California Adds Strict Data Privacy Rules to Its Constitution
This past Election Day, 56% of California voters approved Proposition 24 -- the California Consumer Privacy Rights Act (CPRA) -- tightening restrictions on the use of personal data and the way those restrictions are enforced. CPRA brings California into close alignment with European data privacy standards. The vote embeds these changes in California’s State Constitution, which means that going forward they can only be changed by amending the State Constitution.
The California initiative system is often seen as a predictor of what regulatory changes will be enacted nationwide, so this vote may have far-ranging repercussions.
What does CPRA do?
CPRA extends the data privacy rules established in the California Consumer Privacy Act (CCPA), which went into effect on Jan. 1, 2020. CPRA will go into effect on Jan. 1, 2023 so that businesses have time to make the required changes. The new privacy rules will apply retroactively to all data collected after Jan. 1, 2022.
The original CCPA required firms doing business in California to notify consumers about personal data collection and to support certain rights (the right to know what is being collected, to opt out of the resale of data, and to request deletion of data), but it provided little for the enforcement of those rules.
Broadly CPRA does four things:
CPRA adds new categories of information to the definition of personal information
CPRA extends the limitations on selling personal information so that the sharing of information between companies is now also covered
CPRA establishes a $100M budget for a new agency to enforce CPRA
CPRA extends the rights of consumers to opt out of having their data used and to correct information that companies have collected
What businesses are covered by CPRA?
Businesses that derive 50% or more of their revenue from selling or sharing data on California consumers – the revenue can come from anywhere, not just California
Businesses with more than $25M in annual revenue
Any business that buys, sells or shares data on more than 100,000 California consumers, households or devices
CPRA does provide an exemption for data gathered from “widely distributed media,” so data that consumers themselves post on social media will likely not be covered.
What constitutes “Sensitive Personal Information” under CPRA?
Social Security Number
Driver’s License Number
State ID Card Number
Logins, passwords and other codes for accessing financial accounts
Precise geolocation information
Personal information that reveals race, ethnicity, religion, sexual orientation, or union membership
Private communications, unless the business collecting the data was the intended recipient
Any other data collected and analyzed for the purpose of identifying any of these information categories
How does this impact data businesses?
There are no definitive answers to this question today. Much will be hashed out by lawyers between now and the implementation of the rules two years hence.
The largest target of this effort in California is online advertising and the sharing of information between businesses to create consumer profiles and the “cross-context behavioral advertising” based on those profiles.
While such activity is not prohibited under CPRA, companies will be expected to:
Greatly ease the process for consumers to opt out of the use, resale or sharing of their data
Provide consumers the ability to correct any of their personal information that a business stores
Establish auditable data security plans
Establish limits on the length of time personal data are stored, with tougher rules for justifying what storage is required
In the event of a data breach, not only notify consumers about the breach but “restore” the level of privacy consumers had before the breach. This could prove very costly
Ensure that any business that purchases data from them, or with which they share data, establishes the same level of privacy protection as the data-collecting business
What is next?
While the referendum in California only applies to data collected on California residents, the impact of this referendum is likely to be felt more broadly throughout the United States. On regulatory matters, California is often a bellwether for what other states or the federal government may do.
Even if no other jurisdiction acts, businesses implementing new software and new policies may find it more cost-effective to deploy a single approach that meets the California standard rather than maintaining dual systems and processes. The possibility that other jurisdictions will move forward, each at its own pace, makes a single-solution approach preferable to one in which changes are required each time these new California restrictions are adopted elsewhere.