While the Nation Focused on the Presidential Race, California Expanded Its Privacy Laws and “Yes” Non-California Businesses Are Likely Impacted

While the eyes of the nation were keenly focused on the Presidential race, California voters passed Proposition 24, the California Privacy Rights Act (CPRA), which will further reinforce and redefine the state’s California Consumer Privacy Act (CCPA), which went into effect January 1, 2020.

In a nutshell, the CPRA closes a number of loopholes in the CCPA, strengthening consumer privacy protections and requiring the creation of a privacy enforcement agency, the California Privacy Protection Agency (the Agency). The Agency will assume the California Department of Justice – Office of the Attorney General’s responsibility for taking enforcement actions under California’s privacy laws, be a regulator, and issue guidelines for entities and organizations subject to the laws. The Agency will be installed by either July 1, 2021, or six months after the CCPA is ready to make rules, whichever occurs later.

Another key point is that the CPRA removed the ability of businesses to fix violations before being penalized. In addition, and on top of the notice and data subject right requirements now in effect under the CCPA, the CPRA will require businesses to do all of the following:

• Avoid sharing a consumer’s personal information upon the consumer’s request;
• Provide consumers an opt-out option for having their sensitive personal information, which is defined in the CCPA, used or disclosed for advertising or marketing purposes;
• Obtain permission before collecting data from consumers under the age of 16;
• Obtain permission from a parent/guardian before collecting data from consumers under the age of 13; and
• Correct a consumer’s inaccurate personal information upon the consumer’s request.

The new requirements with respect to minor consumer data contain some elements required under the Children’s Online Privacy Protection Act (COPPA) but adds some significant protections, including permission prior to collection. 

The installation of the Agency will mean that businesses will need to review their privacy policies and procedures, ensuring they are compliant, or risk being sent a notice for negligence, audit, enforcement, etc. Businesses must also have an end-to-end automated solution that can fully process data subject requests rights, which includes their right to know, right to delete, and right to opt-out of the sale of their personal information, and provide consumers a seamless interaction when exercising their privacy rights.

Other provisions include further extensions of the employee exception and the business-to-business exceptions in the CCPA to January 1, 2023. (We discussed these exceptions in more detail late last year in our piece titled “CCPA Amendments Pass Adding Some Clarity to Scope and Industry Breathing Room Especially to B2B Businesses.”)

As a reminder, the CCPA, and now the CPRA, does not just apply to companies doing business in California. Rather, it applies to any business that has gross revenue of $25 million, that has the personal data of more than 50,000 “consumers, households, or devices”, or earns more than half its revenue selling consumers’ personal data.

These changes, which will not go into full force and effect until January 2023 (with a “look back” period to data collected on or after January 2022), bring California more in line with the European Union’s General Data Protection Regulation (GDPR) and further solidifies California as having the strongest legislative consumer privacy protections in the United States. For businesses, it means they will need to review their privacy policies and procedures, specifically their data subject right notifications and request structures, and modify them as necessary to comply with the new legal requirements.

Unlike the CCPA, the CPRA cannot be repealed by the California legislature, but may be amended. It is also important to remember that, while the CPRA has passed, there are many details that will be further clarified and defined through regulation. So, while many businesses may want to get started on their compliance, starting too early and/or going too far may result in spending more money to make changes or fixes once the regulations are issued.