Professionals
Practices & Industries
The Election Results Are In: The Next Phase of California Privacy Law
On January 1, 2020, the California Consumer Privacy Act (“CCPA”) became effective, ushering in a new era of privacy legislation in the United States. After a long and circuitous journey, on August 14, 2020, the Office of Administrative Law approved the underlying regulations and filed them with the Secretary of State, making them effective immediately. Just as businesses began to get their arms around the legislation and regulations, Californians were asked to vote on a ballot initiative, officially known as Proposition 24, to expand the CCPA.
The legislation at issue in Proposition 24 is the California Privacy Rights and Enforcement Act of 2020 (“CPREA”). The CPREA was sponsored by Californians for Consumer Privacy. This group — headed by Alastair Mactaggart and advised by several prominent Californians— is the same group whose prior initiative led the California Legislature to pass the CCPA. Not satisfied with their earlier efforts, Californians for Consumer Privacy pushed the CPREA to supplement the privacy protections imposed on companies collecting personal information from consumers. On November 3rd, those additional privacy protections became a reality as Californians voted by a margin of 56% to adopt the CPREA.
One of the more significant changes is that the CPREA establishes a new sub-category of personal information called “sensitive personal information.” Sensitive personal information includes data relating to a consumer’s biometric identification, finances, health, and exact location. Businesses collecting sensitive personal information will be required to notify the consumer at or before the time of collection of: (1) the category of information the business will collect; (2) the retention period; and (3) whether the information will be sold by the business. In addition, businesses will also be required to provide a “Limit the Use of My Sensitive Personal Information” link for consumers.
The CPREA also provides consumers with greater control over how businesses collect, use and share their data. For example, consumers may request that a business correct inaccurate personal information maintained by that business. Consumers who are younger than 16 years of age must give their permission before a business can collect their personal information, or, if the consumer is younger than 13 years of age, permission must be obtained from a parent or guardian.
The legislation also establishes a new agency, the California Privacy Protection Agency, to enforce the law. It will initially consist of a five-member board with seats appointed by the Governor, the Attorney General, the Senate Rules Committee and the Speaker of the Assembly. The new agency’s duties will include developing regulations, providing guidance to businesses and consumers, investigating and adjudicating violations, assessing penalties and promoting public awareness of consumers’ rights.
These are but a few of the significant, new requirements that will be imposed upon the business community by the CPREA. The following chart, prepared by the Californians for Consumer Privacy, compares the significant components of the CCPA and CPREA.
| Components | Existing | New |
| Right to Know What Information a Business has Collected About You |  | |
| Right to Say No to Sale of Your Info | | |
| Right to Delete Your Information | | |
| Data Security: Businesses Required to Keep Your Info Safe | | |
| Data Portability: Right to Access Your Information in Portable Format | | |
| Special Protections for Minors | | |
| Requires Easy “Do Not Sell My Info” Button for Consumers | | |
| Provides Ability to Browser with No Pop-ups or Sale of Your Information |  | |
| Penalties if Email Plus Password Stolen Due to Negligence | | |
| Right to Restrict Use of Sensitive Personal Information | | |
| Right to Correct Your Data | | |
| Storage Limitation: Right to Prevent Companies from Storing Info Longer than Necessary | | |
| Data Minimization: Right to Prevent Companies from Collecting More Info than Necessary | | |
| Right to Opt Out of Advertisers Using Precise Geolocation (< than 1/3 mile) | | |
| Ability to Override Privacy in Emergencies (Threat of Injury / Death to a Consumer) | | |
| Provides Transparency Around “Profiling” and “Automated Decision Making” | | |
| Establishes California Privacy Protection Agency to Protect Consumers | | |
| Restrictions on Onward Transfer to Protect Your Personal Information | | |
| Requires High Risk Data Processors to Perform Regular Cybersecurity Audits | | |
| Requires High Risk Data Processors to Preform Regular Risk Assessments | | |
| Appoints Chief Auditor with Power to Audit Businesses’ Data Practices | | |
| Protects California Privacy Law from being Weakened in Legislature | | |
Each red “X” (with its corresponding green “√”) reflects a new hurdle for those doing business in California. So, although the legislation will not take effect until 2023, given the breadth of the requirements, businesses should not delay their efforts to develop a plan to comply with the CPREA.
For more information on preparing for the CPREA contact Michelle Merola (518.736.2917), Gary Schober (716.848.1289), or Patrick Fitzsimmons (716.848.1710) to discuss how Hodgson Russ LLP can assist.
If you received this alert from a third party or from visiting our website, and would like to be added to our Cybersecurity alert mailing list or any other of our mailing lists, please visit us HERE.