Californians voted to make their consumer data privacy laws more robust than any other state in the country. The California Privacy Rights Act (CPRA) was passed by majority vote on Proposition 24 in the November election. The CPRA amends the 2018 California Consumer Privacy Act (CCPA) by expanding some definitions, closing a few loopholes, and adding state-level enforcement.
The 2018 CCPA affords California consumers specific protections from businesses that collect information about them. The key provisions include:
- The consumer has the right to know what information the business is collecting, storing, or selling.
- Consumers have the right to have erroneous data deleted.
- Consumers have the right to “opt-out” of having their personal information sold.
The 2020 CPRA offers the following upgrades and changes:
- closes the “share-versus-sell” loophole -The old law allowed businesses to share sensitive personal data, just not to sell it for monetary value. Sharing, trading, and other non-monetary exchanges for disclosures are now forbidden without consent.
- new sub-category of “sensitive personal information” -The new category includes: race, ethnicity, financial information, biometric data, geolocation history, health status, contents of emails and texts, government-issued identifiers and more. This represents some new considerations for consumer privacy in the age of Big Data.
- consumers have the right to correct inaccurate data – The ‘18 CCPA offered consumers the right to access their data and the right to request it be deleted. The ‘20 CPRA adds the right to have it corrected when the data is wrong.
- increased penalties for businesses that violate the rights of minors. When the victim is under 16, new penalty limits for businesses in violation is $7500. Children under 13 require a parent or guardian’s consent.
- expanded the scope of a “data-breach” – A “breach” now includes stealing a password or the answers to secret questions. Both are connected to rises in identity-theft and other crimes of fraud.
- establishes a Privacy Enforcement Agency – current CCPA violations are handled through the state’s Attorney General office. Future CCPA and CPRA violations and enforcement will be through the newly formed state agency.
In order to remain compliant, businesses will have to re-examine how they categorize, store and distribute consumer data. Loyalty-rewards programs and opt-out clauses will need to be re-considered. Terms and conditions must be updated. As such, there is a 2-year ramping-up period before enforcement begins for the upgraded restrictions provided in the amendment. Businesses must be compliant by January 1st of 2022, and authorities can begin taking action against violators on January 1st of 2023.
Californians have passed trend-setting consumer data-privacy laws in both of the last elections because they understand the sensitivity issues created from living in an increasingly digitized world. New-world technology like facial-recognition, geographical histories, and expanded personal data sets create some new world realities about consumer privacy and vulnerability. Progressive laws keep us protected from being exploited or falling victim to identity theft.
If you believe your privacy has been violated by a business or agency that collects or shares your personal information, contact the consumer protection attorneys at The Law Offices of Jeffrey Lohman. We understand the network of state and federal laws that outline your rights as a consumer, and we can help you take the appropriate action. Contact us today.