California Consumer Privacy Law Update

November 2020

This election season brought a number of new propositions to California ballots. Included on the ballot was Proposition 24, the California Privacy Rights Act of 2020 (“CPRA”). It will strengthen California’s already robust consumer privacy protection law – the California Consumer Privacy Act (“CCPA”) – but also add burdensome regulations for businesses across the state. It’s imperative for California business owners to understand how both the CCPA and the new CPRA will affect their businesses. A brief summary of some of the many important requirements follows.

The California Consumer Privacy Act

The CCPA was signed into law by Governor Jerry Brown on June 28, 2018. This landmark law secured new privacy rights for California consumers, including:

  • The right to know about the personal information that a business collects about them and how it is used and shared;
  • The right to delete personal information collected from them (with some exceptions);
  • The right to opt-out of the sale of their personal information; and
  • The right to protection from discrimination for exercising their CCPA rights.

Under the CCPA, if you are a California resident, businesses must, upon your request, (1) disclose what personal information they have about you and what exactly they do with that information, (2) delete your personal information, and (3) not sell your personal information. Residents also have the right to be notified, before or at the time businesses collect your personal information, of the types of personal information they are collecting and what they intend to do with that information. Additionally, businesses cannot make you waive these rights, and any contract provision that says you waive these rights is unenforceable.

The CCPA applies to “for-profit” businesses that do business in California and meet any of the following criteria:

  • Have a gross annual revenue of over $25 million;
  • Buy, receive, or sell the personal information of 50,000 or more California residents, households, or devices; or
  • Derive 50% or more of their annual revenue from selling California residents’ personal information.

California Privacy Rights Act of 2020

The CPRA will increase privacy protections of the CCPA, eventually giving California a law on par with the European Union’s General Data Protection Regulation (GDPR).

The CPRA updates the threshold for types of business that are now required to comply with these privacy laws as follows:

  • Businesses that have gross annual revenue of over $25 million;
  • Businesses that buy, receive, or sell the personal information of 100,000 or more California residents, households, or devices; or
  • Businesses that derive 50% or more of their annual revenue from selling or sharing California residents’ personal information.

The CPRA will also amend the provisions of the CCPA by requiring businesses to do the following:

  • Not share a consumer’s personal information upon the consumer’s request (the CCPA only required a business to not sell personal information upon request);
  • Provide consumers with an “opt-out” option for having their sensitive personal information, as defined in law, used or disclosed for advertising or marketing;
  • Obtain permission before collecting data from consumers who are younger than 16;
  • Obtain permission from a parent or guardian before collecting data from consumers who are younger than 13; and
  • Correct a consumer’s inaccurate personal information, upon the consumer’s request.

Additionally, the CPRA does the following:

  • Limits use of “sensitive personal information,” including precise location, race, religion, sexual orientation, social security information, specified health information and other categories of personal information;
  • Prohibits retention of personal information for longer than necessary;
  • Triples penalties for violations involving minors under 16;
  • Creates a new “California Privacy Protection Agency” to replace the Attorney General’s office as the statute’s enforcer;
  • Expands the private right of action for consumers;
  • Creates new obligations for “opt-out links;” and
  • Removes the ability of businesses to fix violations before being penalized for those violations.

Under both the CCPA and CPRA, businesses are exempt from their requirements when a business complies with federal, state, or local laws and subpoenas. The CPRA also allows law enforcement, engaged in an active investigation, to instruct a business to retain personal information in its possession for between 90 and 180 days in order to give the investigation time to obtain a court-issued warrant, subpoena, or order. Further, the CPRA allows personal information to be shared with government authorities if a person is at risk or in danger of death or serious injury, provided that (1) the government’s request is made by a high-ranking officer for emergency access, (2) the request is based on the agency’s good faith determination, and (3) the agency agrees to petition a court for an appropriate order within three days and to destroy the information if that order is not granted.

Enforcement

The California Privacy Protection Agency, initially funded with $10 million, will be able to issue penalties or citations to businesses that abuse consumers’ data. City and District Attorneys will also be able to sue businesses over violations under the CPRA. The CCPA gave businesses 30 days to fix any violations or breaches before being issued a fine. The CPRA will eliminate the 30-day notice period and adopt the following penalties for violations and data breaches:

  • up to $2,500 for each violation;
  • up to $7,500 for each violation involving the information of a person under the age of 16;
  • up to $750 per consumer per data breach incident or actual damages, whichever is greater.

What This Means for Your Business

The CPRA will not take effect until 2023. However, businesses that are subject to the CCPA should study and understand the new CPRA requirements and how they may cause a need to change operational practices, while continuing to comply with the CCPA. The impact on businesses with a strong online presence may be substantial because the concept of information “sharing” is much broader in scope than “selling”. “Sharing” may be interpreted to include the sharing of customer or site visitor information with third-party vendors or service providers (e.g., marketing and advertising companies or consultants, etc.).

If your business is subject to the CCPA, you should take the following steps to ensure compliance:

  1. Audit your business to determine if it meets one of the thresholds for compliance;
  2. If the CCPA applies to your business, take the following steps:
    1. Develop standards and practices for your business and the way that it handles personal information, including providing a CCPA notice or privacy policy to customers and consumers (this is required by California law);
    2. If your business collects consumer information (e.g., names, addresses, payment information, etc.), determine who you sell or share that information with, if applicable;
    3. If you sell or share personal information of consumers, provide a clear and conspicuous way for consumers to “opt out” of the sale or sharing of their information (e.g., provide a “pop up” notice on your website regarding your CCPA notice/privacy policy with a notice that informs consumers of their right to “opt out” and provide instructions on how to do so);
    4. Ensure that any third parties to whom your business shares or sells personal information maintain a strong privacy policy and comply with applicable privacy laws. It is wise to require that any such third parties agree to maintain the confidentiality of such information (or, better yet, agree to indemnify your business if they fail to do so);
    5. Maintain insurance that covers data breaches and cyber practices;
    6. Make sure your staff understands best practices regarding privacy compliance;
    7. Continuously audit and monitor your business’s privacy practices.

Unfortunately, there are many additional considerations for your business when it comes to complying with California’s current privacy laws, and these considerations will increase when the CPRA takes effect in a couple of years. Should you have any questions about these complex privacy laws, your business’s compliance therewith, or any other legal needs, please reach out to me or one of my FLAS team members.


Dallas N. Verhagen

DVerhagen@FLASllp.com

Direct: (805) 966-4225

DISCLAIMER:  This Advisor is one of a series of business, real estate, employment, estate planning and tax bulletins prepared by the attorneys at Fauver, Large, Archbald & Spray, LLP. This Advisor is not exhaustive, nor is it legal advice. You should discuss your particular situation with us or with your own attorney. Our legal representation is only undertaken through a written engagement letter and not by the distribution or use of this Advisor.

Santa Barbara Office
820 State Street, 4th Floor
Santa Barbara, CA 93101
OFFICE (805) 966-7000
FAX (805) 966-7227
Copyright ©2024 Fauver, Large, Archbald & Spray, LLP. All rights reserved.