10 November 2020

Proposition 24: California votes to further restrict companies’ use of consumer personal data


Gina Bibby
Partner | US

During the November 3, 2020 general election, a majority of California voters approved Proposition 24, which is more restrictive than the currently enacted California Consumer Privacy Act of 2018 (CCPA) and makes it easier for people to opt out of having their personal data shared, collected, or processed.

The new law, called the California Consumer Privacy Rights and Enforcement Act of 2020 (CCPREA), requires that businesses not share a consumer’s personal information with third parties upon the consumer’s request. The CCPREA also requires that businesses disclose whether the business collects “sensitive personal information,” the types of “sensitive personal information” collected, the purpose for which the “sensitive personal information” is collected, and the length of time that the business intends to retain the “sensitive personal information.” [1] The CCPREA further requires that businesses provide consumers with an opt-out option for having their “sensitive personal information” used or disclosed for advertising or marketing.

The CCPREA also requires that businesses obtain permission before collecting data from consumers who are younger than 16; obtain permission from a parent or guardian before collecting data from consumers who are younger than 13; and correct a consumer’s inaccurate personal information upon the consumer’s request.

The requirements listed above are in addition to the requirements under the CCPA, which requires businesses to, upon a consumer’s request, disclose to the consumer the personal information that has been collected about the consumer and the commercial purpose for which the information is collected; not sell the consumer’s personal information to third parties; and delete the consumer’s personal information.

Changed Penalties for Violations and Data Breaches under the CCPREA

The CCPREA adopts new penalties and modifies certain CCPA penalties. New penalties include fines of up to $2,500 for each violation; fines of up to $7,500 for each similar violation involving the information of a person under the age of 16; and fines of up to $750 per consumer per data breach incident or actual damages, whichever is greater. Additionally, whereas the CCPA gives businesses 30 days to address and fix violations and data breaches before imposing fines, the CCPREA eliminates this 30-day notice period.

What Type of Business Must Comply with CCPREA?

As with the CCPA, only certain types of businesses are required to comply with the CCPREA. For example, both the CCPA and the CCPREA apply to businesses that earn $25 million or more in annual revenue or earn 50 percent or more of their annual revenue from selling consumers’ personal information.

Additionally, businesses that control the sharing, purchasing, or selling of the personal information of 100,000 or more consumers or households each year must also comply with the CCPREA. By contrast, the CCPA applies to businesses that purchase, sell, or share the personal information of 50,000 or more consumers, households, or devices each year.

What Type of Data is Exempted under the CCPREA?

The CCPREA exempts certain types of information used for certain purposes, including vehicle information or vehicle ownership information retained or shared between vehicle dealers and manufacturers for the purpose of vehicle repairs. It also exempts a consumer’s credit standing, reputation, and worthiness for the purpose of consumer reports, and personal information collected by a business for a job application that is used within the context of the consumer’s role as a job applicant, employee, or independent contractor.

The CCPREA further exempts emergency contact information collected by a business and used within the context of having the information on file for emergency contact purposes. It exempts personal information collected by a business that is needed to administer employment benefits, and personal information reflecting a written or verbal communication or a transaction between a business and an employee, owner, or independent contractor. Finally, the CCPREA exempts a student’s grades, educational scores, or educational test results held on behalf of a local education agency.

What Should Companies Do Next?

At this point, companies must watch and wait. The next step in the CCPREA’s implementation is establishing a California Privacy Protection Agency (CPPA, not to be confused with the CCPA), whose five-member governing board [2] will, among other things, implement and enforce California consumer data privacy law consistent with the CCPREA. In the meantime, companies can review current partner agreements to assess what may need to be revised, and think about practical things like how to implement “Do Not Share My Data” buttons on their websites or honor user browser settings that tell the company’s website not to share the user’s data. The new law is scheduled to take effect in January 2023.


Footnotes

1 The CCPREA defines “sensitive personal information” as personal information that reveals a consumer’s social security or driver’s license number, state identification card or passport number, racial or ethnic origin, religious or philosophical beliefs, and union membership. Such information also includes precise geolocation, genetic, sexual orientation, and specified health information about a consumer. “Sensitive personal information” further includes the contents of a consumer’s mail, e-mail, or text messages (unless the business is the intended recipient of the communication) and a consumer’s biometric information (for the purpose of identifying the consumer).
2 Under the CCPREA, the chair of the five-member board will be appointed by the governor of California. The remaining four members will be appointed by the governor, attorney general, Senate Rules Committee, and speaker of the assembly. It is worth noting that each member of the five-member board is required to have expertise or experience in privacy and technology.

Gina Bibby Partner | Los Angeles
