Insights
Publications

Proposition 24: California’s Ever-Evolving Privacy Landscape

October 28, 2020 Blog

Next Tuesday is election day, and this year, California voters are deciding whether to support another statewide privacy initiative – the California Privacy Rights Act (CPRA) (Proposition 24). 

This measure would expand on the California Consumer Privacy Act (CCPA), which went into effect earlier this year, in several important ways, including (among others):

  1. It would create a state administrative agency – the first of its kind in the country – which would be responsible for implementing the CCPA (implementation of which is currently overseen primarily by the California Attorney General). The California Privacy Protection Agency could levy administrative fines of up to $2,500 per violation of the act, or up to $7,500 for each intentional violation, or violation involving a minor. It would also obtain the rulemaking authority that is currently granted to the Attorney General’s office, under the CCPA.
  2. Like the GDPR, the CPRA would create protections for “sensitive personal information,” in addition to those provided for “personal information” under the CCPA. The measure would establish notice requirements related to the use of this “sensitive” information, and consumers would be given the right to limit its processing. Information in this category would include social security, driver’s license, passport, and financial account data; geolocation data; information about race, ethnicity, or religion; contents of personal communications; biometric, genetic, or health data; genetic data; information about sexual orientation; and other items. The CPRA would allow users to opt out of the sale or sharing of such information (in contrast with the GDPR, which requires users to opt in), and to direct companies to use sensitive personal information only for the express purpose for which it was collected. 
  3. It would restrict sharing, not just selling of personal data. The measure defines “sharing” personal information as disclosing it to a third party for “cross-context behavioral advertising,” which is the practice of creating a consumer profile based on data collected across multiple platforms, in order to target advertising.[1] It would also restrict the use of artificial intelligence or programmed logic to analyze personal data, by allowing people to opt out of automated processing of their personal information to evaluate or make predictions about their professional performance, economic situation, health, preferences, interests, reliability, behavior, location or movements. The CPRA also empowers consumers to request meaningful information about the logic used in automated decision-making processes.
  4. It would allow consumers more control over their data, granting them the right to correct it, delete it, or limit its use, and to prevent companies from collecting more data than necessary, or storing it for longer than required. It also would make such data portable, so that consumers could request that one company share their data with another – even a competitor.
  5. It would increase protections for children’s data. Fines for violations of the act would be three times higher when the business has knowledge that the consumer is under 16 years old. It also would require that individuals under 16 “opt in,” before a business sells or shares their personal data.
  6. It would expand the private right of action. While the CCPA currently allows private action for breaches of unencrypted, unredacted personal information, the CPRA would also grant a right of action where an email address and password or security question would permit access to an account, and that information is disclosed or otherwise accessed due to a business’ failure to maintain reasonable security procedures and practices.
  7. It would modify the group of businesses subject to the CCPA. Specifically, the CCPA currently applies to all businesses that (a) have gross annual revenues greater than $25 million, (b) buy, receive, or sell the personal information of 50,000 or more consumers, or (c) derive 50% or more annual revenue from selling consumers’ personal information. Under the CPRA, these thresholds would change, so that businesses would only be subject if they (a) have $25 million in gross annual revenues, (b) buy, sell or share personal information of 100,000 or more consumers or households, or (c) derive at least 50% of their annual revenue from selling or sharing consumers’ personal information. The statute would also apply to third party “service providers” who contract to process personal information on behalf of a company subject to the CCPA, even if the service providers themselves would not otherwise fall under its ambit.
  8. It would extend the CCPA’s exemptions for employment and business-to-business data until January 1, 2023. These exemptions – which largely exclude individuals’ data from CCPA protections if the individuals are in an employment relationship with the data holder, or if their personal information was obtained while they were acting on behalf of a business – have already been extended once, and are currently set to expire on January 1, 2022. The CPRA would therefore allow an extra year, before these types of data become subject to the law.

