California Proposition 24 Adopted
On November 3, 2020, the Golden State voted in favor of Proposition 24, thus expanding the State’s privacy legislation with a new set of rules. The law passed with 56.1% of the vote, despite being debated heavily.
Surprisingly, civil rights organizations such as the ACLU came out in opposition to the Proposition.
Privacy prevailed, and on January 1, 2023, the California Consumer Privacy Act (CCPA) will be succeeded by the California Privacy Rights Act (CPRA) with a one-year look back to January 2022.
What does the California Privacy Rights Act (CPRA) entail?
The CPRA intends to amend the CCPA by adding new definitions, new individual rights, and broadening the enforcement elements of the CCPA.
As was the case with the CCPA, there are still a lot of details to be ironed out in the coming months to ensure the CPRA can be fully operational in 2023.
However, quite a few of the changes are already clear.
Sensitive Personal Information
CPRA introduces the concept of sensitive personal information, which requires more data protection than regular personal information.
Sensitive personal information includes:
- identification numbers such as social security, driver’s license, identity card or passport numbers,
- account credentials,
- credit card details,
- the precise geolocation of a consumer,
- the content of communications via mail, email, and text messages (where the business is not the recipient of the communication), and
- GDPR-aligned data elements such as religious or philosophical beliefs, union membership, health, genetic and biometric data, and information related to an individual’s sex life or sexual orientation.
Under the CPRA, a consumer will have the right to direct a business not to use or disseminate their sensitive information.
If so directed, the business may only use the bare minimum of already collected sensitive personal information that would be needed to deliver the agreed goods or services to the consumer.
The Right to Deletion
This right is already included in the CCPA and will be extended to ensure that service providers cooperate with the deletion of personal information, and to allow businesses to keep a confidential record of deletion requests for future reference.
A Right of Correction
CPRA introduces a right of correction, allowing consumers to request the correction of inaccurate personal information.
It is further clarified that businesses may not ‘punish’ a consumer for exercising their individual rights under the CPRA.
The exception allowing businesses to run loyalty programs and offer premium discounts in return for personal information is made more explicit in the law.
Consumers Will Get Access to More Data
A data access request will no longer be limited to the data collected in the 12 months preceding the consumer’s request.
This does not mean that companies will be forced to retain data longer than they usually do.
But it does mean that if personal information is retained for 24 months, access will also need to be provided for all data collected and used during that entire retention period.
This obligation will apply to all data collected after 1 January 2022, and the intended retention period for personal information needs to be disclosed in the privacy notice.
Concept of Purpose Limitation
CPRA introduces the concept of purpose limitation into the law, ensuring personal information can only be processed for pre-determined specific, explicit, and legitimate purposes.
Data collection will also need to be limited to what is necessary and proportionate.
New Cross-Contextual Behavioral Advertising and Dark Pattern Limitation
Another new limitation relates to cross-context behavioral advertising and the use of so-called dark patterns.
Cross-context behavioral advertising means that advertising publishers can build a profile of an individual to use as part of their advertising efforts.
Under the CPRA, individuals will be able to opt out of such data collection, in part because the definition of a sale is expanded to include the sharing of information without payment.
In short: individuals get a right not to be tracked online if they so wish. To make this even easier, consumers may not be nudged towards accepting the processing of their personal information through the visual presentation of privacy preferences.
Examples include offering a large, brightly colored “accept all” button alongside a much smaller and less conspicuous link to change data collection preferences.
Extended Data Breach Requirements
Unauthorized access to personal information that is both non-encrypted and non-redacted, or to a combination of an email address and a password or security question and answer that would allow access to an account, is considered a data breach.
Under the CPRA, individuals have the right to claim compensation and other relief that is considered necessary by a court. Companies may also face administrative enforcement for breaches caused by insufficient data security.
California Gets a New Enforcement Agency
From the enforcement perspective, the CPRA introduces a new enforcement agency in California, comparable to data protection supervisory authorities elsewhere in the world.
The California Privacy Protection Agency (CPPA) will be governed by a five-person board; two members will be appointed by the California Governor and the others by the California Assembly, the Senate, and the Attorney General.
The CPPA will, among other things, be allowed to investigate violations of the law, conduct hearings and compel testimony, issue cease-and-desist orders, and impose monetary sanctions.
Lastly, the CPPA will also provide further guidance on the application and implementation of the CPRA.
How Can You Prepare for the CPRA?
Although some of the supporting provisions of the CPRA, including the establishment of the CPPA, have already come into force, the main requirements won’t apply until January 2023.
This includes an extension of the CCPA’s current exception for employee data until 2023. But keep in mind that companies operating in California will still need a process in place for handling employee privacy.
Start by documenting the purposes for your data processing and which personal information is necessary and proportionate to achieve those purposes.
It will also be helpful to document which categories of sensitive personal information are being processed.