California voters have approved Proposition 24, the California Privacy Rights and Enforcement Act of 2020 (CPREA). Although this controversial ballot measure was meant to expand and make permanent the consumer protections within the California Consumer Privacy Act of 2018 (CCPA), privacy groups have expressed concern that the new law will place an unnecessary burden on businesses that are only now learning how to properly comply with the CCPA and that it may actually reduce consumer rights in important ways. Prop 24 was approved with 56 percent of the vote.

Given the essentially unlimited resources of large technology companies and other Silicon Valley–based opponents of the CCPA, the organizers behind Prop 24 feared that the California Legislature could weaken those protections in the future. The only way to reverse the voter-approved CPREA is through a future ballot initiative.

Among other things, the CPREA includes provisions that allow consumers to direct businesses not to share their personal information, remove the time period in which businesses can fix violations before being penalized and create a privacy protection agency to enforce the state's consumer data privacy laws.

What businesses are covered under the CPREA?
The CPREA modifies the criteria for covered businesses under the CCPA to include businesses that:

• Earn $25 million in annual revenue. The CCPA has the same requirement.
• Alone or in combination with service partners annually buy, sell or share personal information of 100,000 or more consumers or households. The CCPA’s threshold is 50,000 or more consumers, households or devices each year. It also does away with the “device” requirement, which has caused confusion due to persons who own multiple devices.
• Earn 50 percent or more of their annual revenue from selling or sharing consumers’ personal information. “Sharing” is a term that relates primarily to use of a consumer’s data for targeted advertising through service partners.

What are the primary changes to protection of customer data?
The law goes into effect in January 2023 and has a “look back” provision to January 2022. It provides consumers with greater control over how businesses collect, use and share their data. Covered businesses will be required to:

• Refrain from sharing or selling a consumer's personal information to third parties upon the consumer's request
• Disclose whether the business collects “sensitive personal information,” the types of sensitive personal information collected, the purpose for which the sensitive personal information would be collected, and the length of time that the business intends to retain the sensitive personal information
• Provide consumers with the ability to opt out of having their sensitive personal information used or disclosed for advertising or marketing
• Correct a consumer's inaccurate personal information upon the consumer's request
• Obtain permission before collecting data from consumers who are younger than 16 years of age
• Obtain permission from a parent or guardian before collecting data from consumers who are younger than 13 years of age.

These requirements are in addition to the mandates of the CCPA, which requires covered businesses, upon the consumer’s request, to:

• Disclose to the consumer the personal information that has been collected about the consumer and the commercial purpose of the information collected
• Refrain from selling a consumer's personal information to third parties
• Delete the consumer’s personal information.

How is “sensitive personal information” defined?
The CPREA expands a consumer’s protectable data. It defines “sensitive personal information” as personal information that reveals:

• A consumer's social security, driver's license, state identification card or passport number
• A consumer's account log-in, financial account, debit card number or credit card number in combination with any required codes, passwords or credentials allowing access to an account
• A consumer's precise geolocation
• A consumer's racial or ethnic origin, religious or philosophical beliefs, or union membership
• The contents of a consumer's mail, email and text messages (unless the business is the intended recipient of the communication)
• A consumer's genetic data
• A consumer's biometric information (for the purpose of identifying the consumer)
• Information concerning the consumer's health
• Information concerning a consumer's sex life or sexual orientation.

There are several exemptions for information used for certain purposes, including consumer credit reports, personal information collected for job applications, emergency contact information collected by a business and personal information needed to administer employment benefits. The consumer data requirements also cannot restrict a business's ability to comply with other laws or valid court orders and subpoenas.

What penalties are available?
The CPREA eliminates the CCPA’s 30-day notice period to cure violations and has adopted the following penalties:

• Up to $2,500 for each violation
• Up to $7,500 for each violation involving the information of a person under the age of 16
• Up to $750 per consumer per data breach incident or actual damages, whichever is greater.

Creation of the California Privacy Protection Agency
The new California Privacy Protection Agency created by the CPREA will initially consist of a five-member board with seats appointed by the governor, the attorney general, the Senate rules committee and the speaker of the Assembly. The new agency’s duties will include developing regulations, providing guidance to businesses and consumers, investigating and adjudicating violations, assessing penalties and promoting public awareness of consumers' rights.

The controversy around Prop 24
Prop 24 has been controversial in terms of both the need for the new law and its likely effect on data privacy. Supporters say that the CPREA will create a system to better enforce the CCPA, give consumers more control over most personal data, allow Californians to shield their precise location from tracking, triple fines on companies that violate the privacy of children and provide increased ability to hold companies accountable for failure to protect consumer data through regulatory enforcement and litigation.

Opponents caution that because the CCPA just went into effect this year, additional time should be allowed before changing it. There is concern that the new law will place an unnecessary burden on businesses that are only now learning how to properly comply with the CCPA and doing so in the midst of a pandemic. Some privacy groups that supported the CCPA, such as the American Civil Liberties Union and the Consumer Federation of California, have opposed Prop 24 on the basis that it may actually reduce consumer rights in important ways. The concerns include the delay of a rule that allows workers to determine what information employers collect about them, the ability of companies to take a consumer’s data when he or she leaves California, and the preference for an “opt-in” system for consumer data collected and sold rather than the ability to “opt out.” Opponents also are critical of the “pay for privacy” section that allows businesses to charge more to a consumer who does not allow the business to use the consumer’s data.

Regardless of the controversy, the CPREA will soon be law in California, and covered businesses should begin to plan for compliance.

For more information on the California Privacy Rights and Enforcement Act of 2020, please contact the author or other members of the Wilson Elser Cybersecurity & Data Privacy Practice. Additional information can be found at www.wilsonelser.com.