Importantly, unlike the CCPA, which was put into place by the state legislature, Proposition 24 would be implemented by California voters, and would therefore be subject to additional constitutional protections. Specifically, the California State Constitution states that an initiative approved by the voters may not be amended or repealed by the legislature without first obtaining direct voter approval. Cal. Const., Art. II, §10. Indeed, restricting lawmakers’ ability to remove or reduce the initiative’s privacy protections was a major impetus for its placement on the ballot. Thus, unlike the CCPA, this measure would supersede any potentially conflicting legislation going forward and would be very difficult to limit or repeal. This would be compounded by the language of the initiative itself, which requires that any amendments that legislators do implement be “consistent with and further the purpose and intent of [the CPRA].”

Notably, the CPRA would not go into effect until January 2023.[2] However, if passes (which it is likely to do), companies would be wise to start making plans early regarding how they will comply.


[1] This could affect advertisers’ ability to use Google Ads, or other cookie-based advertising algorithms to determine ad placement.

[2] Given that the CCPA has already gone into effect, businesses that transact personal information of between 50-100,000 consumers will likely need to continue complying with its requirements in the intervening period, until contrary guidance is issued by the Attorney General’s office.

Firm Highlights

Publication

Zoom Successfully Addresses New York’s Privacy and Security Concerns

A few weeks ago on this blog, we addressed some of the legal issues that have arisen for Zoom , as it becomes a significant part of American daily life during the COVID-19 pandemic. ...

Read More
Publication

How Antitrust and Unfair Competition Laws Affect Platform Providers’ Relationships With ISVs, API Developers, and Scrapers

A wide variety of business and consumer platforms host mutually beneficial ecosystems. But these ecosystems are also fraught with antitrust risk that arises when platforms try to terminate or modify the terms of third-party...

Read More
Publication

Reopening Plans and Recommended Protocols Beg New Privacy Issues

While far from getting us back to any kind of normal that predated the COVID-19 pandemic, states have begun to relax lockdown requirements and some previously closed “nonessential” businesses are returning to operations. With...

Read More
Publication

A Roadmap to Litigating Privacy Claims? A Look at a Recent Order From the Google Assistant Privacy Litigation

As privacy-related litigation continues to heat up, Judge Beth Freeman (ND Cal.) recently laid out in In re Google Assistant Privacy Litigation (Case No. 19-cv-04286) [1] a potential roadmap for surviving or winning a...

Read More
Publication

Three Steps Licensees Can Take to Protect Their IP Rights in Bankruptcy

During periods of widespread economic disruption such as the present, operating businesses must be able to identify and respond to threats to the financial health of their contracting counterparts in order to protect key...

Read More
News

Prop. 24 Passes: What Companies Need To Know About the New Privacy Law

Nate Garhart spoke to the San Francisco Business Times on the steps companies can take to prepare for the California Privacy Rights Act (CPRA). He noted that if the CPRA applies to your business, then...

Read More
Publication

Privacy During Bankruptcy Proceedings: Why It Matters

During these particularly trying times resulting from the COVID-19 pandemic, businesses of all sizes have been concerned about the future. As a result, considering potential liquidation or restructuring through bankruptcy is inevitably starting to...

Read More
Publication

Reopening Businesses Must Consider Employee and Consumer Privacy

While we’re far from returning to the “normal” that predated the COVID-19 pandemic, states have begun to relax lockdown requirements and some previously “nonessential” businesses are returning to operations. Along with these openings, governmental...

Read More
Publication

Twists in the Plot: California AG Releases Final CCPA Regulations

With a little time to consider the  finalized California Consumer Privacy Act regulations  released by the California Attorney General on August 14, 2020, it is clear that some last-minute negotiations (or perhaps just some...

Read More
Publication

Electric Fence: Protecting Proprietary Rights in Collected Energy Data

Like companies in other industries, a growing number of modern energy-related companies are focusing their efforts on data collection and analysis. For example, Enphase – an energy technology company – regularly tracks data about how...

Read More