This election season brought a number of new propositions to California ballots. Included on the ballot was Proposition 24, the California Privacy Rights Act of 2020 (“CPRA”). It will strengthen California’s already robust consumer privacy protection law – the California Consumer Privacy Act (“CCPA”) – but also adds burdensome regulations for businesses across the state. It’s imperative for California business owners to understand how both the CCPA and the new CPRA will affect their businesses. A brief summary of some of the many important requirements follows.
The California Consumer Privacy Act
The CCPA was signed into law by Governor Jerry Brown on June 28, 2018. This landmark law secured new privacy rights for California consumers, including:
- The right to know about the personal information that a business collects about them and how it is used and shared;
- The right to delete personal information collected from them (with some exceptions);
- The right to opt-out of the sale of their personal information; and
- The right to protection from discrimination for exercising their CCPA rights.
Under the CCPA, if you are a California resident, businesses must, upon your request, (1) disclose what personal information they have about you and what exactly they do with that information, (2) delete your personal information, and (3) not sell your personal information. Residents also have the right to be notified, before or at the time a business collects their personal information, of the types of personal information being collected and what the business intends to do with that information. Additionally, businesses cannot make you waive these rights, and any contract provision that says you waive these rights is unenforceable.
The CCPA applies to “for-profit” businesses that do business in California and meet any of the following criteria:
- Have a gross annual revenue of over $25 million;
- Buy, receive, or sell the personal information of 50,000 or more California residents, households, or devices; or
- Derive 50% or more of their annual revenue from selling California residents’ personal information.
California Privacy Rights Act of 2020
The CPRA will increase privacy protections of the CCPA, eventually giving California a law on par with the European Union’s General Data Protection Regulation (GDPR).
The CPRA updates the thresholds for the types of businesses that are required to comply with these privacy laws as follows:
- Businesses that have gross annual revenue of over $25 million;
- Businesses that buy, receive, or sell the personal information of 100,000 or more California residents, households, or devices; or
- Businesses that derive 50% or more of their annual revenue from selling or sharing California residents’ personal information.
The CPRA will also amend the provisions of the CCPA by requiring businesses to do the following:
- Not share a consumer’s personal information upon the consumer’s request (the CCPA only required a business to not sell personal information upon request);
- Provide consumers with an “opt-out” option for having their sensitive personal information, as defined in law, used or disclosed for advertising or marketing;
- Obtain permission before collecting data from consumers who are younger than 16;
- Obtain permission from a parent or guardian before collecting data from consumers who are younger than 13; and
- Correct a consumer’s inaccurate personal information, upon the consumer’s request.
Additionally, the CPRA does the following:
- Limits use of “sensitive personal information,” including precise location, race, religion, sexual orientation, social security information, specified health information and other categories of personal information;
- Prohibits retention of personal information for longer than necessary;
- Triples penalties for violations involving minors under 16;
- Creates a new “California Privacy Protection Agency” to replace the Attorney General’s office as the statute’s enforcer;
- Expands the private right of action for consumers;
- Creates new obligations for “opt-out links;” and
- Removes the ability of businesses to fix violations before being penalized for those violations.
Under both the CCPA and CPRA, businesses are exempt from their requirements when a business complies with federal, state, or local laws and subpoenas. The CPRA also allows law enforcement, engaged in an active investigation, to instruct a business to retain personal information in its possession for between 90 and 180 days in order to give the investigation time to obtain a court-issued warrant, subpoena, or order. Further, the CPRA allows personal information to be shared with government authorities if a person is at risk or in danger of death or serious injury, provided that (1) the government’s request is made by a high-ranking officer for emergency access, (2) the request is based on the agency’s good faith determination, and (3) the agency agrees to petition a court for an appropriate order within three days and to destroy the information if that order is not granted.
The California Privacy Protection Agency, initially funded with $10 million, will be able to issue penalties or citations to businesses that abuse consumers’ data. City and District Attorneys will also be able to sue businesses over violations under the CPRA. The CCPA gave businesses 30 days to fix any violations or breaches before being fined. The CPRA eliminates the 30-day notice period and adopts the following penalties for violations and data breaches:
- up to $2,500 for each violation;
- up to $7,500 for each violation involving the information of a person under the age of 16;
- up to $750 per consumer per data breach incident or actual damages, whichever is greater.
What This Means for Your Business
The CPRA will not take effect until 2023. However, businesses that are subject to the CCPA should study and understand the new CPRA requirements and how they may cause a need to change operational practices, while continuing to comply with the CCPA. The impact on businesses with a strong online presence may be substantial because the concept of information “sharing” is much broader in scope than “selling.” “Sharing” may be interpreted to include the sharing of customer or site visitor information with third-party vendors or service providers (e.g., marketing and advertising companies or consultants).
If your business is subject to the CCPA, you should take the following steps to ensure compliance:
- Audit your business to determine if it meets one of the thresholds for compliance;
- If the CCPA applies to your business, take the following steps:
  - If your business collects consumer information (e.g., names, addresses, payment information, etc.), determine who you sell or share that information with, if applicable;
  - Maintain insurance that covers data breaches and cyber practices;
  - Make sure your staff understands best practices regarding privacy compliance;
  - Continuously audit and monitor your business’s privacy practices.
Unfortunately, there are many additional considerations for your business when it comes to complying with California’s current privacy laws, and these considerations will increase when the CPRA takes effect in a couple of years. Should you have any questions about these complex privacy laws, your business’s compliance therewith, or any other legal needs, please reach out to me or one of my FLAS team members.
Dallas N. Verhagen
Direct: (805) 966-4225
DISCLAIMER: This Advisor is one of a series of business, real estate, employment, estate planning and tax bulletins prepared by the attorneys at Fauver, Large, Archbald & Spray, LLP. This Advisor is not exhaustive, nor is it legal advice. You should discuss your particular situation with us or with your own attorney. Our legal representation is only undertaken through a written engagement letter and not by the distribution or use of this Advisor.