California voters recently approved Proposition 24, formally known as the California Privacy Rights and Enforcement Act Initiative
Since taking effect on January 1, 2020, the CCPA has faced criticism from both business and consumer privacy groups due to its ambiguity. The Privacy Rights and Enforcement Act seeks to strengthen and clarify the CCPA, as well as establish a dedicated enforcement agency.
California Consumer Privacy Act
Former Gov. Jerry Brown signed the California Consumer Privacy Act of 2018 (CCPA) into law on June 28, 2018. Effective January 1, 2020, it grants consumers the right to request that a business disclose the following:
The categories of personal information (PI) it has collected about that consumer;
The categories of sources from which the PI is collected;
The business or commercial purpose for collecting or selling PI;
The categories of third parties with whom the business shares PI; and
The specific pieces of PI it has collected about that consumer.
The CCPA also includes a number of other data protections for consumers. It grants a consumer the right to request deletion of PI and mandates that businesses to delete such information upon receipt of a verified request. Consumers also have the right to request that a business that sells the consumer’s PI, or discloses it for a business purpose, disclose the categories of information that it collects and categories of information and the identity of 3rd parties to which the information was sold or disclosed. The CCPA also authorizes a consumer to opt out of the sale of personal information by a business and prohibits the business from discriminating against the consumer for exercising this right.
The CCPA applies to for-profit business entities that conduct business in California, collect consumers’ personal information, alone or jointly with others determine the purposes or means of processing that data, and meet one or more of the following criteria: (1) have annual gross revenues greater than $25 million; (2) buy, receive, sell, or share personal information of 50,000 or more consumers annually; or (3) derive 50 percent or more of its annual revenues from selling consumers’ personal information.
Businesses can face penalties of up to $2,500 for each violation of CCPA requirements. Penalties increase to up to $7,500 for intentional violations. Penalties only may be applied if businesses fail to address the violation within 30 days of being notified of the violation. The California Department of Justice (DOJ) is authorized to impose these penalties.
The CCPA also includes a private right of action. When a breach of personal information occurs due to a business’ failure to implement and maintain reasonable safeguards to protect that information, the law entitles aggrieved consumers to pursue statutory damages of no less than $100 and no more than $750 per consumer per incident, or actual damages, whichever is greater.
Data Privacy Requirements Under Proposition 24
On November 3, 2020, California voted to pass the Proposition 24 ballot initiative, which significantly amends the CCPA. Below is a brief summary of the key changes under the California Privacy Rights and Enforcement Act of 2020 (CPRA), which became law with the passage of Proposition 24:
Changes to covered businesses: The CPRA expands the criteria for determining whether businesses are covered under the data privacy law. As amended, the requirements will apply to a business that (1) has greater than $25 million in annual revenue; (2) buys, sells or shares PI of 100,000+ consumers or households; or (3) derives at least 50% of annual revenue from selling or sharing consumer personal information. The CPRA increases the annual threshold to 100,000 or more consumers or households, which will exempt some small businesses. However, businesses that generate most of their revenue from sharing(not just selling) PI are now covered, which expands the reach of the CCPA.
New protections for “sensitive personal information”: The CPRA defines certain types of personal data as “sensitive.” Examples include social security and driver’s license numbers; financial account and login information; precise geolocation; race, ethnicity, religious or philosophical beliefs, or union membership; content of nonpublic communications (mail, email and text messages); genetic data; biometric or health information; and sex life or sexual orientation information. Consumers can direct businesses to limit use of their sensitive personal data only to (1) provide requested services or goods and (2) fulfill key business purposes (such as providing customer service).
New consumer privacy rights: The CPRA creates additional privacy rights. Notably, consumers could direct businesses to not share their personal data and direct businesses to take reasonable efforts to correct personal data that they possess.
Changes to existing penalties: The CPRA establishes a new penalty of up to $7,500 for violations involving the consumer privacy rights of minors. The amendments also remove the ability of businesses to avoid penalties by addressing violations within 30 days of being notified of the violation. Additionally, the CPRA imposes penalties for data breaches of email addresses along with information that would permit access to an account, such as a password. Under the amendments, businesses that suffer data breaches due to the lack of reasonable security procedures can no longer avoid penalties by putting them in place within 30 days after the breach.
