
Orderboard Blog

California Adds Strict Data Privacy Rules to Its Constitution

This past Election Day, 56% of California voters approved Proposition 24 -- the California Consumer Privacy Rights Act (CPRA) -- tightening restrictions on the use of personal data and the way those restrictions are enforced. CPRA brings California into close alignment with European data privacy standards. The vote embeds these changes in California’s State Constitution, which means they can only be changed by amending the State Constitution going forward.


The California Initiative system is often seen as a predictor of what regulatory changes will be enacted nationwide, so this vote may have far-ranging repercussions.


What Does CPRA do?


CPRA extends the data privacy rules established in the California Consumer Privacy Act (CCPA) that went into effect on Jan. 1, 2020. CPRA will go into effect on Jan. 1, 2023 so that businesses have time to make required changes. The new privacy rules will apply retroactively to all data collected after Jan. 1, 2022.


The original CCPA required firms doing business in California to notify consumers about personal data collection and to support certain rights (the right to know what is being collected, to opt out of the resale of data and to request deletion of data) but provided little for the enforcement of those rules.


Broadly, CPRA does four things:


  1. CPRA adds new categories of information to the definition of personal information

  2. CPRA extends limitations on selling of personal information so that the sharing of information between companies is also now covered

  3. CPRA establishes a $100M budget for a new agency to enforce CPRA

  4. CPRA extends the rights of consumers to opt out of having their data used and to correct information that companies have collected


What businesses are covered by CPRA?


  • Businesses that derive 50% or more of revenue from selling or sharing data on California consumers – the revenue can be from anywhere, not just California

  • Businesses with more than $25M in annual revenue

  • Any business that buys, sells or shares data on more than 100,000 California consumers, households or devices


CPRA does provide an exemption for data gathered from “widely distributed media” so that it is likely that data posted on social media by consumers will not be covered.


What constitutes “Sensitive Personal Information” Under CPRA


  • Social Security Number

  • Driver’s License Number

  • State ID Card Number

  • Passport Number

  • Logins, passwords and other codes for accessing financial accounts

  • Precise geolocation information

  • Personal information that reveals race, ethnicity, religion, sexual orientation, or union membership

  • Private communications, unless the business collecting the data was the intended recipient

  • Biometric information

  • Health information

  • Any other data collected and analyzed for the purpose of identifying any of these information categories


How does this impact data businesses?


There are no definitive answers to this question today. Much will be hashed out by lawyers between now and the implementation of the rules two years hence.


The largest target of this effort in California is on-line advertising and the sharing of information between businesses to create consumer profiles and “cross-context behavioral advertising” based on those profiles.


While such activity is not prohibited under CPRA, companies will be expected to:


  • Greatly ease the process for consumers to opt out of the use, resale or sharing of their data

  • Provide consumers the ability to correct any of their personal information that a business stores

  • Establish auditable data security plans

  • Establish limits on the length of time personal data are stored, with tougher rules for justifying what storage is required

  • In the event of a data breach, not only notify consumers about the breach but “restore” the level of privacy consumers had before the breach. This could prove very costly

  • Require that any business that purchases data or shares data from a data-collecting business establish the same level of privacy protection as the data-collecting business


What is next?


While the referendum in California only applies to data collected on California residents, the impact of this referendum is likely to be felt more broadly throughout the United States. On regulatory matters, California is often a bellwether for what other states or the federal government may do.


Even if no other jurisdiction acts, businesses implementing new software and new policies may find it more cost effective to deploy a single approach that meets the California standard rather than maintaining dual systems and processes. The possibility that other jurisdictions will move forward, each at their own pace, makes a single solution approach preferable to one in which changes are required each time these new California restrictions are adopted elsewhere.



