Californians pass Proposition 24: The CPRA
On November 3, 2020, the California Privacy Rights Act (CPRA) was passed. The CPRA builds upon the California Consumer Privacy Act (CCPA) and solidifies California’s position of having the strongest privacy laws in the United States.
Last autumn, Californians for Consumer Privacy, the nonprofit behind the 2018 ballot initiative for the CCPA, announced a new ballot measure and subsequent amendments to significantly expand the CCPA. Alastair Mactaggart, founder of Californians for Consumer Privacy, said that the CCPA ended up with weaker privacy protections after multiple rounds of amendments altered or removed key areas from his original ballot measure. In an effort to strengthen the CCPA, Mactaggart drafted the CPRA in the form of a 52-page ballot measure.
The ballot measure appeared on Californians’ ballots as Proposition 24 and appears to have been voted in comfortably above the 50% threshold needed to pass (with 72% of the votes tallied it stands at 56%). The results will be certified by December 11th, 2020. The CPRA will function to close some of the loopholes that businesses had used to skirt around the law under the CCPA, specifically related to the sale of consumer data. The data privacy law grants consumers more control over how companies use their information and establishes a new enforcement agency. While many of the revisions won’t be enforceable until 2023, the CPRA does align California’s privacy regulations more closely with Europe’s General Data Protection Regulation (GDPR). Here are the most important changes California’s new data privacy law introduces:
The CPRA adds a “sensitive personal information” category of data
Existing CCPA law does not include a special category of sensitive data. Now, the CPRA adds the concept of “sensitive personal information” that includes social security numbers, driver's license and passport numbers, precise geolocation, race and ethnicity, genetic data, biometric data and sexual orientation. This special category of data will be subject to limited processing. Businesses must inform consumers if they are collecting sensitive personal information, the purpose for the collection, whether such data will be sold or shared and how long the data will be stored. Customers will have the right to limit the use of their sensitive information at any time, increasing the importance for companies to weigh the business impact of collection and usage of this type of data with the potential compliance risk.
The privacy law also grants a host of new rights to consumers
The CPRA further grants consumers the following rights:
The right to correct data collected about you (a key feature of the GDPR).
The right to restrict use of sensitive personal data.
The right to restrict storage of data longer than is necessary.
The right to restrict the collection of more data than is necessary.
The right to restrict use of precise geolocation.
The right to reject automated decision-making and profiling.
The CPRA strengthens consumers’ rights to opt out to cover sharing of data
Additionally, the right to opt out has been extended to cover data sharing as well as selling. This comes with the strengthening of the “Do Not Sell” provision of the CCPA, as the law now states more explicitly that “Do Not Sell” also applies to information shared between companies. Under the CCPA, many companies found loopholes in the law that allowed them to send data to service providers without treating it as a “sale of data” under the law. The updated provision also favors companies with a direct consumer relationship, while closing loopholes used by large internet companies such as Google and Facebook that collect most of their data as third parties. This could greatly inhibit the monetization capabilities of these companies and potentially other companies utilizing the online AdTech ecosystem.
If you want to learn more about the possible implications of the CPRA on the online advertising industry, and specifically AdTech, take a look at this analysis previously done for AdMonsters.
In addition to the rights granted to consumers, businesses have new obligations
The CPRA establishes an obligation of data protection by design and default. This is the GDPR (Art. 25) equivalent to “privacy by design” which requires companies to incorporate privacy and security measures into all aspects of their technology and systems.
In an effort to ensure that businesses are better managing and tracking how they maintain and use personal information, the CPRA will require the maintenance of records of processing activities. Companies need to find an adequate system to support audits, such as the Datawallet Compliance blockchain.
The California Privacy Protection Agency will be charged with requiring audits and risk assessment by businesses who undertake high-risk processing. High-impact data processors are processors whose processing presents significant risks to consumer privacy. The size and complexity of the business and the nature and scope of the processing will all be taken into account when determining whether a business is a high-risk processor.
