As the dust clears after a very long election day (i.e., week) in the USA, we are taking stock of what has changed. Amid the obvious changes, voters in California approved Proposition 24, the California Privacy Rights Act [1]. California, the first state to implement a comprehensive privacy law, now has an updated set of privacy rules.

This article provides an overview of Prop 24 in four parts, answering four questions:

• (1) What is Prop 24;

• (2) Who does Prop 24 affect;

• (3) What did the supporters and opponents think of Prop 24?; and

• (4) When does this all come into effect?

For a TLDR of the key changes Prop 24 brings to California’s privacy laws, skip to the conclusion.

WHAT IS PROP 24?

Prop 24, also known as the California Privacy Rights Act (the “CPRA”) supplements the existing California Privacy Act (the “CCPA”), which just came into effect last year (check out previous blog post on the CCPA here).

The California Privacy Rights Act does four main things:

(1) Changes existing consumer data privacy requirements. The CPRA requires companies to adopt data minimization and retention practices. For example, businesses must now notify consumers of the length of time they will keep personal data.

(2) Provides new consumer privacy rights. The CPRA permits consumers to:

• Tell businesses not to use “sensitive personal information.” “Sensitive personal information” is a new category that expands types of information consumers can block businesses from sharing. It includes precise geolocation, race, ethnicity, religion, genetic data, private communications, sexual orientation, and specific health information.

• Prevent businesses from sharing personal information. The CPRA makes it more explicit that “do not sell” includes data shared between companies. Businesses must provide consumers with the ability to opt-out of having their data shared for purposes of cross-context behavioral advertising. Definition time! “Share” is defined in the CPRA to include sharing, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating a consumer’s personal information, whether or not for monetary or other valuable consideration, including transactions between a business and a third party for advertising for the benefit of a business in which no money is exchanged.

• Correct personal information.

(3) Establishes a new agency, the California Privacy Protection Agency (the “CPPA”). This agency will be in charge of enforcing and implementing consumer privacy laws and imposing fines, a duty which previously was left to the attorney general’s office. The CPPA will be governed by a five-member board, two seats (including the Chair) will be appointed by the Governor of California, and the remaining seats will be appointed, respectively, by the Attorney General, the Senate Rules Committee, and the Speaker of the Assembly. Any CPPA decision related to a complaint against a business or a penalty can be reviewed by the state trial courts.

(4) Changes existing penalties. For example, it triples fines for violations if the affected consumer is younger than 16 years old; and authorizes civil penalties for theft of consumer login information.

Also noteworthy, and already or likely to be the source of much debate, the CPRA:

• Allows businesses to charge consumers more if they opt-out of having their data sold or shared more (dubbed the “pay-for-privacy” allowance).

• Provides that any “agreement obtained through use of dark patterns does not constitute consent.” Dark patterns is defined as “a user interface designed or manipulated with the substantial effect of subverting or impairing user autonomy, decision-making, or choice, as further defined by regulation.”

WHO DOES PROP 24 AFFECT?

The CCPA regulated “businesses,” “service providers,” and “third parties.” The CPRA both narrows and expands who must comply with privacy regulations.

Narrowing: the CPRA redefines who classifies as a “business.” Used to be that consumer data privacy requirements applied to businesses that buy, sell, or share for business purposes the personal data of 50,000 or more consumers, households, or devices annually. The CPRA narrows the definition of “business” in two ways: (1) it no longer counts devices; and (2) it increases the annual threshold to 100,000 or more consumers or households.

Expanding: the CPRA also adds a new regulated entity: “contractors.” At first blush, it seems contractors will have similar obligations under the CPRA as service providers.

And who can avail themselves of the privacy protections in the CPRA? Same as the CCPA: any California resident. Importantly, a growing number of companies that have Californians consumers are overhauling their processes at a macro level, such that all their consumers, not just those in California, benefit from the privacy standard in the CCPA and CPRA.

PROPONENTS AND OPPONENTS: THE DEBATE AROUND PROP 24

The tale of Prop 24 is but a chapter in the saga of privacy regulation in California. It started in the foothills of Oakland, when Alastair Mactaggart became aware of just how much data companies scrape from their consumers and subsequently uninhibitedly use and share. In 2018, Mactaggart introduced a ballot measure in the California state legislature championing consumer privacy. After some negotiation, this start became the CCPA, which was signed into law on June 28, 2018 (with additional substantive amendments added on October 11, 2019).

But the CCPA was not enough for Mactaggart, and so was born Prop 24, originally a 52-page ballot measure that he felt would fix the shortcomings he saw in the CCPA.

Prop 24 was hotly debated. Amongst its supporters were Andrew Yang, the NAACP of California, US Representative Ro Khanna (D-CA), and privacy advocates and experts including Chris Hoofnagle and Ashkan Soltani.

Prop 24’s vocal opponents were not, as one may think, the FANG tech giants who would be affected by the law. Rather, a number of consumer rights and privacy advocacy groups came out against the measure. The American Civil Liberties Union (the “ACLU”) stood firmly against it, pointing specifically to the “pay-for-privacy” provision that would allow businesses to charge users more if they opt-out of data sharing [2]. The ACLU argued such a provision would make privacy rights less accessible to people with lower incomes. Most saw Prop 24 as a missed opportunity. The Electronic Frontier Foundation, which advocates for digital civil rights, said the measure was too much of a “mixed bag” to take a position [3].

WHEN DOES THIS ALL COME INTO EFFECT?

The magic date is January 1, 2023. The substantive legal requirements will come into effect on January 1, 2023. Some portions of Prop 24, such as the creation of the CPPA, will go into effect immediately. The first order of business being assembling the new agency’s board.

TLDR...

To summarize, there are three key updates the California Privacy Rights Act brings to California privacy law:

1. The definition of “sensitive personal information” has changed. More types of information are now protected, including precise geolocation, race, ethnicity, religion, genetic data, private communications, sexual orientation, and specific health information.

2. Businesses must provide consumers with the ability to opt-out of having their data shared for purposes of cross-context behavioral advertising. “Do not sell” includes data shared between companies. However, the CPRA does allow businesses to charge users more for their services if the user opts-out of data sharing.

3. The CPRA both narrows and expands which businesses are required to meet data privacy requirements. While it hikes up the annual threshold of users (to 100,000 or more consumers or households) to classify as a business, it also creates a new category of entities to be regulated, “contractors.”

4. A new agency, the California Privacy Protection Agency, will be created to enforce and implement privacy law.

Why does this matter? As a consumer, this means you now have additional rights you can leverage in California to protect your privacy. As a business, this means you will need to adjust your CCPA compliance approaches to account for the additional requirements before those become operative on January 1, 2023.

(By Elena Ponte. Questions, comments, suggestions? Send them her way at: elena@zumolabs.ai or book a demo today.)

[1] Sam Dean. “California voters approve Prop 24, ushering in new rules for online privacy.” LA Times. November 3, 2020.

[2] Jacob Snow and Chris Conley. “Californians Should Vote No on Prop 24.” October 16, 2020. https://www.aclunc.org/blog/californians-should-vote-no-prop-24

[3] Lee Tien, Adam Schwartz, and Hayley Tsukayama. “Why EFF Doesn’t Support California Proposition 24.” July 29, 2020. https://www.eff.org/deeplinks/2020/07/why-eff-doesnt-support-cal-prop-24