California voters pass Proposition 24, approving the California Privacy Rights Act
On 3 November 2020, California voters approved Proposition 24, otherwise known as the California Privacy Rights Act (CPRA). Most of the new law's provisions come into effect on 1 January 2023 and will significantly augment the privacy provisions of the 2018 California Consumer Privacy Act (CCPA). Once implemented, the CPRA will bring California privacy regulation even closer to the standards of the EU General Data Protection Regulation (GDPR). Below are some of the major features and updates organisations should keep in mind.
New category of “sensitive personal information”
The CPRA creates a new category of personal information called “sensitive personal information.” It includes Social Security Numbers, driver's licence numbers, passport numbers, financial account information, precise geolocation, racial or ethnic origin, religious beliefs, union membership, the contents of personal communications, genetic data, biometric or health information, and information about sex life or sexual orientation.
Under the CPRA, consumers will have the right to direct a covered organisation to limit its use of their “sensitive personal information” to what is “necessary to perform the services or provide the goods reasonably expected by an average consumer who requests such goods or services.” Organisations that use sensitive personal information beyond that purpose must therefore be prepared to honour such a request.
Additional obligations around service providers, third parties, and contractors
To clarify the scope of obligations, the CPRA modifies the definitions of third party and service provider and introduces the category of contractor.
- Under the CPRA, a service provider is a person or entity that “processes personal information on behalf of a business” and receives such information from or on behalf of that business by way of a written contract.
- Service providers must notify businesses when they engage subcontractors to process the personal information.
- A contractor is a person or entity to whom an organisation provides a consumer’s personal information for a business purpose according to a written contract.
- The CPRA makes these agreements mandatory and requires the inclusion of certain provisions, such as limiting use to specified purposes.
- A third party is an entity other than a service provider, contractor, or the business the consumer intentionally interacts with.
- Businesses must have agreements in place with third parties. Such agreements must contain provisions that obligate third parties, among other obligations, to comply with the CPRA and “provide the same level of privacy protection as” is required of them under this law.
New agency, the California Privacy Protection Agency, to develop regulations and enforce the law
The CPRA will also create the California Privacy Protection Agency (CPPA). The five-member board will have authority to adopt regulations on a range of issues, including updating definitions of key terms and requiring regular cybersecurity audits and risk assessments from organisations whose processing presents significant risk. The CPPA will be an independent watchdog and the first agency in the United States dedicated to consumer data privacy.
Under the CPRA, an entity doing business in California will be able to voluntarily certify to the CPPA that it is in compliance with and agrees to be bound by the CPRA.
Right to correct information
The CCPA currently does not include an explicit requirement for businesses to honour a consumer's request for correction. Under the CPRA, consumers will have the right to correct inaccurate personal information. Upon receiving a verifiable consumer request, businesses must use “commercially reasonable efforts” to correct the personal information, in the same way they already respond to consumer requests for access to or deletion of personal information.
Right to opt out of cross-context behavioural advertising
The CPRA expands the existing right under the CCPA to opt out of the sale of consumers' personal information. Under the CPRA, consumers have the further right to opt out of the sharing of their personal information for cross-context behavioural advertising purposes, whether or not money changes hands. This will have a dramatic effect on the ad tech industry.
The new term, “cross-context behavioural advertising”, is defined as advertising targeted to a consumer based on personal information obtained from the consumer's activities across businesses, distinctly-branded websites, applications and services, with the exception of activities on the business, website, application or service with which the consumer intentionally interacts.
In practice, organisations that sell or share personal information will need to provide a privacy notice to consumers together with a clearly labelled “Do Not Sell or Share My Personal Information” link, and organisations that use sensitive personal information beyond the permitted purposes will need a “Limit the Use of My Sensitive Personal Information” link. The CPRA allows both to be combined into a single link that leads to both choices.
Enhanced liability for children’s privacy
The CPRA will triple the CCPA's maximum fine for violations involving the personal information of minors under 16 years of age, from $2,500 to $7,500 per violation, regardless of whether the violation was intentional.
Right to deletion
Pursuant to the CPRA, organisations will be required to pass along valid consumer deletion requests to the service providers, contractors and third parties with whom the organisation has shared or sold the information. Such service providers, contractors and third parties must in turn pass on the deletion requests in certain circumstances, including to their own subcontractors when necessary.
Extended right to know
Currently, the CCPA requires organisations to disclose the data collected on a consumer over the 12 months prior to receiving a “request to know.” The CPRA will allow a consumer to make a request to know that reaches beyond the CCPA's 12-month look-back period for personal information collected on or after 1 January 2022, as long as doing so does not prove “impossible” or “involve a disproportionate effort” for the organisation.
As businesses adjust their data privacy compliance strategies to the new feature updates of the CPRA, HewardMills is positioned to assist your business with your data protection needs. Our experts are on hand to make sure you are CPRA compliant, saving time, money and unnecessary fines or legal action.
Additional blog contributions: Claudia Chan, data protection and privacy consultant