Welcome the “California Privacy Rights Act” (and its triple fines)
On November 3, 2020, Californians solidified their support of privacy rights by voting Proposition 24, now known as the California Privacy Rights Act (“CPRA”), into law. Expanding California’s Consumer Privacy Act from 2018, the CPRA will establish a Privacy Protection Agency within the state to implement the new regulations and police the non-compliant.
Generally, the CPRA becomes effective January 1, 2023. However, California residents are granted greater access rights to data as early as January 1, 2022. As the fifth largest economy in the world, California acting as the first state to establish a privacy protection agency and a collective privacy protection law will continue to greatly impact the use, collection, and administration of personal information in the U.S. and the world.
Similar to the European Union’s General Data Protection Regulation, the CPRA creates a category of “sensitive” information and requires “reasonable” cybersecurity measures. Below are certain highlights from the new law:
Fines for intentional violations of the CCPA involving the personal information of an individual known to be under 16 years old increased to $7,500.
Consumers can demand more than 1 year’s worth of data collected about them for review (sometimes referred to as the look-back period).
The CPRA introduces a new right for California residents to demand that a business correct inaccurate personal data it holds about them.
The CPRA would establish a new category of “sensitive personal information,” carrying additional rights. “Sensitive personal information” is defined as “personal information that reveals a consumer’s social security, driver’s license, state identification card, or passport number; a consumer’s account log-in, financial account, debit card, or credit card number in combination with any required security or access code, password, or credentials allowing access to an account; a consumer’s precise geolocation; a consumer’s racial or ethnic origin, religious or philosophical beliefs, or union membership; the contents of a consumer’s mail, email and text messages, unless the business is the intended recipient of the communication; a consumer’s genetic data; and the processing of biometric information for the purpose of uniquely identifying a consumer; personal information collected and analyzed concerning a consumer’s health; or personal information collected and analyzed concerning a consumer’s sex life or sexual orientation.” It exempts information that is publicly available.
Again amending the CCPA, the CPRA provides that breaches resulting in the compromise of a consumer’s email address in combination with a password or answer to a security question permitting access to the consumer’s account are subject to the liability provisions of the CCPA. And the CPRA permits private lawsuits for data breaches caused by a company’s failure to use reasonable cybersecurity measures.
The CPRA requires businesses to disclose in their privacy notices the time period for which they retain each category of data, or the criteria used to determine the period before the data is destroyed. Such a provision will require new privacy policies for companies with California-based clientele.
Fortunately, businesses have a little less than 2 years to prepare for complete compliance and 1 year to prepare for the new access rights. Start re-drafting privacy policies and data retention policies now. And with fines tripling for violations affecting children under 16 years old, educational companies and institutions must pay particular attention.