On November 3, 2020, California voters approved Proposition 24, an initiative intended to strengthen existing personal data privacy rights. Proposition 24 builds on and will supersede the California Consumer Privacy Act (CCPA) of 2018, that went into effect this past January, and that provides Californians with the ability to better understand how their personal data is being used, along with the right to opt out of certain data collection programs.
The new law is known as the California Privacy Rights Act of 2020 (CPRA). The CPRA creates a new state agency – the California Privacy Protection Agency (PPA) – that will be responsible for enforcing privacy laws, as well as promulgating the rules that will flesh out the broader, statutory language. Before the establishment of the PPA, California’s Attorney General was responsible for enforcing the data privacy law. Even so, Xavier Becerra, California’s current Attorney General, has stated that because of his office’s limited resources, they are able to prosecute only the most serious violations.
The CPRA expands coverage of the data privacy laws to businesses that ‘control’ the purchase, sale or sharing of personal information, which is intended to blunt efforts by some data collectors to outsource the collection process. At the same time, the new statute raises from 50,000 to 100,000 the number of consumers or households whose data is being collected by a business in order for that business to be subject to the law. The new law tightens the sanctioning regime, in part by eliminating the prior law’s 30-day period grace for businesses to correct violations before fines could be imposed.
Under the 2018 law, consumers had a right to obtain information from businesses that sold their personal data. The CPRA expands that to also include businesses that share personal data. The CPRA also creates a new category of “sensitive personal information,” and enables consumers to limit the use of such data, even when properly collected. Sensitive personal information includes such seemingly obvious things as social security, driver’s license, and passport numbers, as well as genetic information, along with other information. Also included within the concept of sensitive personal information is precise geolocation data, defined as “any data that is derived from a device and that is used or intended to be used to locate a consumer within a geographic area that is equal to or less than the area of a circle with a radius of one thousand, eight hundred and fifty (1,850) feet, except as prescribed by regulations.” For rough comparison, a square residential block typically is about 400 feet by 400 feet. A circle with a radius of 1,850 feet has an area of approximately 247 acres.
For those who are bothered by targeted advertising pop-ups that seem magically to appear following web searches (the technical term is “cross-context behavioral advertising”), the new law provides a method for opting out of such advertising. The CPRA also gives consumers the right to request that inaccurate personal information be corrected.
Interestingly, the CPRA permits amendments only to the extent that they further enhance consumer privacy.
On balance, and while the CPRA unquestionably expands consumers’ rights and businesses’ obligations, it also provides some points of clarification as to whether a given business is covered by the statute, and how a covered business is to comply with its data privacy obligations. As with the earlier CCPA, rights and obligations under the CPRA should become clearer once the expected regulations are promulgated.
The CPRA takes effect on January 1, 2023, although it will apply to data collected from January 1, 2022, on.
If you have any questions regarding the issues raised in this client alert, please contact your Labor and Employment counsel at Smith, Gambrell & Russell, LLP.