On November 3, 2020, California voters approved what was commonly called Proposition 24 (“Prop 24”). Prop 24 was a ballot initiative intended to amend the California Consumer Privacy Act (“CCPA”). See full text here. Prop 24 was approved by more than 56% of the voters and will soon become law. Prop 24 will become effective on January 1, 2023. Here are some of the more important highlights of California’s amended privacy law:
Data “sharing” now covered by the “opt out” provisions
The CCPA regulates the sale, transfer and sharing of consumer personal information. In the 2018 CCPA, consumers were given the right to “opt out” of having their personal information “sold.” Prop 24 expands the right to “opt out” and now allows consumers to opt out of having their information shared. This new provision is aimed at requiring notice and consent for sharing of personal data that enables what is called “cross-context behavioral advertising.” In general, sharing personal information will be regulated in the same manner as the selling or transferring of personal information. Thus, for example, Prop 24 expands the coverage of the CCPA to businesses who generate a majority of their revenue from sharing personal information.
New category of data: “sensitive personal information”
Prop 24 adds a new category of personal data with heightened restrictions. The new category is called “sensitive personal information” and very broadly defined. Sensitive personal information includes any information or data that reveals a consumer’s:
- Social security, driver’s license, state identification card, or passport number;
- Account log-in and passcode information for financial accounts, debit or credit cards, or other financial accounts
- Precise geolocation
- Racial or ethnic origin, religious or philosophical beliefs, union membership, sex life or behavior, and sexual orientation
- The contents of mail, email and text messages, unless the business is the intended recipient
- Genetic data and biometric information and
- Health information
With respect to sensitive personal information, Prop 24 adds a new consumer right — the right to limit internal use by a business of such information and to limit disclosure of the information. These are distinct from the concept of selling, transferring or sharing such information.
Right to know expanded indefinitely
The CCPA gave consumers the “right to know” what personal information is collected, what the information is used for and with whom it is shared. Under the CCPA, the right to know extended backward for the previous 12 months. Prop 24 eliminated the 12-month limitation. Consumers now have a right to know what information has been collective indefinitely into the past.
Right to correct inaccurate information
Prop 24 gives consumers the right to have inaccurate information corrected. Businesses must now disclose this right along with the other notice requirements, and when requested, a business must “use commercially reasonable efforts” to correct the inaccurate personal information.
Expanded coverage and narrower coverage
Prop 24 has expanded the coverage of the CCPA to “businesses that control the collection” of personal information. Privacy advocates were concerned that businesses would use affiliates and subsidiary companies to evade the requirements of the CCPA. At the same time, Prop 24 offered some protection for smaller businesses by doubling the applicability threshold from 50,000 consumers/households to 100,000.
Limits on data collection
Prop 24 creates a new limitation on what data a business can collect, use, retain, sell, and share. Businesses shall not collect personal information unless said information “be reasonably necessary and proportionate to achieve the purposes for which the personal information was collected or processed, or for another disclosed purpose that is compatible with the context in which the personal information was collected, and not further processed In a manner that is incompatible with those purposes.”
Limits on changing business purpose
Prop 24 clarifies the CCPA with respect to the business purpose that is disclosed when personal information is collected. Businesses now are specifically prohibited from using personal information for a new business purpose without providing an additional
Limits on storage
Prop 24 now prohibits businesses from retaining personal information for longer than is “reasonably necessary.”
New enforcement agency
Prop 24 creates a new enforcement agency called the California Privacy Protection Agency with investigative power and the ability to issue regulations.
Cure period removed and penalties tripled for violations related to minors
Under the CCPA, businesses that committed violations had a 30-day cure period after notice before enforcement actions could be taken. Prop 24 removes the cure period. Prop 24 also increased the maximum penalty for each violation from $2,500 to $7,500 for CCPA violations concerning minors.
For more information, contact the data privacy lawyers at Revision Legal at 231-714-0100.