California has again brought changes to US privacy laws, with effects for businesses both within and outside of California. On November 3, 2020, California voters passed Prop 24 to amend the California Consumer Privacy Act of 2018 (CCPA) to expand consumer privacy rights and impose updated or entirely new requirements on businesses that interact with California residents. As a result, businesses subject to CCPA should review and update their policies and practices, in some cases not long after their most recent round of updates, for compliance with the changes brought by Prop 24.
The CCPA is the nation’s first comprehensive consumer privacy law. It became law on the heels of the European Union’s General Data Protection Regulation (GDPR) and, in its current form, shares several key characteristics with its European predecessor. The CCPA places notice requirements and limitations on the collection, processing, and disclosure of California residents’ personal information by businesses, and empowers California residents to exercise certain rights over their personal information held by those businesses.
In terms of applicability, the CCPA has long arms. Any business that does business in California and (a) has an annual gross revenue in excess of $25 million, (b) buys, sells, or shares personal information of 50,000 or more consumers, households or devices, or (c) derives 50% of annual revenues from selling or sharing personal information is likely subject to the CCPA. The reach of the law’s applicability and California’s status as a major segment of the US economy and a legislative trailblazer mean the CCPA’s influence over US businesses cannot be overstated.
Prop 24 Key Amendments
Prop 24 amends the CCPA’s core provisions relating to consumer notice, consumer privacy rights, and business obligations to safeguard consumer personal information and manage relationships with service providers and other entities. Key changes include:
- Adds the right to correct inaccurate personal information held by a business.
- Adds the right to limit use or sharing of sensitive personal information (e.g., health, race and ethnicity, sexual orientation, precise geolocation). Upon request, the business must not only stop selling or sharing sensitive personal information, but also limit any internal uses of such information and notify its service providers to comply with the request.
- Expands the right to access all categories of personal information collected over the previous 12 months, “unless doing so proves impossible or would involve a disproportionate effort.”
- Expands the right to opt out to include an opt-out of data “sharing” and provides two acceptable methods for businesses to comply.
- Adds protections for sensitive personal information, including specific notice of whether sensitive personal information is collected, how it is used, for what purpose, whether it is sold or shared, and how long the business retains the sensitive personal information.
- Clarifies the role of service providers and their legal obligations to consumers.
- Establishes standards for collecting consent and when consent is required to permit a business to engage in certain practices.
- Imposes a general obligation on businesses to only use, retain, and share personal information as “reasonably necessary and proportionate” to achieve the permitted purpose.
- Clarifies and expands business obligations to receive and respond to consumer requests to exercise their privacy rights, and exceptions and limitations on those obligations.
Next Steps for Businesses
Companies doing business in California will need to update their notices and practices to accommodate Prop 24 amendments and, if they haven’t already, establish a privacy program in compliance with the CCPA. While the exact path to compliance will differ from one business to the next, businesses can expect to take the following steps to meet these new standards:
- Update privacy policies and other notices to include added and expanded consumer rights and explanations of new legal standards.
- Adjust processes to receive and respond to consumer privacy requests to include Prop 24’s added and expanded privacy rights.
- For service providers, update notices and instructions to consumers to exercise their privacy rights.
- Provide legally acceptable methods for consumers to exercise their rights under Do Not Sell or Share My Personal Information and Limit Use of My Sensitive Personal Information.
- Ensure no sale or sharing of personal information from children under age 16 without legally required consent.
- Analyze data security and retention practices to ensure compliance with heightened CCPA standards.
- Update contract review due diligence to ensure that written agreements with service providers, contractors, and third parties comply with statutory requirements.
Prop 24 amendments are effective January 1, 2023, with a 12-month lookback. This means that companies will need to address these action items no later than December 31, 2021. Companies with questions about the CCPA, Prop 24 or general consumer privacy matters are welcome to reach out for guidance and additional resources.
Please contact Immix Law Group with any questions regarding this law and its effect on your business.