In our first three posts on the CCPA, we discussed how its data privacy provisions might affect businesses and empower consumers, as well as the law’s implications on COVID-19 temperature checks. Although it has been a mere eleven months since the CCPA took effect, we already have a new law to evaluate. Buoyed by seven-figure support from San Francisco-based real estate developer Alastair Mactaggart and public concerns over businesses’ use of consumers’ personal information, voters passed the ballot initiative known as Proposition 24, the Consumer Personal Information Law and Agency Initiative, on November 3, 2020. In this post, we highlight some of Prop 24’s crucial changes to the CCPA.
Prop 24 altered the CCPA in five areas: (1) businesses that must comply with the consumer data laws, (2) consumers’ enhanced rights, (3) exemptions from the laws, (4) penalties for violating the laws, and (5) the creation of a new government agency.
Fewer Businesses Need to Comply
The CCPA of 2018 defined a “business” as those that either (a) earn over $25 million in annual revenue, (b) buy, sell, or share the personal information of 50,000 consumers, households, or devices, or (c) earn 50% of its annual revenue from selling consumers’ personal information. [i]
Prop 24 retained the substance of (a), but modified (b) and (c). As for (b), the new law includes only those businesses that buy, sell, or share the personal information of 100,000 consumers or households. [ii] This doubling of the overall number and the omission of devices that one consumer or household uses will likely limit how many businesses must comply. On the other hand, the new law modified (c) by including businesses that earn 50% of their annual revenue from selling or sharing consumers’ personal information, thereby capturing some businesses that rely heavily on the latter practice.
New Consumer Rights Will Increase Businesses’ Compliance Workloads
Under the CCPA of 2018, consumers had certain rights to disclosure, to deletion, to opt out, and to be free from discrimination. Prop 24 has added rights that increase the proactive burden on businesses. For instance, Prop 24 includes a new term requiring special protection—sensitive personal information—which includes social security numbers, account log-ins, passwords, and other private information that is not de-identified. [iii] Businesses must now affirmatively disclose to consumers if they collect such information, which goes beyond the reactive opt-out approach of the CCPA. [iv]
Prop 24 also requires businesses to get permission from consumers under the age of 16 before selling or sharing their personal information, [v] whereas the CCPA had lumped those under 16 years old into the same opt-out provisions as adults.
In addition to the CCPA’s right to delete personal information, consumers will now be able to demand that businesses correct inaccurate personal information. [vi] Businesses have 45 days to comply with the demand, which is the same timeline as for other consumer requests under the CCPA. [vii]
Another subtle distinction is Prop 24’s prohibition against the selling or sharing of consumers’ personal information upon their request. The CCPA had only included the sale of such information. [viii] This could have large ramifications for businesses that rely on leverage created through the sharing of personal information with third parties, rather than its sale.
The List of Exemptions Has Grown
Important to businesses’ roles as employers are certain moratoria that Prop 24 carves out of its compliance requirements. Each of these exemptions goes into effect immediately and sunsets on January 1, 2023. First, the entire title is inapplicable to employees’ personal information that businesses use within the context of employment (e.g. background checks, emergency contacts, job benefits). [ix] Second, most of Prop 24’s communications provisions that empower consumers do not apply to employees, including the rights to have personal information deleted or corrected, the rights to know what personal information is collected, sold, or shared, and the rights to limit the use and disclosure of sensitive personal information. [x] That being said, employers are still required to provide their employees with notice at the point of collection, and employees still have data breach protections and rights of action related to data breaches. [xi]
Prop 24 also significantly lengthens the number and types of activities that are exempted from existing data privacy provisions. Some of these exclusions will allow businesses to use consumers’ personal information in ways they could not under the CCPA. For instance, businesses can sell or share consumers’ personal information if the collection and subsequent transaction takes place outside California. Moreover, businesses can store that information while consumers are in California, then collect and use it once consumers and their devices are outside California. [xii]
Other new exemptions apply to business interactions with law enforcement, the use of vehicle information, requirements of education agencies, and limited emergencies.
Penalties Are Increased and Harder to Avoid
Penalties under the CCPA of 2018 were somewhat onerous, but they were at least limited and businesses could generally avoid them through corrective action. Prop 24 tightens the noose. The existing penalties of $2,500 per violation and $7,500 per intentional violation remain. However, Prop 24 levies a $7,500 fine whenever a business violates a provision and has actual knowledge that the consumer is under 16 years old. [xiii] Perhaps more important is that Prop 24 eliminates businesses’ escape hatch of curing the violation within 30 days of being notified of noncompliance.
Get Ready To Deal with a New Government Agency
Under the CCPA of 2018, the Department of Justice (DOJ) was responsible for crafting regulations, investigating complaints, and imposing penalties. Prop 24 creates the California Privacy Protection Agency (CPPA). [xiv] Governed by a 5-member board, the CPPA will take over most of DOJ’s current responsibilities. The CPPA should stand up by March 2021 and assume rulemaking responsibilities by July 2021. [xv] Businesses governed by Prop 24 can likely expect the stability of detailed rules, but also the toil and expense of figuring out how to navigate an unfamiliar bureaucracy.
Prop 24’s new provisions are lengthy and nuanced. They arrive on the heels of the CCPA, which has only been in effect since January 1, 2020, and has yet to be widely understood. There are bound to be some growing pains as businesses learn the rules and wait for regulations to hopefully clarify the new laws.
The key to success will be taking a proactive approach, including establishing a compliance plan for the CCPA and Prop 24, the Consumer Personal Information Law and Agency Initiative.
[i] (Cal. Civ. Code, § 1798.140(c).)
[ii] (Cal. Civ. Code, § 1798.140(d) [proposed amendment].)
[iii] (Cal. Civ. Code, § 1798.140(ae) [proposed amendment].)
[iv] (Cal. Civ. Code, § 1798.121 [proposed amendment].)
[v] (Cal. Civ. Code, § 1798.135(c)(5) [proposed amendment].)
[vi] (Cal. Civ. Code, § 1798.106 [proposed amendment].)
[vii] (Cal. Civ. Code, § 1798.130(a).)
[viii] (Cal. Civ. Code, § 1798.120.)
[ix] (Cal. Civ. Code, § 1798.145(m) [proposed amendment].)
[x] (Cal. Civ. Code, § 1798.145(n) [proposed amendment].)
[xi] (Cal. Civ. Code, §§ 1798.100 and 1798.150 [proposed amendments].)
[xii] (Cal. Civ. Code, § 1798.145(a)(7) [proposed amendment].)
[xiii] (Cal. Civ. Code, § 1798.155(a) [proposed amendment].)
[xiv] (Cal. Civ. Code, § 1798.199.10 et seq. [proposed amendment].)
[xv] (Cal. Civ. Code, §§ 1798.199.10 and 1798.199.40 [proposed amendments].)