California voters recently approved Proposition 24, formally known as the California Privacy Rights and Enforcement Act Initiative
Since taking effect on January 1, 2020, the CCPA has faced criticism from both business and consumer privacy groups due to its ambiguity. The Privacy Rights and Enforcement Act seeks to strengthen and clarify the CCPA, as well as establish a dedicated enforcement agency.
California Consumer Privacy Act
Former Gov. Jerry Brown signed the California Consumer Privacy Act of 2018 (CCPA) into law on June 28, 2018. Effective January 1, 2020, it grants consumers the right to request that a business disclose the following:
The categories of personal information (PI) it has collected about that consumer;
The categories of sources from which the PI is collected;
The business or commercial purpose for collecting or selling PI;
The categories of third parties with whom the business shares PI; and
The specific pieces of PI it has collected about that consumer.
The CCPA also includes a number of other data protections for consumers. It grants a consumer the right to request deletion of PI and mandates that businesses to delete such information upon receipt of a verified request. Consumers also have the right to request that a business that sells the consumer’s PI, or discloses it for a business purpose, disclose the categories of information that it collects and categories of information and the identity of 3rd parties to which the information was sold or disclosed. The CCPA also authorizes a consumer to opt out of the sale of personal information by a business and prohibits the business from discriminating against the consumer for exercising this right.
The CCPA applies to for-profit business entities that conduct business in California, collect consumers’ personal information, alone or jointly with others determine the purposes or means of processing that data, and meet one or more of the following criteria: (1) have annual gross revenues greater than $25 million; (2) buy, receive, sell, or share personal information of 50,000 or more consumers annually; or (3) derive 50 percent or more of its annual revenues from selling consumers’ personal information.
Businesses can face penalties of up to $2,500 for each violation of CCPA requirements. Penalties increase to up to $7,500 for intentional violations. Penalties only may be applied if businesses fail to address the violation within 30 days of being notified of the violation. The California Department of Justice (DOJ) is authorized to impose these penalties.
The CCPA also includes a private right of action. When a breach of personal information occurs due to a business’ failure to implement and maintain reasonable safeguards to protect that information, the law entitles aggrieved consumers to pursue statutory damages of no less than $100 and no more than $750 per consumer per incident, or actual damages, whichever is greater.
Data Privacy Requirements Under Proposition 24
On November 3, 2020, California voted to pass the Proposition 24 ballot initiative, which significantly amends the CCPA. Below is a brief summary of the key changes under the California Privacy Rights and Enforcement Act of 2020 (CPRA), which became law with the passage of Proposition 24:
Changes to covered businesses: The CPRA expands the criteria for determining whether businesses are covered under the data privacy law. As amended, the requirements will apply to a business that (1) has greater than $25 million in annual revenue; (2) buys, sells or shares PI of 100,000+ consumers or households; or (3) derives at least 50% of annual revenue from selling or sharing consumer personal information. The CPRA increases the annual threshold to 100,000 or more consumers or households, which will exempt some small businesses. However, businesses that generate most of their revenue from sharing(not just selling) PI are now covered, which expands the reach of the CCPA.
New protections for “sensitive personal information”: The CPRA defines certain types of personal data as “sensitive.” Examples include social security and driver’s license numbers; financial account and login information; precise geolocation; race, ethnicity, religious or philosophical beliefs, or union membership; content of nonpublic communications (mail, email and text messages); genetic data; biometric or health information; and sex life or sexual orientation information. Consumers can direct businesses to limit use of their sensitive personal data only to (1) provide requested services or goods and (2) fulfill key business purposes (such as providing customer service).
New consumer privacy rights: The CPRA creates additional privacy rights. Notably, consumers could direct businesses to not share their personal data and direct businesses to take reasonable efforts to correct personal data that they possess.
Changes to existing penalties: The CPRA establishes a new penalty of up to $7,500 for violations involving the consumer privacy rights of minors. The amendments also remove the ability of businesses to avoid penalties by addressing violations within 30 days of being notified of the violation. Additionally, the CPRA imposes penalties for data breaches of email addresses along with information that would permit access to an account, such as a password. Under the amendments, businesses that suffer data breaches due to the lack of reasonable security procedures can no longer avoid penalties by putting them in place within 30 days after the breach.
New enforcement agency: Proposition 24 establishes the California Privacy Protection Agency (CPPA) to oversee and enforce the state’s consumer privacy laws. CPPA will be governed by a five-member board and have a wide range of responsibilities, including the authority to investigate violations, assess penalties, and develop regulations.
What’s Next?
The bulk of the changes mandated under the CPRA are slated to take effect on January 1, 2023. Businesses must begin to understand these new regulations and prepare to comply with the expanded terms.
If you have questions, please contact us
If you have any questions or if you would like to discuss the matter further, please contact me, Maryam Meseha, or the Scarinci Hollenbeck attorney with whom you work, at 201-896-4100.
You Just Received a Federal Grand Jury Subpoena in New Jersey: Now What?
Receiving a federal grand jury subpoena is not something most businesses or individuals anticipate. While it can be concerning, a federal grand jury subpoena does not necessarily mean that you are being accused of wrongdoing. It does, however, mean that a federal criminal investigation is underway and that federal prosecutors believe you may possess information […]
Why Every Business Should Conduct an Annual Insurance Coverage Review
Most New Jersey business owners purchase insurance policies, file them away, and assume they are protected if a claim arises. Without a regular insurance coverage review, many companies discover gaps only after a lawsuit, cyberattack, property loss, or other significant event occurs. An annual insurance coverage review can help businesses identify potential risks, ensure their […]
Demand Letters & Cease and Desist Letters: When to Send One (and When Not To)
Businesses and individuals often encounter situations where another party breaches a contract, fails to pay a debt, or continues harmful conduct. In many such disputes, a precisely drafted demand letter or cease-and-desist letter serves as a powerful legal tool. It can frequently resolve the dispute and avoid litigation. While demand or cease-and-desist letters can resolve […]
Key provisions in your contracts, including those relating to indemnification, insurance, and defense, are essential to contract risk management. While sometimes considered “boilerplate,” these provisions play a pivotal role when determining which party is responsible for certain costs and liabilities. They must always be negotiated and drafted carefully. Indemnification Clauses Businesses should never overlook the […]
Portability of estate and gift tax enables a surviving spouse to inherit any unused portion of their deceased spouse’s federal estate and gift tax exemption. So, if one spouse doesn’t utilize their full exemption, the surviving spouse can effectively double their exemption amount with regard to estate tax liability. For married couples, portability offers a […]
Pet Trusts in New Jersey and New York: A Practical Estate Planning Tool
For many of us, pets are more than companions—they are members of the family. Yet they are often overlooked or inadequately provided for when it comes to estate planning. A pet trust offers a legally enforceable way to ensure that your animal continues to receive proper care if you become incapacitated or pass away. As […]
No Aspect of the advertisement has been approved by the Supreme Court. Results may vary depending on your particular facts and legal circumstances.
Sign up to get the latest from our attorneys!
Explore What Matters Most to You.
Consider subscribing to our Firm Insights mailing list by clicking the button below so you can keep up to date with the firm`s latest articles covering various legal topics.
Stay informed and inspired with the latest updates, insights, and events from Scarinci Hollenbeck. Our resource library provides valuable content across a range of categories to keep you connected and ahead of the curve.
Let`s get in touch!
Sign up to get the latest from the Scarinci Hollenbeck, LLC attorneys!