New enforcement agency: Proposition 24 establishes the California Privacy Protection Agency (CPPA) to oversee and enforce the state’s consumer privacy laws. CPPA will be governed by a five-member board and have a wide range of responsibilities, including the authority to investigate violations, assess penalties, and develop regulations.
What’s Next?
The bulk of the changes mandated under the CPRA are slated to take effect on January 1, 2023. Businesses must begin to understand these new regulations and prepare to comply with the expanded terms.
If you have questions, please contact us
If you have any questions or if you would like to discuss the matter further, please contact me, Maryam Meseha, or the Scarinci Hollenbeck attorney with whom you work, at 201-896-4100.
Does Your Homeowners Insurance Provide Adequate Coverage?
Your home is likely your greatest asset, which is why it is so important to adequately protect it. Homeowners insurance protects you from the financial costs of unforeseen losses, such as theft, fire, and natural disasters, by helping you rebuild and replace possessions that were lost While the definition of “adequate” coverage depends upon a […]
Understanding the Importance of a Non-Contingent Offer
Making a non-contingent offer can dramatically increase your chances of securing a real estate transaction, particularly in competitive markets like New York City. However, buyers should understand that waiving contingencies, including those related to financing, or appraisals, also comes with significant risks. Determining your best strategy requires careful analysis of the property, the market, and […]
Fred D. Zemel Appointed Chair of Strategic Planning at Scarinci & Hollenbeck, LLC
Business Transactional Attorney Zemel to Spearhead Strategic Initiatives for Continued Growth and Innovation Little Falls, NJ – February 21, 2025 – Scarinci & Hollenbeck, LLC is pleased to announce that Partner Fred D. Zemel has been named Chair of the firm’s Strategic Planning Committee. In this role, Mr. Zemel will lead the committee in identifying, […]
Novation Agreement Process: Step-by-Step Guide for Businesses
Big changes sometimes occur during the life cycle of a contract. Cancelling a contract outright can be bad for your reputation and your bottom line. Businesses need to know how to best address a change in circumstances, while also protecting their legal rights. One option is to transfer the “benefits and the burdens” of a […]
What Is a Trade Secret? Key Elements and Legal Protections Explained
What is a trade secret and why you you protect them? Technology has made trade secret theft even easier and more prevalent. In fact, businesses lose billions of dollars every year due to trade secret theft committed by employees, competitors, and even foreign governments. But what is a trade secret? And how do you protect […]
What Is Title Insurance? Safeguarding Against Title Defects
If you are considering the purchase of a property, you may wonder — what is title insurance, do I need it, and why do I need it? Even seasoned property owners may question if the added expense and extra paperwork is really necessary, especially considering that people and entities insured by title insurance make fewer […]
No Aspect of the advertisement has been approved by the Supreme Court. Results may vary depending on your particular facts and legal circumstances.
Sign up to get the latest from our attorneys!
Explore What Matters Most to You.
Consider subscribing to our Firm Insights mailing list by clicking the button below so you can keep up to date with the firm`s latest articles covering various legal topics.
Stay informed and inspired with the latest updates, insights, and events from Scarinci Hollenbeck. Our resource library provides valuable content across a range of categories to keep you connected and ahead of the curve.
What Should Businesses Expect under California’s Proposition 24?
Author: Scarinci Hollenbeck, LLC
California voters recently approved Proposition 24, formally known as the California Privacy Rights and Enforcement Act Initiative
Since taking effect on January 1, 2020, the CCPA has faced criticism from both business and consumer privacy groups due to its ambiguity. The Privacy Rights and Enforcement Act seeks to strengthen and clarify the CCPA, as well as establish a dedicated enforcement agency.
California Consumer Privacy Act
Former Gov. Jerry Brown signed the California Consumer Privacy Act of 2018 (CCPA) into law on June 28, 2018. Effective January 1, 2020, it grants consumers the right to request that a business disclose the following:
The categories of personal information (PI) it has collected about that consumer;
The categories of sources from which the PI is collected;
The business or commercial purpose for collecting or selling PI;
The categories of third parties with whom the business shares PI; and
The specific pieces of PI it has collected about that consumer.
