Six Key Things to Know About the Recently Passed Prop 24 (CPRA)
By Procopio Partner and Privacy and Cybersecurity Practice Group Co-Leader Frederick K. Taylor
While this election cycle is most notable for what was at the top of the ballot, there are some significant changes coming to the privacy landscape for Californians. The California Privacy Rights Act passed this week, although most of its provisions will not go into effect until January 1, 2023. Now that it’s passed, we have new privacy provisions that work in conjunction with the existing California Consumer Privacy Act (CCPA).
Here is a quick look at six of the significant provisions in the new law:
- New Definitions:
  - Sensitive Personal Data. Creates significant new obligations for those processing sensitive data. The definition of sensitive personal data is broad and includes government identifiers, account and login information, precise geolocation data, racial or ethnic origin, religious or philosophical beliefs, union membership, contents of mail, email and text messages, genetic data, and certain sexual orientation, health and biometric information.
  - Data Breach Liability. Expands the private right of action for breaches to add unauthorized access or disclosure of an email address and password or security question that would permit access to an account.
  - Profiling. Creates new access and opt-out rights related to automated decision-making and profiling.
- Extends Exemptions. Effective now, CCPA employee data and business-to-business exemptions are extended until January 1, 2023.
- Expands consumer rights. Consumers will have, among others, the right to correct inaccurate personal information, to opt out of the sharing of personal information with a third party for cross-context behavioral advertising (i.e., targeted advertising), to limit the use and disclosure of sensitive personal information, and to opt out of advertisers using precise geolocation. This could significantly affect third-party adtech cookie collection and sharing. Companies may need to provide links that state “Do Not Sell or Share My Personal Information” and “Limit the Use of My Sensitive Personal Information” to facilitate the new rights.
- Increases accountability in the use of third parties. If a company sells or shares consumer data with a third party it must contractually obligate that third party to limit data use and comply with the CCPA/CPRA. Companies will also have the ability to take reasonable steps to ensure compliance.
- Creates an enforcement arm, the California Privacy Protection Agency. This would be the first agency in the country solely dedicated to enforcement of privacy rights. It will assume the rule-making and enforcement duties currently held by the California Attorney General, but with significantly more budget.
- Requires high-risk companies to perform audits and risk assessments. Companies whose data processing presents a significant risk to consumers’ privacy or security will be required to perform annual cybersecurity audits and risk assessments. Risk assessments may need to be submitted to the new Privacy Protection Agency.