The ballot initiative, Proposition 24, has been passed¹ by voters in yesterday’s election.  What does this proposition entail and how does it impact the California Consumer Privacy Act (CCPA)?

What’s Covered in Proposition 24 - The California Privacy Rights Act (CPRA)

The CPRA, among other things, does the following:

• Revises the existing CCPA to expand consumer rights with respect to personal information and sensitive personal information;
• Creates a new agency responsible for enforcing the CPRA; and
• Increases penalties for violations related to the personal information of children under the age of 16.

As for additional consumer rights, the CPRA offers consumers the opportunity to request a correction of inaccurate personal information. In addition, a consumer may direct a company to “limit its use of the consumer's sensitive personal information” to a use that an average customer would expect.²

The CPRA also establishes the California Privacy Protection Agency to enforce any violations of the CPRA.  It appears that this may also include enforcement of consumer rights under the CCPA once the CPRA takes effect. These enforcement rights are currently vested with the Attorney General of California.  However, the CPRA creates a special fund, the Consumer Privacy Fund, for use to offset the costs of enforcement actions pursuant to the CCPA by both the California Privacy Protection Agency and the Attorney General.³ It is worth noting that the private right of action regarding data breaches set forth in the CCPA remains in place under the CPRA.

New Penalties Assigned

Penalties under the CPRA are tripled over the statutory amounts imposed by the CCPA for any violations related to children’s private information.  These penalties are increased to $7,500 for “violations involving the personal information of consumers whom the business, service provider, contractor or other person has actual knowledge is under 16 years of age”.⁴

The CPRA will become operative on January 1, 2023 and apply to personal information collected after January 1, 2022.  The CCPA remains in effect until the CPRA is enforceable.

Why Does This Matter For Businesses

• It is imperative that privacy regulation be addressed by California businesses.  Consumers have made it clear that the protection of their personal information matters and that businesses will pay dearly for failing to protect consumer information.
• Companies should already be in compliance with the CCPA.  Now is the time to quickly implement a compliance strategy if you are not already in compliance.
• Any current compliance plan should satisfy current CCPA requirements, at a minimum.  Depending on your organization, you may want to include CPRA requirements or incorporate flexibility into your plan to address these once the regulations take effect.
• The private right of action regarding data breaches in the CCPA cannot be ignored.  In the event of a breach, suits can be made by individual consumers.  And the Attorney General has been authorized to enforce CCPA actions since July 1^st of this year.

We Are Here To Help

Since the CCPA was first proposed, we have been analyzing and navigating privacy requirements for clients, and will continue to do so as privacy regulations are implemented. A one size fits one model is imperative for any CCPA compliance strategy to meet your business’ specific needs, including the flexibility to meet new regulations as they develop.  Contact us for additional guidance.

¹ See https://www.sfchronicle.com/politics/article/California-s-Proposition-24-which-would-expand-15699663.php
² See Proposed California Civil Code section 1798.121(a) under the CPRA.
³ See Proposed California Civil Code section 1798.160.
⁴ Proposed California Civil Code section 1798.155(b) under the CPRA.