Californians took to the polls last week and decisively voted to approve Proposition 24, the California Privacy Rights Act, an amendment to the recently-enacted California Consumer Privacy Act (“CCPA”). The amendments to CCPA law are expected to strengthen protections to what is already the foremost data privacy law in the Country.
How will the amendments change CCPA law?
The following is a non-exhaustive list of some of the changes that Proposition 24 will introduce to CCPA law:
- Altering the definition of a “covered business” in ways that are both beneficial to business and ways that are intrusive;
- The amendment pushes up the threshold of the number of consumers that trigger compliance obligations from 50,000 to 100,000, creating some breathing room for smaller businesses;
- Includes “sharing” data on the list of restricted activities.
- Creating a new “Sensitive Personal Information” category, including information that reveals a consumer’s Social Security Number, passport number, and/or driver’s license number, in conjunction with providing consumers with the ability to notify businesses not to use certain categories of information, including information related to health, religion, race, geolocation, and sexual orientation;
- Providing a right for consumers to request that businesses correct personal information if the consumer finds it to be inaccurate;
- Expanding CCPA law’s “right to know,” by extending a consumer’s right to request what information is sold to information that is also shared (i.e., released, rented, disclosed, made available, transferred, etc.), even where the information is not shared for monetary or other valuable consideration;
- Creating a new California governmental body, the Privacy Protection Agency, that will be tasked with promulgating rules to give effect to CCPA law, as well as enforcing the privacy law, a role that currently is assigned to the California Department of Justice; and
- Tripling the applicable fine amount when violations affect individuals who are younger than 16 years of age.
The CPRA does not become enforceable until 2023. It also extends the current delay of the CCPA’s application to business-to-business communications and human resources data until 2023. This should provide affected companies ample opportunity to study the new law’s prospective impact on their businesses and prepare for compliance implementation.
Compliance with CCPA law
Companies that operate websites must understand the importance of ensuring that their data gathering and sharing practices meet the ever-increasing consumer friendly standards of the CCPA. Businesses should also anticipate that the CCPA will serve as a model for other jurisdictions, including the federal government, for future data privacy legislation. In the interim, it is important to keep apprised of all CCPA-related developments, including any regulations issued by the newly constituted Privacy Protection Agency. As the Privacy Protection Agency is expected to aggressively enforce the law, it is critical to work closely with experienced compliance counsel to ensure that privacy practices and procedures remain compliant with applicable regulations.
If you require assistance with consumer data privacy compliance for your business, please email us at firstname.lastname@example.org, or call us at (212) 246-0900.
The material contained herein is provided for information purposes only and is not legal advice, nor is it a substitute for obtaining legal advice from an attorney. Each situation is unique, and you should not act or rely on any information contained herein without seeking the advice of an experienced attorney.
Similar Blog Posts: