What is CA’s Prop 24?
California’s Prop 24, or the California Privacy Rights Act (CPRA), is an expansion of the CA consumer privacy laws introduced by the California Consumer Privacy Act (CCPA), which went into effect on January 1, 2020.
Under Prop 24, businesses will be forced to follow much more stringent rules regarding how they collect personal privacy data, what they do with that data, how they store it, and how long they can utilize it for business-related purposes.
Prop 24 also introduces a series of new consumer privacy protection rights, and it includes the requirement that California must create a new Data Protection Agency, built specifically to review, regulate, and enforce CA’s data privacy laws.
Here’s a quick list of the data protection rule updates required by the passage of Proposition 24:
- California must build a new system used to enforce its consumer privacy laws
- Fines for violating children’s privacy will be tripled
- Consumers will gain even more control over their personal data
- Consumers will be able to sue companies who expose their email addresses or passwords, either by accident or by having them stolen, hacked, etc.
- New protections are being introduced to privacy laws to make it harder for lobbyists to change (weaken) them in the future
Why Was Prop 24 Created?
Prop 24 was created to add additional elements to the existing California Consumer Privacy Laws, introduced by the CCPA’s passage in 2018.
The new law created as a result of Prop 24’s passage will introduce a host of new regulations and limitations, one of the most important being that it will limit businesses from using sensitive personal information, like a consumer’s exact location, health information, race and religious affiliation for any purposes.
Prop 24 will also alter data retention rules, prohibiting businesses from storing personal data for “longer than necessary”.
There are a series of other important data protection regulations that Prop 24 introduces, which we’ll explain in detail below.
How is Prop 24 Different from the Current CA Privacy Law (CCPA)?
Prop 24 adds additional consumer protections to the previous CCPA rules, basically taking what CCPA started and making it even more powerful.
CPRA adds new protections for consumers and works to help prevent companies from watering down the protections introduced by the CCPA.
To understand exactly how the new CPRA law may impact you or your company, here’s a list of 20 ways that Prop 24 alters the CCPA’s existing privacy protections:
1. Purpose Limitation
Prop 24 will make it law that businesses can only use personal data for a specific, stated purpose. They will NOT be able to take your details for security purposes, for example, then use them for marketing purposes.
2. Storage Limitation
Prop 24 will prevent businesses from holding onto your personal data forever. Under the rules of the new law, businesses will only be allowed to collect and store your data for “as long as necessary”.
3. Data Minimization
Prop 24 states that businesses won’t be allowed to collect more info than is necessary and required, so they can’t collect everything they’re able to find out about you, simply because they want as much data as possible.
4. Chain of Custody
Prop 24 guarantees that any business which receives your personal data will have to offer the same level of personal privacy protection that the business which originally collected it ensured.
5. Reasonable & Appropriate Security Requirements
Prop 24 ensures that any business which collects your personal info must protect it, meaning that it will have significant liability if your data is leaked, hacked or otherwise exposed.
6. Deletion Expansion
Prop 24 adds to the CCPA deletion request protocols, requiring that businesses who have sold your information MUST tell the businesses they sold it to that they must delete it as well, if they receive a deletion request from you.
7. Right of Correction
Prop 24 adds the ability to allow you to correct information that any business has about you; under the current rules, you could be denied a loan or a job simply because a business has the wrong details about you.
8. Tripling Fines
Prop 24 triples the fines introduced by the CCPA for any violations involving children’s information. This means that any businesses that handle children’s personal data will need to be much more restrictive moving forward.
9. Sensitive Personal Info
Prop 24 adds the option for California consumers to stop usage of their most sensitive data, meaning data about their race, location, religion, union membership, genetics, biometrics, sexual orientation, etc.
10. Right to See ALL Personal Info
Prop 24 allows consumers to request that they see ALL personal data a business has collected on them, whereas the CCPA rule only allowed them to look at data going back 12 months.
11. Precise Geo-Location
Prop 24 makes it illegal for businesses to track individuals within around 250 acres of their current location, which will prevent businesses from being able to track your “precise geo-location”.
12. Automated Decision-Making
Prop 24 allows consumers to object to automated decision-making, and to request information about the logic businesses use for decision-making rules based on their personal data.
13. Removing 30 Day Right to Cure
Prop 24 removes the 30-day window that CCPA gave businesses, so they’ll now have to handle privacy violations immediately.
