CPRA: Kicking Data Privacy Up a Notch
During the November 2020 general election, California Proposition 24, also known as the California Privacy Rights Act (CPRA), was approved by a majority of the state’s voters. The CPRA was spearheaded by concerned consumers and privacy advocates who felt that the existing privacy legislation, the California Consumer Privacy Act (CCPA), did not go far enough in protecting consumer privacy. When the CPRA goes into effect, it will greatly expand consumer data protection law in the state and bring the privacy rights of California consumers closer to those enjoyed by individuals in the European Union under the General Data Protection Regulation (GDPR), widely regarded as the “gold standard” of data privacy regulation. The law will have far-reaching effects on California consumers and on businesses with a presence in the state, and it will undoubtedly shape the future of federal data privacy regulation in the United States.
What Consumers Should Know:
California consumers should be aware that the CPRA will expand existing privacy rights and protections, and grant new rights not included in the CCPA. One of CPRA’s key effects on consumers results from the emphasis it places on “data minimization.” Data minimization protects consumers by discouraging corporations from maintaining information about consumers unless such information is necessary to provide services. In a nod to Europe’s GDPR, the CPRA embraces the data minimization concept, requiring companies processing personal data to only process data that is “reasonably necessary and proportionate to achieve the purposes for which the personal information was collected or processed.”
Perhaps more directly impactful to consumers are the new and expanded rights enumerated within the CPRA. Section 6 of the CPRA is entirely new and provides that consumers may submit a verifiable consumer request requiring a business to make commercially reasonable efforts to correct inaccurate personal information. Further, the CPRA expands upon the CCPA, which allowed consumers to opt out of the sale of their personal information, by giving consumers the same opt-out right for the sharing of their personal information. Together, these two rights give California consumers much greater control over the accuracy of their personal information and the extent to which it is disclosed.
How This Affects Businesses:
Much like the GDPR, the CPRA emphasizes “Privacy by Design,” requiring businesses to embed privacy into the design of their business processes and IT infrastructure. As businesses prepare for the CPRA to take effect, they will need to consider how the law will affect their current privacy policies and practices, and make any necessary changes to ensure compliance by January 1, 2023. Though the law does not become operative until 2023, it includes a one-year lookback: the new rights apply to personal information collected on or after January 1, 2022, so businesses must already be keeping track of what they collect and how they use it.
The CPRA addresses two problematic ambiguities in the CCPA: what constitutes a “sale” of consumer information, and whether disclosures that involve no payment trigger the opt-out right at all. The CCPA requires that a business give consumers an opportunity to opt out of the “sale” of their personal information, which it defines as a disclosure “for monetary or other valuable consideration,” but it does not adequately define what counts as valuable consideration. Privacy advocates were concerned that this ambiguity created a loophole: a business could hand personal information to third parties (for example, for targeted advertising) while maintaining that no sale had occurred, and so never offer consumers an opportunity to opt out. The CPRA closes the gap by adding a separate defined term, “sharing,” which covers disclosing personal information to a third party for cross-context behavioral advertising whether or not any consideration is exchanged, and it expressly extends the opt-out right to cover both selling and sharing. To comply with the CPRA, businesses must reassess whether they are selling or sharing consumer information and, if so, provide a clear “Do Not Sell or Share My Personal Information” opt-out.
The new obligations around “sensitive personal information” will change the way companies handle personal information. By giving consumers a right to limit a business’s use and disclosure of their sensitive personal information, the CPRA puts the onus on companies to track which categories of sensitive personal information they collect and to give consumers clear direction on how to request such limits. “Sensitive personal information” is a defined subset of the CCPA’s already broad definition of “personal information,” which covers any “information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.” The subset is still wide: it includes government identifiers such as Social Security, driver’s license, and passport numbers; account log-in or financial account credentials; precise geolocation; racial or ethnic origin, religious or philosophical beliefs, and union membership; the contents of mail, email, and text messages not directed to the business; genetic data; biometric information processed to uniquely identify a consumer; health data; and data concerning sex life or sexual orientation. As a result, companies will need to inventory their data flows field by field to identify which ones fall into these categories. Unlike the GDPR, the CPRA does not require express consent to process such data; the consumer’s control is an opt-out style limit rather than an opt-in. But the breadth of these categories and consumers’ ability to limit a company’s use of such data require extra diligence by companies to ensure they can honor those requests.
Although the law will be binding only with respect to California residents, once effective it is likely to influence privacy practices nationwide, much as the CCPA did. After the CCPA was signed into law in June 2018, several tech companies, including Microsoft, announced they would apply the principles of the CCPA to all of their customers in the United States. That support from major tech companies underscored the need for a federal data privacy law and led to a slew of competing federal privacy bills, many of which closely resembled the language of the CCPA or the GDPR. Additionally, the growing patchwork of differing state privacy laws creates a difficult landscape for companies to navigate, with significant financial penalties for those that fail to adhere to the rules. As a result, leading companies in the technology industry are pushing for comprehensive federal data privacy legislation to bring some certainty.
The CPRA expands on the CCPA and implements several key aspects of foreign data privacy laws for the first time in the United States. For example, whereas other states vest the authority to enforce data privacy laws in the state attorney general, the CPRA creates and funds the California Privacy Protection Agency (CPPA), a new agency that will oversee rulemaking and administrative enforcement under the CPRA, while the state Attorney General retains authority to bring civil enforcement actions. Today, the Federal Trade Commission (FTC) is the federal agency that exercises this kind of authority, but proponents of greater consumer protection have argued for a dedicated federal data protection authority like the CPPA, separate from the FTC. The FTC has only limited authority to regulate data privacy under its Unfair or Deceptive Acts or Practices (UDAP) mandate and, given the scope of the data landscape, is significantly constrained by budget and personnel. Congressional Democrats, with some Republican support, are pushing for a federal privacy law that would create an agency to take over responsibility for enforcing U.S. data privacy rules. In fact, certain proposed bills, such as the one introduced by Senator Gillibrand, include language that would create a separate U.S. data protection agency. If these trends continue and the CPRA becomes the model for future federal legislation, there may very well be a federal data protection agency in the future.
The CPRA is the United States’ most far-reaching privacy regulation and, in some ways, it even surpasses the protections offered by the GDPR. While companies have time before the CPRA goes into effect, it is important they examine their processes and products to ensure compliance. How the CPRA will affect federal privacy regulation is yet to be determined. However, the adoption of Proposition 24 further underscores the public’s desire and need for Congress to take action on a comprehensive federal data protection regulation.
GLTR Managing Editor; Georgetown Law, J.D. expected 2022; University of South Florida, B.S. 2013 ©2020, Evan Burroughs