While many marketers and media companies are settling into the realities of data compliance under the CCPA, a new ballot initiative is positioned to increase the requirements for data privacy compliance. On November 6th, CA voters will vote on Prop 24, which is intended to change existing consumer privacy requirements. Based on the latest polling from the Yes on Prop 24 campaign, 77% of likely voters will vote yes on the ballot measure. This means that marketers will need to prepare for changing laws that will add new privacy requirements, define time periods for how long a business can retain data, and further restrict the ways data can be used. Ultimately, should Prop 24 pass, it will require further investigation to determine the specific impact on each business's data collection and use practices.
Background on CCPA Path to CPRA
For background on the current data privacy regulation, July 1 marked the official start of legal enforcement of the California Consumer Privacy Act (CCPA), which was voted into law by the California legislature. CCPA has national implications, as it became the first major privacy law giving consumers in the United States control over their personal information.
For reference, CCPA applies to for-profit businesses that do business in California and meet any of the following:
- Have $25 million or more in gross annual revenue.
- Possess the personal data of more than 50,000 “consumers, households, or devices”.
- Earn more than half of their annual revenue from selling consumers’ personal data.
Regulations were outlined to cover the personal information that businesses are collecting, how that data is being used, and how consumers can opt out of the data being sold. On the heels of the beginning of enforcement, a follow-up act has been proposed here in California and has made the November 2020 ballot. The proposed addendum is highly likely to pass, given that CA only requires a simple majority on ballot measures and this measure would seemingly make CCPA stronger.
The California Privacy Rights Act (CPRA) would make CCPA stronger by creating a new government agency dedicated to handling enforcement and compliance with the new privacy regulations. CPRA isn’t a different law but is an expansion of the current law, which strengthens protections for consumers and clarifies some of the more unclear compliance questions for organizations. The CPRA is a law not just on “selling” consumer data, which is what the language of the CCPA refers to, but also on “sharing” it.
Having an agency dedicated to CCPA would lead to more businesses being in compliance and to more consistent enforcement of penalties.
CPRA would become effective on January 1, 2021, with most compliance obligations required by January 1, 2023. The CPRA would apply only to personal information collected after January 1, 2022, and CPRA would extend the CCPA’s temporary business-to-business and employee data exemptions (which are scheduled to sunset on January 1, 2021) until January 1, 2023.
Until January 1, 2023, businesses would need to comply with the CCPA and any finalized regulations in force (which could mean both CCPA and CPRA regulations). The Attorney General would preserve its authority to issue CCPA regulations and enforce them during this period, and a new privacy agency would be formed with its own rule-making and enforcement authority. Other key changes under CPRA include:
- Expanding privacy rights of action and increasing companies’ breach liability
- Requiring annual audit/risk assessments for high-risk processing
- Providing additional rights for sensitive personal information
- Enhancing consumer rights, including:
  - Right of correction for consumers
  - Right to opt out of companies using geolocation data
  - Right to restrict the use of sensitive personal information and profiling activities
  - Expanding the right to know
- Stricter definitions: CPRA defines “sensitive personal information” more narrowly than “personal information”; “sensitive personal information” includes government-issued identifiers (e.g., Social Security numbers, driver’s license numbers, passport numbers), account credentials, financial information, precise geolocation, race or ethnic origin, religious beliefs, the contents of certain types of messages (e.g., mail, e-mail, text), genetic data, biometric information, and other types of information.
CCPA's regulations have been criticized for being too vague: most companies knew they had to comply with the law but were left wondering how to comply. Requests to clarify details of the law were met by assurances from the California Attorney General that more information would become available, but some businesses are still in limbo. CCPA became effective on January 1, 2020, and enforcement began on July 1, 2020. The new privacy agency (the CPPA) should solve some of these issues, as it will be tasked with informing businesses about their compliance (or lack thereof) with the CCPA and CPRA while potentially helping offending companies get their privacy practices back on track.
Fines for non-compliance with California's new privacy law depend on the offense and other factors. Civil penalties start at $2,500 per violation for non-compliance that is deemed unintentional. For intentional non-compliance, those fines jump to as much as $7,500 per violation. Then there's the time frame in which the business responds. The CCPA states that if a company can "cure" the non-compliance within 30 days of being notified of the offense, it gets off with a warning. If it can't remedy the situation that fast, it is subject to fines.
For more information on the differences between CCPA and CPRA, along with clearer definitions of the more nuanced verbiage within CCPA, please see this article from Ad Law Access.