California voters recently approved Proposition 24, formally known as the California Privacy Rights and Enforcement Act Initiative
Since taking effect on January 1, 2020, the CCPA has faced criticism from both business and consumer privacy groups due to its ambiguity. The Privacy Rights and Enforcement Act seeks to strengthen and clarify the CCPA, as well as establish a dedicated enforcement agency.
California Consumer Privacy Act
Former Gov. Jerry Brown signed the California Consumer Privacy Act of 2018 (CCPA) into law on June 28, 2018. Effective January 1, 2020, it grants consumers the right to request that a business disclose the following:
The categories of personal information (PI) it has collected about that consumer;
The categories of sources from which the PI is collected;
The business or commercial purpose for collecting or selling PI;
The categories of third parties with whom the business shares PI; and
The specific pieces of PI it has collected about that consumer.
The CCPA also includes a number of other data protections for consumers. It grants a consumer the right to request deletion of PI and mandates that businesses to delete such information upon receipt of a verified request. Consumers also have the right to request that a business that sells the consumer’s PI, or discloses it for a business purpose, disclose the categories of information that it collects and categories of information and the identity of 3rd parties to which the information was sold or disclosed. The CCPA also authorizes a consumer to opt out of the sale of personal information by a business and prohibits the business from discriminating against the consumer for exercising this right.
The CCPA applies to for-profit business entities that conduct business in California, collect consumers’ personal information, alone or jointly with others determine the purposes or means of processing that data, and meet one or more of the following criteria: (1) have annual gross revenues greater than $25 million; (2) buy, receive, sell, or share personal information of 50,000 or more consumers annually; or (3) derive 50 percent or more of its annual revenues from selling consumers’ personal information.
Businesses can face penalties of up to $2,500 for each violation of CCPA requirements. Penalties increase to up to $7,500 for intentional violations. Penalties only may be applied if businesses fail to address the violation within 30 days of being notified of the violation. The California Department of Justice (DOJ) is authorized to impose these penalties.
The CCPA also includes a private right of action. When a breach of personal information occurs due to a business’ failure to implement and maintain reasonable safeguards to protect that information, the law entitles aggrieved consumers to pursue statutory damages of no less than $100 and no more than $750 per consumer per incident, or actual damages, whichever is greater.
Data Privacy Requirements Under Proposition 24
On November 3, 2020, California voted to pass the Proposition 24 ballot initiative, which significantly amends the CCPA. Below is a brief summary of the key changes under the California Privacy Rights and Enforcement Act of 2020 (CPRA), which became law with the passage of Proposition 24:
Changes to covered businesses: The CPRA expands the criteria for determining whether businesses are covered under the data privacy law. As amended, the requirements will apply to a business that (1) has greater than $25 million in annual revenue; (2) buys, sells or shares PI of 100,000+ consumers or households; or (3) derives at least 50% of annual revenue from selling or sharing consumer personal information. The CPRA increases the annual threshold to 100,000 or more consumers or households, which will exempt some small businesses. However, businesses that generate most of their revenue from sharing(not just selling) PI are now covered, which expands the reach of the CCPA.
New protections for “sensitive personal information”: The CPRA defines certain types of personal data as “sensitive.” Examples include social security and driver’s license numbers; financial account and login information; precise geolocation; race, ethnicity, religious or philosophical beliefs, or union membership; content of nonpublic communications (mail, email and text messages); genetic data; biometric or health information; and sex life or sexual orientation information. Consumers can direct businesses to limit use of their sensitive personal data only to (1) provide requested services or goods and (2) fulfill key business purposes (such as providing customer service).
New consumer privacy rights: The CPRA creates additional privacy rights. Notably, consumers could direct businesses to not share their personal data and direct businesses to take reasonable efforts to correct personal data that they possess.
