California Consumer Privacy Act: 3 Implications of Proposition 24

On January 1, 2023, the California Privacy Rights Act (CPRA) of 2020 went into effect. Passed by a majority of voters as Ballot Proposition 24, the CPRA expands the personal data protections of California’s 2018 Consumer Privacy Act (CCPA) and creates a new state agency, the California Privacy Protection Agency, to investigate violations and assess penalties.

To avoid fines, businesses operating in the U.S. or handling the customer data of California residents should familiarize themselves with the legal obligations created by these laws. 

What is the California Consumer Privacy Act (CCPA)?

In 2018, the CCPA put into place the first internet-era consumer data privacy regulations in the U.S. Drawing extensively on the data trafficking restrictions of the E.U.’s General Data Protection Regulation (GDPR), the government of California defined consumer rights concerning the use and sale of personal data collected by businesses. 

Specifically, the CCPA stipulates that businesses must disclose what kinds of personal information they capture and store, such as names, addresses, contact information, and purchase histories. Additionally, businesses must honor any consumer requests to delete their personal information or opt out of data sales to third parties.

In its original formulation, the CCPA granted violating businesses 30 days from the time of official notification to comply before initiating any punitive actions, and its restrictions applied only to companies that sell consumer data to third-party buyers. 

What Changed: Implications of the CPRA

The CPRA enhances the existing consumer protections and business obligations of the CCPA. The newly enacted changes fall into three categories.

1. Businesses Affected

The CPRA expands the scope of regulated businesses. Under Proposition 24, organizations must now comply if they:

• Generate at least 50% of their reported annual revenue from the sale of California consumer data to third parties or from sharing data with aggregator services (the CCPA previously applied only to data sales)
• Process or store the personal data of more than 100,000 California households or individual residents 
• Earned at least $25 million in gross revenue during the previous tax year

As granting service providers such as cloud hosting and computing platforms access to consumer data constitutes data sharing, the CPRA effectively brings most businesses with modern cloud IT architectures under its umbrella.

2. Resident Rights

Although the CCPA established resident rights to know what kinds of data businesses collect and to opt out of data sales, the act’s original definition of personal information contained many loopholes and its specified resident rights did not include any process to amend incorrect data. 

To correct this oversight, the CPRA creates new resident rights and a new category of personal information. The act’s new resident rights afford consumers the ability to correct errors in their personal data, request disclosures and terms of service regarding any automated decision-making technology applied to their data, and place restrictions on the use of a new data type called sensitive personal information (SPI).

Under the CPRA, SPI comprises personal information that potentially enables discrimination or crimes such as identity fraud. Examples of SPI include:

• Social security numbers
• Passport numbers
• State ID numbers
• Precise geolocations
• Unique biometric data
• Contents of personal communications such as emails and texts
• Race or ethnicity
• Sexual orientation
• Genetic information

Presently, these rights and protections apply only to consumer data, but they will also apply to employee data and business-to-business communications after an initial grace period.

3. Business Obligations Under the CPRA

For businesses, compliance with the CPRA’s new regulations will require several proactive steps and the maintenance of guarantees to customers. There are four important steps businesses must take on their own:

• If a business sells or shares personal data, its website and mobile apps must include a directly linked form entitled “Do Not Sell or Share My Personal Information”
• If a business captures or handles SPI, its website and mobile apps must display a link entitled “Limit the Use of My Sensitive Personal Information”
• Beginning with data collected after January 1, 2022, information disclosed in right-to-know requests must be comprehensive – previously, the CCPA only required disclosure for the last 12 months
• Businesses that sell information or handle SPI must establish risk-based controls and information security policies that include the use of encryption and multifactor authentication

Additionally, businesses must be able to demonstrate that their policies guarantee consumers’ rights concerning their personal data. Among these are the right to:

• Opt-out of data selling or sharing
• Know precisely what kinds of data businesses collect
• Delete or correct data
• Non-discrimination based on SPI

CPRA-Compliant File Sharing with FileInvite

Businesses that collect personal information from clients can jumpstart their compliance efforts for the CPRA with FileInvite’s secure file-sharing and document portal platform. With SOC 2 Type 2 compliance and 256-bit end-to-end encryption for data in transit and at rest, FileInvite meets the information security standards of both the CPRA and the GDPR and helps businesses replace insecure, outmoded file-sharing methods such as email.

To learn more and request a demo, visit FileInvite today.

Related Posts:

• Which types of financial institutions are exempt from the updated FTC Safeguards Rule?
• PII vs. NPI: A guide to types of sensitive consumer data
• Are electronic signatures legally binding?