Proposition 24 (California Privacy Rights Act)—passed by more than 56% of voters in November—will replace and build upon the California Consumer Privacy Act (CCPA). The new law will take full effect in 2023 with individual rights (and accompanying covered business requirements) granted by the CCPA remaining during the transition.
Right to Correct Inaccurate Information
When people exercise the right to access information and the information provided is inaccurate, they can request the business correct that information. The business is then required to use commercially reasonable efforts to correct that information if it receives a verifiable consumer request (some exceptions apply).
Right to Have Personal Information Collected Subject to Data Minimization and Purpose Limitations
Businesses are required to minimize use, retention and sharing of personal information to what is reasonably necessary and proportionate to achieve the purposes for which the information was collected.
Right to Receive Notice from Businesses Planning on Using Sensitive Personal Information and Ask Them to Stop
Businesses are required to give people special notice if they plan to collect or use any sensitive personal information, and a person can ask businesses to stop selling, sharing and using it. This type of information includes
- information revealing a social security, driver’s license, state ID card or passport number
- account log-in, financial account, debit card or credit card number in combination with the access code, password or credentials to them
- precise geolocation
- racial or ethnic origin, religious or philosophical beliefs, or union membership
- contents of mail, email and text messages
- genetic data
- biometric information for the purpose of identifying someone
- information collected and analyzed concerning a person’s health, sex life or sexual orientation
Right to Access Information
Building upon the CCPA right to request access to the personal information a business has collected about a person in the preceding 12-month period, the California Privacy Rights Act expands this to include any information collected—regardless of when it was collected—unless doing so proves impossible or would involve a disproportionate effort.
Right to Opt Out of Sharing Information with Third Parties
The California Privacy Rights Act clarifies that people can opt out of both the sale and sharing of their personal information to third parties. This was a point of contention under the CCPA where the definition of sell does not explicitly include sharing.
Right to Sue Businesses When They Expose Usernames and Passwords
The CCPA gave people the right to sue a business directly when it exposes their personal information through a data breach resulting from a failure to use reasonable security measures. The California Privacy Rights Act expands this to cover data breaches where the personal information that was exposed includes a username and password.
Creation of a New Agency
This new law creates a new dedicated privacy agency, the California Privacy Protection Agency, to handle enforcement. It will be governed by a five-member board appointed by the Governor (appointing the Chair and one other member), the Attorney General, the Senate Rules Committee and the Speaker of the Assembly. These appointees must have expertise in the areas of privacy, technology and consumer rights (with some restrictions to help ensure that they remain free from external influence).
Board members cannot serve for more than eight consecutive years and may be removed during that time by their appointing authority. For two years after they leave the agency, they are also unable to work for any person or organization that currently has an issue before it or was subject to an enforcement action during the five-year period preceding the board member’s appointment.
Headed by a board-appointed executive director, this agency will be partially funded by enforcement actions with any administrative fines assessed or settlement proceeds going directly into the Consumer Privacy Fund. It will also receive an annual $10,000,000 (adjusted annually) from the General Fund.
Enforcement of Current Law
Until January 2023, the California Attorney General’s office will continue to enforce the CCPA. During this time, people can still sue businesses that expose their personal information in a data breach, but will not be able to sue for the exposure of usernames and passwords until January 1, 2023.
Creation of the California Privacy Protection Agency
Funding and establishment of the new agency could begin as early as this month, but will happen within 90 days following the effective date of the act (five days after the Secretary of State officially files the election results).
The earliest the new California Privacy Protection Agency can begin exercising its rulemaking authority is July 1, 2021 or six months after it provides notice to the Attorney General that it is prepared to begin rulemaking. Final regulations should be prepared by July 1, 2022.