Prop 24 Could Majorly Impact California Data Privacy. Will Businesses Comply?
All eyes are focused on the presidential election today, but for businesses, a ballot initiative in California could have major implications. Proposition 24, known as the California Privacy Rights Act of 2020 (CPRA), is seen by many as an even more stringent version of the California Consumer Privacy Act (CCPA). That has some businesses rethinking how they collect user data and questioning whether they might be vulnerable to lawsuits if the proposition passes.
Originally designed to clarify the consumer rights and privacy protections for Californians outlined in the CCPA, the CPRA actually has more in common with the European Union’s General Data Protection Regulation (GDPR). Like the GDPR, the CPRA would create a new regulatory agency to implement and enforce California’s privacy regulations. It would also expand the definition of sensitive personal information beyond what was originally outlined in the CCPA.
That change, in particular, has businesses worried they could be vulnerable to lawsuits if they don’t change how they collect user data.
“The privacy protections under the CPRA are more in line with the EU’s GDPR privacy regulation, with the exception of it making private browsing easier for consumers, expanding on the definition of ‘sharing’ personal information,” says Dan Clarke, president at IntraEdge.
The CPRA uses the term “data sharing” to close the loophole created by the CCPA’s use of “selling” personal data. Clarke says businesses that don’t currently have a “Do Not Sell” (DNS) link are more likely to fall under the definition of “share,” and that could become a major problem when the CPRA goes into effect in 2023.
The new privacy enforcement agency that would be created after the passage of Proposition 24 is also something that Clarke says businesses need to watch out for. The agency would dramatically change how privacy rights are handled across the U.S. Unfortunately, there are plenty of companies that aren’t aware of the implications of Proposition 24 and have no idea how they will need to adjust their data privacy collection strategy if the CPRA goes into effect.
“Businesses need to understand that under the CPRA, consumers will have a right to correct their data,” Clarke says. “The CPRA also creates a new category for sensitive information, including how to deal with it, and places restrictions on the sharing of personal information for behavioral advertising.”
Under the CPRA’s definition, businesses must comply if they report annual gross revenues in excess of $25 million in the preceding calendar year. Additional requirements mean even more businesses would fall under the umbrella, including any organization that buys, sells, or shares the personal information of 100,000 or more consumers or households each year, or generates at least 50% of its annual revenue from selling or sharing personal information.
If the CPRA passes, Clarke says businesses will need to immediately review the new updates and make appropriate plans to address the changes.
“Privacy regulation has proved to be an ever-evolving landscape, with Washington recently submitting its third round of proposed privacy regulations. Brazil also recently approved its privacy law – these constant changes require a true end-to-end automated solution that can scale with the CPRA and beyond,” he says.
The CPRA can’t be weakened or changed by the normal legislative process, which Clarke says is a good thing for businesses. Whereas the CCPA has evolved significantly since it was passed in 2018, businesses won’t have to contend with constant updates with the CPRA if it passes.
While enforcement and implementation of CPRA wouldn’t occur until 2023, Clarke says it’s important to remember that the CCPA remains effective until then, and businesses still need to meet compliance requirements. However, for businesses that have already complied with the CCPA, the new privacy regulation would make it easier to meet requirements in the short term.
“In the long term, businesses can expect the CPRA to remain the same and can only be amended if the said changes do not harm consumer privacy. The CCPA proved to be anything but perpetual with its ever-evolving updates, resulting in unprecedented challenges in compliance measures, especially amid a pandemic,” he says. “The CPRA sets a comprehensive foundation for other U.S. privacy regulations in the future.”
Stephanie Miles is a senior editor at Street Fight.