The CPRA slightly changes who is considered a covered business that must comply with the regulation
To be a covered business under the CPRA, the business must (1) derive at least 50% of annual revenue from sharing or selling the personal information of California consumers, (2) have a gross revenue of over $25 million in the preceding year or (3) buy, sell or share the personal information of more than 100,000 California consumers and/or households. Raising the threshold from 50,000 under the CCPA aims at relieving small businesses of the compliance burden.
Enforcement and violation fines will also be expanded
The CPRA has tripled the fines for violations that affect the information of children below the age of 16, increasing protection for minors.
The private right of action for consumers has been expanded to cover breaches that involve access to an account through the combination of an email address and a password or a security question (and answer to the security question).
The CPRA also provides funding for and establishes a new Privacy Protection Agency. The California Privacy Protection Agency will take over from Attorney General Xavier Becerra’s office (which has limited bandwidth already) to enforce data privacy regulations, potentially already in 2021. This California Privacy Protection Agency will be the first agency in the United States that is solely dedicated to regulating data privacy.
The ballot initiative was met with both support and pushback
Numerous organizations have endorsed the CPRA, including the National Association for the Advancement of Colored People (NAACP), Consumer Watchdog and Common Sense Media, as well as various political figures and privacy experts. Alice Huffman, President of the NAACP, stated that "Prop. 24 [the CPRA] allows consumers to stop companies from using online racial profiling to discriminate against them." Complementary to Huffman’s statement, Carmen Balber, Executive Director of Consumer Watchdog, noted that the CPRA would allow consumers to limit the use of their personal information to prevent Uber from racially profiling them and prevent Facebook from using sensitive information (such as sexual orientation, health status or religion) in its algorithms.
Despite such endorsements, there has also been opposition to the privacy regulation. The American Civil Liberties Union (ACLU) has been one of the main opponents of the CPRA. The ACLU of Northern California argues that the privacy law “will undermine protections in current law and increase the burden on people to protect themselves — in ways that will disproportionately harm poor people and people of color.” The ACLU notes that the CPRA will allow companies to force consumers to manually opt out of the sale of their information separately on each website and that “requiring people to fill out forms to get privacy protection is an unacceptable burden for everyone, but especially for communities who are already struggling.” A default opt-out (or active consent to data processing) similar to the GDPR would definitely have been preferable in our opinion. In addition to these concerns, the ACLU also in the law. However, it appears that the concerns raised by the ACLU did not make enough of an impact to prevent Californians from voting “yes” on Proposition 24.
What should companies do now?
In preparation for these updated regulations, companies that handle consumer data, especially in the online ecosystem, should properly map and define what constitutes personal information and also understand which partners or third parties may have access to it. Given the more comprehensive definition of what is included under personal information and the inclusion of data sharing in the ‘Do Not Sell my Data’ provision, this may include the creation of additional data categories and use cases. Especially for players in the digital media ecosystem, which relies heavily on the sharing of data, it is pivotal to ensure that all third parties (such as AdTech vendors, analytics providers, platform providers, and more) used to process any data have gone through proper due diligence. Understanding the potential repercussions of consumers opting out of “cross-contextual behavioral advertising” and the hefty fines if companies are noncompliant will be important.
The obligations under the CPRA are slated to take force on January 1, 2023. Once in effect, it will apply to personal information collected by businesses on or after January 1, 2022. Businesses also must understand that this journey is far from over. The CPRA may very well set a precedent for provisions in other states as well as a future federal privacy law. Having a strong compliance partner to monitor these changes and automatically update the platform to reflect the changing status quo of data privacy regulations, in California and beyond, has become more pivotal than ever.
Datawallet is the world’s leading blockchain-based data privacy compliance platform. As the first company to champion the concept of Consumer First Compliance, we not only enable enterprises to comply with complex international data privacy regulations such as CCPA and SB-220 in the United States, GDPR in Europe, and POPIA in South Africa, but also provide the users of our clients the ability to fully understand their data and make informed decisions about its usage.
Need something tailor-made for your organization? Contact us at firstname.lastname@example.org.