Last week, California voters passed Proposition 24, the California Privacy Rights and Enforcement Act (CPRA). The CPRA expands the existing online consumer privacy protections of the California Consumer Privacy Act (CCPA) that went into effect this year and clarifies some of its ambiguities.
Here’s what you need to know about CPRA, Proposition 24:
Effective date is January 1, 2023.
The CPRA becomes effective at the beginning of 2023, so there’s plenty of time to prepare. Once in effect, it does apply to data dating back to January 1, 2022 and beyond.
Do not sell OR SHARE.
The CCPA allowed consumers to opt out of allowing businesses to sell their data. However, some organizations argued that they weren’t selling data as defined by the CCPA—so they didn’t have to pay attention to the law.
The CPRA fixes this by specifically calling out sharing of data for “cross-context behavioral advertising.” Consumers can now opt for their data to not be sold or shared. Sellers must “prominently and conspicuously” display the ability to opt out of both selling and sharing on their homepage.
Extension for B2B and employee exceptions.
During the 2019 legislative session, the California Assembly passed amendments to exempt B2B and employee data from the law. Those exceptions were set to expire on January 1, 2021, but the CPRA extends these exceptions for two more years. During this time, the State Assembly will be studying the issue and taking steps to determine whether to include or exclude this data from the CPRA. The European Union’s General Data Protection Regulation includes these types of data. If the Assembly decides to move toward a GDPR-like law, it’s very possible that in two years you’ll have to consider employee and B2B data to be CPRA compliant.
Creates a new enforcement agency.
One of the most important components of the CPRA is the creation of the California Privacy Protection Agency, dedicated to enforcing the new privacy regulations. The agency has the power to fine businesses $2,500 for each violation of the CPRA, or $7,500 for what it deems ‘intentional violations,’ and those violations that involve minors.
Where the CCPA left enforcement to the Attorney General, who had neither time nor budget for enforcement, the creation of a dedicated agency ups the game significantly. It demonstrates a new level of commitment and seriousness with which the State is taking privacy.
Adds an explicit data security requirement.
Where the CCPA did not expressly require businesses to maintain reasonable safeguards to protect personal information, the CPRA expressly requires businesses to implement reasonable security procedures and practices to protect personal information from unauthorized or illegal access, destruction, use, modification, or disclosure in accordance with Cal. Civ. Code 1798.81.5.
Get CPRA Ready.
There’s more to the CPRA, of course, and you’ll want to consult your privacy attorney or privacy team. If you’re interested in getting your data compliance and security ready for CPRA, let’s talk.
Watch this on-demand webinar to learn why Truebill decided to buy vs. build so they would never touch sensitive PII data and how it has streamlined their operations.