Proposition 24 Expands Digital Privacy Regulation in California

California voters passed ballot measure Proposition 24, or the California Privacy Rights Act (CPRA), on November 3, 2020. The CPRA builds upon the California Consumer Privacy Act (CCPA) passed in 2018. The CCPA is already one of the strongest privacy laws in the country. The CPRA will come into effect on January 1, 2023. Enforcement will begin on July 1, 2023, giving lawmakers over two years to sort out the details for smooth implementation.

The new legislation gives Californians the right to know what data businesses are collecting about them. It also prohibits businesses from selling that data. Specifically, consumers have the power to tell businesses not to disclose certain categories of identifying information. These categories include race, health, religious affiliation, location, sexual orientation, and biometrics. If the affected individual is younger than 16 years old, the law triples the fines for violations.

Proposition 24 Supporters and Critics

A number of states have attempted to pass ballot measures enhancing digital privacy with varying degrees of success. However, none are quite as strong as the CPRA. The passage of California’s newest privacy law, although not coming into effect until January 1, 2023, could spur legislation on the federal level.

The intent of Proposition 24 is to strengthen digital privacy protection. But critics express a number of reservations with its drafting. They point out that the CPRA contains many ambiguous provisions and it adds significantly more compliance obligations for companies. Moreover, the CPRA also establishes a new administrative enforcement agency called the California Privacy Protection Agency (CalPPA). This agency will have rulemaking, auditing, investigation, and enforcement authority. As a consequence, even minor violations may be at risk of enforcement action by the CalPPA.

Proposition 24 GDPR
Proposition 24 GDPR

GDPR Comparison

Proposition 24 Includes New and Revised Consumer Rights

  • Right to Limit Use of Sensitive Information: The CPRA includes the right to opt-out of data sale or sharing of personal information. The distinction between “selling” and “sharing” data is that “sharing” involves disclosure to a third party without the exchange of monetary value. The CPRA also includes the right to opt-out from secondary use of sensitive information. Companies that discloses sensitive information from secondary use are required to include a “Limit the use of my sensitive personal information” link on their homepage.
  • Right of Correction: The CPRA gives consumers a new right to request a company to correct personal information.
  • Right to Delete: The CPRA expands the ability of consumers to request deletion of personal data.

Data Security

  • Data Retention: The CPRA mandates that companies explicitly state in their privacy notices the criteria for determining the data retention period.
  • Reasonable Security: The CPRA expands ability of individuals to bring a private right of action for a data breach. The scope of data that could qualify for a private right of action now includes compromise of a consumer’s email in combination with a password that would enable access to the consumer’s account.

Additional Third-Party Obligations

  • New “Contractor” Category: The CPRA introduces a new category of “contractors”, which is distinguishable from the existing definitions of “third parties” and “service providers.” It also imposes more specific contracting requirements for businesses selling or sharing personal data with service providers, contractors, and third parties.
  • Children: For children under the age of 16 years old, the CPRA requires affirmative opt-in consent to sell children’s private information. It also triples the CCPA’s fines for the collection and sale of the personal information of children.

Overall, the principles embedded in the CPRA have many parallels with the European GDPR. Time will tell whether the CPRA can be implemented smoothly and whether California’s introduction of the CPRA will influence legislative changes in other jurisdictions.

Ryan Carpenter serves as Attorney and Managing Director of Carpenter Wellington. Ryan advises clients across a broad set of corporate and commercial matters.