Cavey, co-founder and chief evangelist of Ground Labs.
Heather Federman, vice president of Privacy and Policy at BigID, says one of the most important "new" items is the creation of the first dedicated agency in California - and the U.S. - that would be responsible for privacy.
"The California AG was in charge of enforcing and rulemaking for the CCPA - but it was unlikely a lot of cases would be brought under the office, given their time and budget constraints. This new agency, however, will be solely focused on enforcing the CPRA and drafting regulations that are aligned with the law," Federman says.
The CPRA's fine structure remains the same as under the CCPA with the act stating any business, service provider, contractor or another person that violates the regulation shall be subject to an injunction and/or a civil penalty of not more than $2,500 for each violation or $7,500 for each Intentional violation and each violation involving the personal Information of minor consumers.
The act also weighs in on any civil penalties brought in the name of the state attorney general, saying the court may consider any good-faith cooperation in relation to the violation, such as quickly fixing the issue, by the business, service provider, contractor, or another person when determining the amount of the civil penalty.
CPRA's Basic Regulations
The Proposition was proposed by the San Francisco real estate developer Alastair Mactaggart, who is board chair and founder of the group Californians for Consumer Privacy.
Federman says Mactaggart's desire to create the CPRA just months after the CCPA went into full effect is unusual, but was because of Mactaggart's group being concerned that businesses were "actively and explicitly" weakening the CCPA. So they seized the chance to expand the CCPA with their new ballot initiative.
"Very odd. And honestly, I'm waiting for someone in Hollywood to make a movie out of California privacy legislation. That being said, the oddness here is due to California's ability to allow any Californian to put an initiative or a referendum on the state ballot," Federman says.
When it comes to affecting businesses, the basic core tenets of CPRA differ from the CCPA in two ways. The new regulation doubles the CCPA's threshold number of consumers or households from 50,000 to 100,000, to be held accountable under the regulation.
Next, the regulation has applicability to businesses that generate most of their revenue from sharing personal information, not just selling it. Under CCPA the law applies to businesses making 50% of annual revenue from selling consumer personal information. The CPRA adds selling or sharing such data.
The CPRA retains the CCPA's $25 million or more in annual revenues as the threshold for being under the rule.
The CPRA also adds a new category of personal sensitive information as a dataset to be regulated within the state. This covers:
- Government issued information such as Social Security numbers and drivers' licenses;
- Financial account and login information including credit or debit card number together with login credentials;
- Precise geolocation; race, ethnicity, religious or philosophical beliefs, or union membership;
- Content of nonpublic communications such as mail, email and text messages;
- Genetic data; biometric or health information; and sex life or sexual orientation information.
The CPRA adds several new consumer rights, including the right to request any correction of their PI held by a business if that information is inaccurate; the right to opt-out of automated decision-making technology, the right to access any information gathered by an automated decision making technology and the right to restrict or limit the use and disclosure of sensitive personal information.
Similarities with GDPR
The CPRA allows the state to create the California Privacy Protection Agency which will be used in much the same manner as the EU's General Data Protection Regulation does through its network of Data Protection Authorities. The CPPA will have investigative powers and will bring enforcement actions.
As with GDPR, the CPRA requires businesses collect and store only the bare minimum of information necessary, cannot use the data collected for a purpose outside the reason for its initial purpose and businesses must tell the consumer how long the data will be retained when it is collected.