Proposition 24 – the California Privacy Rights and Enforcement Act (CPRA) – Would Create New Requirements for Data Collection and Dissemination
By Marc Reiner
Due to its massive population and economy, any changes to California’s laws or regulatory scheme are virtually guaranteed to have an outsized effect on the way the rest of the U.S. goes about its business. This phenomenon is particularly true in the data privacy sphere, as was seen with the rollout of the California Consumer Privacy Act of 2018 (CCPA). Although the CCPA only applied to California businesses and residents, companies around the country and around the world made it a point to make sure that their practices were CCPA compliant due to the importance of California as a market.
California is at it again. On the ballot this year is Proposition 24, also known as the California Privacy Rights and Enforcement Act (CPRA), which would expand or amend the provisions of the CCPA significantly. In addition, it would create the California Privacy Protection Agency and no longer allow businesses to remedy violations before being penalized for them.
The CPRA would require businesses to do the following:
- Refrain from sharing a consumer’s personal information upon the consumer’s request
- Provide consumers with an opt-out option for having their sensitive personal information – such as precise geolocation, race, ethnicity, religion, genetic data, private communications, sexual orientation, and specified health information – used or disclosed for advertising or marketing
- Obtain permission before collecting data from consumers who are younger than 16
- Obtain permission from a parent or guardian before collecting data from consumers who are younger than 13
- Correct a consumer’s inaccurate personal information upon the consumer’s request
The CPRA also triples maximum penalties for violations concerning consumers under age 16 and prohibits businesses’ retention of personal information for longer than reasonably necessary.
As with any new privacy law, the ultimate effect is difficult to predict. This is particularly the case with legislation created by ballot initiative rather than by experienced legislators. Unlike some standalone ballot initiatives, however, the CPRA is designed in part to correct loopholes that were created by the CCPA two years ago. For example, there is a new limitation on data collection and use by third parties with whom the owner of the data never dealt originally. Conversely, the CPRA also allows news publishers to sell subscriptions to consumers who opt out of having their data shared with other parties, thereby offering greater data privacy for a price. Some critics argue that this puts a price on privacy, but it will at a minimum be interesting to see to what extent consumers financially value data privacy.
Perhaps the biggest loophole sought to be closed by the CPRA is one that has allowed large tech companies to disseminate personal data without penalty. The CPRA requires that when a consumer opts out of having their data shared, that publisher must pass their choice along to all the companies with which it works and those companies must also stop using that consumer’s data for any other purpose. This right cannot be contracted away, as has generally been attempted by Google or Facebook.
In sum, the CPRA is a relatively thoughtful update and amendment to the CCPA from a consumer’s point of view. If it passes, it will require companies to further monitor and change their data policies to make sure that their ongoing practices are in line with this essential sector of the U.S. economy.
Marc Reiner’s current practice includes General Commercial Litigation; the registration of trademarks; litigation and counseling in the areas of trademarks, copyrights, false advertising, cybersquatting, and violations of the rights of privacy and publicity.