Hot on the heels of the California Consumer Privacy Act (CCPA), California residents this November will vote on Proposition 24. A majority yes vote on Prop 24 would pass the California Privacy Rights Act (CPRA). The CPRA proposes several amendments to the CCPA, such as granting new rights to consumers, imposing greater penalties on businesses for certain violations, and creating a new state enforcement agency, the California Privacy Protection Agency (CPPA).
1. Right to Restrict Use of Sensitive Data
Under the newly added Section 1798.121, consumers now have the right to direct businesses to limit the use of “sensitive personal information.”
As defined in CPRA, sensitive personal information appears to combine the conventional definition of “personally identifiable information” from state breach notification laws with the definition of “special category data” under the GDPR. Accordingly, sensitive personal information is data that may include a Social Security Number, driver’s license number, account log-in/debit/credit card information in combination with password or PIN. It may also include a consumer’s precise geolocation, the contents of their e-mails or texts to others, and racial, religious, biometric, or health data.
If directed to do so, businesses must limit the use of sensitive personal information to only those purposes that are necessary to provide a consumer’s requested services or goods.
To facilitate consumer exercise of this right, businesses may be required to add another link, “Limit the Use of my Sensitive Personal Information,” to their websites, in addition to any existing “Do Not Sell My Personal Information” link.
2. Right to Opt-Out of Cross-Context Behavioral Advertising
The CPRA requires a right of opt-out for “cross-context behavioral advertising” regardless of whether it constitutes a “sale” of personal information or not.
Currently, the CCPA is ambiguous as to whether cross-context behavioral advertising—that is, the collection of a consumer’s activities across different websites or even different devices for the purposes of personalized and targeted advertising—constitutes a sale of personal information. Some affiliates, such as Google, have categorized themselves as a service provider providing marketing and advertising services to the business in order to fall outside the definition of sale. Some other affiliates have put forth the position that they never “sold” personal information, because they only allow advertisers to target broad categories of demographics without identifying a specific individual to the advertiser.
The CPRA is quite clear that such activity requires an opt-out regardless of whether it is a sale of information or not. Should CPRA come into effect, businesses should expect to present consumers with three opt-out choices in total (subject to further clarification from the Attorney General):
- A global opt-out from sale and sharing of personal information
- A choice to “Limit the Use of My Sensitive Personal Information”
- A choice for “Do Not Sell/Do Not Share/Do Not Share my Personal Information for Cross-Context Behavioral Advertising”
3. Employee and Business-to-Business (B2B) Data
Both employee and B2B data are currently exempted from general CCPA coverage, although these exemptions are set to expire January 1, 2021. Under the CPRA, these exemptions would be extended until January 1, 2023.
However, this does not mean that businesses do not have any obligations with respect to employee data under CCPA (and under CPRA). For data belonging to job applicants, employees, and independent contractors, businesses must disclose the categories of personal information that were collected and what purposes the information was collected for, typically within a separate employee privacy notice. CPRA also extends anti-discrimination rights to employees who exercise their rights and then face retaliatory action from their employer.
4. Children’s Data
Children’s privacy and data collection is a particularly sensitive area of regulation. TikTok is commonly scrutinized due to its predominantly younger user base, and settled with the FTC for $5.7 million in 2019 over allegations that it collected children’s data without parental consent.
Under CPRA, fines may be tripled for violations involving children’s information. Currently, businesses are fined $2,500 for each violation and $7,500 for intentional violations under CCPA. Per the amended Section 1798.155 in CPRA, businesses would be fined $2,500 for each violation and $7,500 for intentional and children’s data violations. Given that violations can potentially involve hundreds of thousands of records for medium-sized enterprises and millions for large companies, the fines can be staggering when multiplied.
5. Removal of Notice-and-Cure
Previously, under CCPA, businesses were allowed a thirty (30) day period to cure violations following notice by the California Attorney General’s office. CPRA has quietly removed this notice-and-cure provision through its changes to Section 1798.155. The notice-and-cure provision is often criticized as a “get-out-of-jail-free” card that prevents any real enforcement of CCPA outside of a consumer’s private right of action. If CPRA passes, the removal of this provision means that businesses will need to be more vigilant about getting privacy compliance and privacy implementation correct on the first try.
6. CPPA: New State Enforcement Agency
CPRA will allocate $10 million per year to a new state agency, the CPPA, to investigate and enforce against violations of consumer privacy laws, similar to European data protection authorities. Some portion of this cost will be offset by the proceeds of enforcement actions.
Currently, the California Office of the Attorney General (OAG) enforces the CCPA as part of the office’s functions for protecting consumer rights and prosecuting consumer crimes, amid a host of other duties.
As an agency dedicated solely to privacy regulation, the CPPA would relieve much of the enforcement strain previously placed on the OAG. If CPRA passes, expect to see more enforcement actions.
Likelihood of Prop 24 Passing
Support for Prop 24 is divided among reputable consumer and civil rights organizations, which can make it harder to gauge how likely Prop 24 is to pass. Democratic Presidential candidate Andrew Yang as well as the NAACP have come out in support of Prop 24. However, the ACLU has opposed Prop 24 in official election materials. Other organizations remain neutral, such as the Electronic Frontier Foundation, which has come out as neither endorsing nor opposing Prop 24.
According to recent polling conducted by Redfield & Wilton Strategies, 60% of respondents indicated that they would vote ‘Yes’ on Prop 24, with 17% opposing and 23% undecided. Even if Prop 24 fails to pass, businesses should not breathe a sigh of relief and assume that the trendlines are moving toward deregulation. In fact, the greatest opposition to CPRA is centered on the fact that the law is not protective enough of consumer privacy and has too many loopholes that cater to big tech companies collecting large amounts of data. The pattern is moving toward greater privacy regulation, and CPRA is an experiment in seeing how far the boundary can be pushed.