The CCPA also includes a number of other data protections for consumers. It grants a consumer the right to request deletion of PI and mandates that businesses to delete such information upon receipt of a verified request. Consumers also have the right to request that a business that sells the consumer’s PI, or discloses it for a business purpose, disclose the categories of information that it collects and categories of information and the identity of 3rd parties to which the information was sold or disclosed. The CCPA also authorizes a consumer to opt out of the sale of personal information by a business and prohibits the business from discriminating against the consumer for exercising this right.
The CCPA applies to for-profit business entities that conduct business in California, collect consumers’ personal information, alone or jointly with others determine the purposes or means of processing that data, and meet one or more of the following criteria: (1) have annual gross revenues greater than $25 million; (2) buy, receive, sell, or share personal information of 50,000 or more consumers annually; or (3) derive 50 percent or more of its annual revenues from selling consumers’ personal information.
Businesses can face penalties of up to $2,500 for each violation of CCPA requirements. Penalties increase to up to $7,500 for intentional violations. Penalties only may be applied if businesses fail to address the violation within 30 days of being notified of the violation. The California Department of Justice (DOJ) is authorized to impose these penalties.
The CCPA also includes a private right of action. When a breach of personal information occurs due to a business’ failure to implement and maintain reasonable safeguards to protect that information, the law entitles aggrieved consumers to pursue statutory damages of no less than $100 and no more than $750 per consumer per incident, or actual damages, whichever is greater.
Data Privacy Requirements Under Proposition 24
On November 3, 2020, California voted to pass the Proposition 24 ballot initiative, which significantly amends the CCPA. Below is a brief summary of the key changes under the California Privacy Rights and Enforcement Act of 2020 (CPRA), which became law with the passage of Proposition 24:
Changes to covered businesses: The CPRA expands the criteria for determining whether businesses are covered under the data privacy law. As amended, the requirements will apply to a business that (1) has greater than $25 million in annual revenue; (2) buys, sells or shares PI of 100,000+ consumers or households; or (3) derives at least 50% of annual revenue from selling or sharing consumer personal information. The CPRA increases the annual threshold to 100,000 or more consumers or households, which will exempt some small businesses. However, businesses that generate most of their revenue from sharing(not just selling) PI are now covered, which expands the reach of the CCPA.
New protections for “sensitive personal information”: The CPRA defines certain types of personal data as “sensitive.” Examples include social security and driver’s license numbers; financial account and login information; precise geolocation; race, ethnicity, religious or philosophical beliefs, or union membership; content of nonpublic communications (mail, email and text messages); genetic data; biometric or health information; and sex life or sexual orientation information. Consumers can direct businesses to limit use of their sensitive personal data only to (1) provide requested services or goods and (2) fulfill key business purposes (such as providing customer service).
New consumer privacy rights: The CPRA creates additional privacy rights. Notably, consumers could direct businesses to not share their personal data and direct businesses to take reasonable efforts to correct personal data that they possess.
Changes to existing penalties: The CPRA establishes a new penalty of up to $7,500 for violations involving the consumer privacy rights of minors. The amendments also remove the ability of businesses to avoid penalties by addressing violations within 30 days of being notified of the violation. Additionally, the CPRA imposes penalties for data breaches of email addresses along with information that would permit access to an account, such as a password. Under the amendments, businesses that suffer data breaches due to the lack of reasonable security procedures can no longer avoid penalties by putting them in place within 30 days after the breach.
New enforcement agency: Proposition 24 establishes the California Privacy Protection Agency (CPPA) to oversee and enforce the state’s consumer privacy laws. CPPA will be governed by a five-member board and have a wide range of responsibilities, including the authority to investigate violations, assess penalties, and develop regulations.
What’s Next?
The bulk of the changes mandated under the CPRA are slated to take effect on January 1, 2023. Businesses must begin to understand these new regulations and prepare to comply with the expanded terms.
If you have questions, please contact us
If you have any questions or if you would like to discuss the matter further, please contact me, Maryam Meseha, or the Scarinci Hollenbeck attorney with whom you work, at 201-896-4100.
Let`s get in touch!
Sign up to get the latest from the Scarinci Hollenbeck, LLC attorneys!