14. Right to Opt Out of Cross-Context Behavioral Advertising
Prop 24 will limit the ability of businesses to use retargeting strategies for digital advertising, meaning they won’t be able to show you ads based on your previous browsing behavior.
15. Creation of a Data Protection Agency
Prop 24 requires that California create a new data protection agency that will be solely tasked with protecting Californians’ data privacy, which is a huge expansion of protections compared to the CCPA. The new law removes exclusive enforcement by the CA Attorney General (AG) and instead lets 58 county DAs and 4 city DAs start enforcing the law via the Business & Professions Code Sec. 17200, affording the CA AG the option of intervening to take over any particular case.
16. Annual Cybersecurity Audits
Prop 24 requires that businesses with a high risk to consumer privacy and security run annual cybersecurity audits to ensure that they have proper data protections in place.
17. Annual Risk Assessments
Prop 24 requires that businesses with a high risk to consumer privacy and security run annual risk assessments, again, to ensure they’re doing a good job of protecting consumer privacy.
18. Chief Privacy Auditor
Prop 24 requires that the new Data Protection Agency includes a position of “Chief Privacy Auditor”, who will be the person in charge of auditing businesses for compliance with the new data protection laws.
19. Consumer Privacy Fund
Prop 24 requires the creation of a new account that will be funded via industry fines and annual interest, which can be used to fund additional consumer privacy protection initiatives, services, enforcement activity, etc.
20. Protections Against Weakening the Law
Prop 24 includes a provision that says any amendments in furtherance of consumer privacy can be adopted by a simple majority vote in the CA State Legislature.
To summarize, Prop 24 is far more comprehensive and much more detailed than CCPA, and the changes it introduces to CA privacy data protection laws need to be taken seriously by businesses.
Who Must Abide by Prop 24’s New Rules?
Prop 24 applies to the same businesses that the CCPA did.
Any business that meets any of the following conditions is regulated by CCPA and will thus need to abide by the new Prop 24 data protection laws:
- Has an annual gross income in excess of $25 million
- Receives, sells or shares personal information for 50,000 or more customers and consumers, households, or devices.
- Receives more than half of its annual revenue, whatever that may be, from sales of private consumer data
When Does Prop 24 Take Effect?
Prop 24 is set to go into effect on January 1st, 2023, but the new rules will apply to any personal information collected by businesses on or after January 1st, 2022.
It’s important to start taking the new rules introduced by CPRA seriously, and preparing your business to follow the new guidelines, because failing to enact these protections could lead to significant fines, fees and penalties.
What Fines, Fees and Penalties Does Prop 24 Include?
First, Prop 24 makes it much more likely that companies will be hit with fines, fees and penalties for violating consumer data protection rules, because it eliminates the 30-day remediation window offered by the previous CCPA law.
Under CCPA’s rules, businesses found to have breached consumer privacy laws were given a 30-day window to fix the problems before fines would be levied, but under Prop 24, businesses will be fined immediately for violating any of the data privacy protection rules.
This means that Prop 24 is likely to generate far more fines, fees and penalties, since businesses will need to take the rules more seriously, developing solutions to abide by them in advance.
CCPA rules included fines of up to $2,500 per data privacy violation, with up to $7,500 in fines for each intentional violation of data privacy laws, but Prop 24 takes this even further.
Prop 24 will leave the CCPA’s fine limits in place, but it will triple the fines for any violations related to children’s privacy, meaning that a violation of privacy rights related to children’s information will now come with a fine of up to $7,500 per violation.
How Will Prop 24 Be Enforced?
Prop 24 is going to be enforced by a new state agency created specifically to oversee, regulate and enforce CA state consumer privacy protection laws.
This agency will be tasked with investigating violations and assessing penalties, so you can expect to see far more legal activity on consumer privacy laws in the years ahead.
How Should My Business Respond to Prop 24?
If your business is impacted by the passage of Proposition 24, then you’ll need to review the changes and updates it introduces to CA consumer privacy protection laws, and you’ll need to start planning and updating policies and procedures to ensure that your company follows the new regulations.
If you have any concerns, questions, or uncertainties regarding the rules, or if you need assistance determining what your company needs to do to get compliant, then please consider scheduling a free consultation with MatrixPoint to learn more about our data protection consulting services.
We can help you understand the new CPRA rules and guidelines, help your organization adapt to the new regulations, and ensure that you’ll be in full compliance with the new law when it takes effect in 2023.