Prop 24: Everything you need to know
A majority of Californians voted to pass Prop 24 in November’s election, approving the California Privacy Rights Act or CPRA. The Act forces companies to give greater freedom to consumers regarding data collection and establishes a state agency -- The California Privacy Protection Agency -- to work on behalf of consumers and regulate companies. The restrictions on data collection are similar to but stronger than those under the California Consumer Privacy Act or CCPA, which went into effect this year.
Here’s everything you need to know about the new law and how it may affect your work as a GC and lawyer.
A quick rundown of the law
The CPRA builds on the CCPA. The main difference is that the CPRA gives consumers slightly more rights in controlling their data, and it encompasses the processing of more sensitive personal data than the CCPA. Also, rather than being governed by the Attorney General, companies will be governed by the California Privacy Protection Agency under the CPRA.
The gist of the CPRA is that companies that buy, sell or share personal data must make consumers aware of what they’re doing, give them a clear opportunity to opt out and prove to the California Privacy Protection Agency they have a legitimate business reason for processing the data -- a reason that outweighs the consumers’ risk in giving up the data.
What counts as personal data
See a full list. But here are a few common types:
- Social Security numbers
- Postal addresses
- Browsing and search history
The newly added types of personal data that are considered to be more “sensitive” include precise location, religion, race, biometric data and health info.
Small and midsize businesses are mostly exempt
According to an analysis by the state of California, the CPRA applies only to companies involved in the buying, selling and sharing of California residents’ personal information that meet any one of the following benchmarks:
- Earn more than $25 million in annual revenues
- Buy, share or sell the data of at least 100,000 consumers or households per year (this threshold is higher than under the CCPA, which applied to companies buying, selling or sharing the data of 50,000 or more consumers)
- Earn more than 50% of annual revenue from selling or sharing data of California consumers
What covered companies must do
The end goal of the CPRA is to give consumers more authority over their own personal data. To accomplish that goal, the law essentially forces companies to stop collecting/selling/sharing personal data of people who have opted out and to prove they are protecting any data they have collected.
The various steps required for compliance are specific and lengthy and can be seen in full here, with much of the most relevant info in Sections 4, 12 and 13. Below are a few of the key provisions, most of which are new or at least modified under the CPRA (Jones Day also breaks out a few key definitions).
- Notify customers before collecting data and set up a process for them to opt out of the collection/sharing/selling. The notification must be available in a “clear and conspicuous link” on the business’ homepage that says “Do Not Sell or Share My Personal Information.” Customers also have the right to receive reports on how their data is being used.
- Offer a link allowing customers to share only as much personal data with the business as is needed for the business to perform its function (companies may combine into one link the option for a total opt-out of data collection and a limited opt-out).
- Companies may offer payments or discounts to consumers in exchange for them sharing personal data.
- Disclose to consumers their ability to correct and delete personal information, and do so upon consumer request. Companies must notify any third parties to which they have sold information about deletion requests. But companies do not have to delete personal information if it is deemed necessary for security reasons.
- Report to the California Privacy Protection Agency “on a regular basis” a risk assessment that weighs the benefit of processing personal information versus the risk of processing the information. The goal is for the Agency to limit or restrict processing of the information if the risks are determined to be higher than the companies’ benefit.