By: Alex Theodosakis

After California passed the California Consumer Privacy Act (CCPA) in 2018, privacy lawyers scrambled for the better part of 2019 to revamp and rework all of their client privacy policies. The CCPA forces most businesses with clients or customers in California to reconfigure their privacy policies and data-collection processes to grant access to California consumers any saved personal information and publish full lists of the third party data-sharers. As CCPA enforcement only began on January 1st, 2020, these businesses have become subject to CCPA’s expansion of privacy policy requirements for just less than one year. Now California has altered the United States’ privacy law landscape once again.

On November 3rd, California voted to pass Proposition 24 (Prop. 24), the California Privacy Rights Act of 2020 (CPRA), placed on the ballot by Petition signatures. As Californians have approved of the ballot measure with about 56% “yes” votes to about 44% “no,” Prop. 24 will further expand the CCPA and California’s current Privacy laws, subjecting any company with California customers (subject to exceptions) to yet another reevaluation and expansion of their privacy policies. In addition, Proposition 24 will create a new state regulatory enforcement agency, the “California Privacy Protection Agency”, as an independent consumer watchdog to prosecute Privacy violations concurrently with the Attorney General and the Department of Justice. In addition to this new state regulatory agency, the state of California will expand its “Consumer Privacy Fund” within the General Fund in the State Treasury, used currently to fund enforcement, to include the purposes of holding investment money to be made in grants to promote, protect, and educate on Consumer Privacy.

Specifically, the Act will amend the California Civil Code to expand the definition of affected businesses from those who “collect” personal information to those who “control the collection” of personal information, encompassing and regulating even more actors. It will add the mandatory informing of California consumers of the length of time the business intends to retain each category of personal information and bolster limitations on third party data contracts (must specify purpose and imposes obligations on third parties). The Act will also force third parties that control data collection to disclose collected data to the consumers and provide required information “prominently and conspicuously on the homepage of its internet website.” All businesses must only collect, use, retain, or share consumer’s personal information as “reasonably necessary and proportionate to achieve the purpose[]” for which the data was collected, and must implement “reasonable security procedures and practices.” Further, under the CPRA, service providers or contractors must cooperate in deleting data collected by businesses upon request, inching us towards the European Union’s General Data Protection Regulation’s (GDPR) well-known, progressive principle of the “right to be forgotten.” Additionally, the CPRA also narrows data use allowance for preventing and deterring crime, as under the Act, businesses, service providers, and contractors may not refuse to delete consumer information in order to “detect security incidents, protect against malicious, deceptive, fraudulent, or illegal activity, or prosecute those responsible…,” but only help ensure security to the extent the consumer’s personal info in reasonably necessary and proportionate to these purposes. The Act strikes from the civil code the right to maintain consumer info if reasonably necessary to use consumer info internally “in a lawful manner that is compatible with the context” in which the info was provided, but still allows the information to complete the transaction at issue, debug and repair errors, etc.

Since California amended its state constitution in 1972 to include the right to privacy among the “inalienable” rights of all people, the state has emerged as a Privacy legislation pioneer. The CPRA expresses that the state’s emerging role comes with its status as “a world leader in many new technologies that have reshaped our society” and lays out the Act’s driving motivations of consumer protection, controlling the asymmetry of consumer information, and establishing equal footing for consumer negotiations. One supposes that it makes sense California, home to Silicon Valley and haven for tech entrepreneurs, is leading the Privacy push. Legislators and lobbyists see California Big Tech as a large reason for the emergence of such extensive markets for “Big Data,” and now the State is leading the action to regulate that marketplace and to further protect consumers.

As expressed earlier, the CCPA has had less than a year in effect, and we have not yet had adequate time to truly evaluate the effect of CCPA regulations on privacy dealings, data collection, and entrepreneurship. Entrepreneurs must be cognizant of this new, upcoming change in Privacy law, as old templates and policy models will be outdated and inaccurate, and existing Privacy Policies will require revision once again before the CPRA goes into effect in 2023. When it comes to Privacy, California continues to lead the progressive and rapid reform of U.S. policy.