Changes to existing penalties: The CPRA establishes a new penalty of up to $7,500 for violations involving the consumer privacy rights of minors. The amendments also remove the ability of businesses to avoid penalties by addressing violations within 30 days of being notified of the violation. Additionally, the CPRA imposes penalties for data breaches of email addresses along with information that would permit access to an account, such as a password. Under the amendments, businesses that suffer data breaches due to the lack of reasonable security procedures can no longer avoid penalties by putting them in place within 30 days after the breach.
New enforcement agency: Proposition 24 establishes the California Privacy Protection Agency (CPPA) to oversee and enforce the state’s consumer privacy laws. CPPA will be governed by a five-member board and have a wide range of responsibilities, including the authority to investigate violations, assess penalties, and develop regulations.
What’s Next?
The bulk of the changes mandated under the CPRA are slated to take effect on January 1, 2023. Businesses must begin to understand these new regulations and prepare to comply with the expanded terms.
If you have questions, please contact us
If you have any questions or if you would like to discuss the matter further, please contact me, Maryam Meseha, or the Scarinci Hollenbeck attorney with whom you work, at 201-896-4100.
Why Compliance Monitoring Matters for NY and NJ Businesses
Compliance programs are no longer judged by how they look on paper, but by how they function in the real world. Compliance monitoring is the ongoing process of reviewing, testing, and evaluating whether policies, procedures, and controls are being followed—and whether they are actually working. What Is Compliance Monitoring? In today’s heightened regulatory environment, compliance […]
When Are New Jersey Business Owners Personally Liable for Corporate Debt?
New Jersey personal guaranty liability is a critical issue for business owners who regularly sign contracts on behalf of their companies. A recent New Jersey Supreme Court decision provides valuable guidance on when a business owner can be held personally responsible for a company’s debt. Under the Court’s decision in Extech Building Materials, Inc. v. […]
Commercial real estate trends in 2026 are being shaped by shifting economic conditions, technological innovation, and evolving tenant demands. As the market adjusts to changing interest rates, capital flows, and workplace models, investors, owners, tenants, and developers must understand how these trends are influencing opportunities and risk in the year ahead. Overall Outlook for Commercial […]
One Big Beautiful Bill: New Tip Income Tax Rules Employers & Workers Need to Know
Part 2 – Tips Excluded from Income Certain employees and independent contractors may be eligible to deduct tips from their income for tax years 2025 through 2028 under provisions included in the One Big Beautiful Bill. The deduction is capped at $25,000 per year and begins to phase out at $150,000 of modified adjusted gross […]
One Big Beautiful Bill: New Overtime Tax Rules Employers and Employees Need to Know
Part 1 – Overtime Pay and Income Tax Treatment Overview This Firm Insights post summarizes one provision of the “One Big Beautiful Bill” related to the tax treatment of overtime compensation and related employer wage reporting obligations. Overtime Pay and Employee Tax Treatment The Fair Labor Standards Act (FLSA) generally requires that overtime be paid […]
New York’s FAIR Business Practices Act: What the New Consumer Protection Measure Means for Your Business
In 2025, New York enacted one of the most consequential updates to its consumer protection framework in decades. The Fostering Affordability and Integrity through Reasonable Business Practices Act (FAIR Act) significantly expands the scope and strength of New York’s long-standing consumer protection statute, General Business Law § 349, and alters the compliance landscape for New York […]
No Aspect of the advertisement has been approved by the Supreme Court. Results may vary depending on your particular facts and legal circumstances.
Sign up to get the latest from our attorneys!
Explore What Matters Most to You.
Consider subscribing to our Firm Insights mailing list by clicking the button below so you can keep up to date with the firm`s latest articles covering various legal topics.
Stay informed and inspired with the latest updates, insights, and events from Scarinci Hollenbeck. Our resource library provides valuable content across a range of categories to keep you connected and ahead of the curve.
Let`s get in touch!
Sign up to get the latest from the Scarinci Hollenbeck, LLC attorneys!
