Prop 24 passes in California What is it? What does it mean for privacy?

The United States election of November 3, 2020 featured a big win for consumer privacy. 56% of California residents approved Proposition 24 by voting “Yes” to the measure on their ballots. So, what is Prop 24, what does it mean for privacy, and how should all states, not just California, prepare for it? 

What it is

The approval of Prop 24 means that the California Consumer Privacy Act (CCPA), which was signed into law in mid-2018, will be amended to become the California Privacy Rights Act (CPRA). The provisions of Prop 24 allow Californians the ability to tell businesses not to sell or share particular categories of sensitive information, such as race, religion, health, location, and biometric. The CPRA also makes explicit that companies cannot share/sell data between each other. Fines have been tripled from their original value for any violations of data in which the consumer is under 16 years old.

Additionally, the CPRA requires businesses to obtain permission from the consumer before collecting their data if they are under 16, and permission from a parent or guardian if the consumer is under 13.

The amendment establishes the California Privacy Protection Agency, a new enforcement agency for California privacy laws.

What it means

California continues to pioneer progressive laws for privacy, and with the passage of Prop 24, it continues to set the standard. Several other states have tried to pass their own version of a consumer privacy law, but none has been quite as strong.

Undoubtedly, CPRA will impact tech companies that rely on collecting data to sell to advertising partners. This makes up the bulk of revenue for such companies, and likely will require tech companies to embrace an evolving profit strategy to navigate the new regulatory climate.

But this law extends beyond the tech giants.

While some companies have extended their standards for CCPA protections to all states, they are not required to do so, and are not required to do so at a federal level. With that being said, any companies that do business with Californians do need to pay attention, and to plan now to comply with CPRA.

Even for companies that do not do business with California residents, Prop 24 provides food for thought. With the passage of another strong privacy law by California, it might be the start of a federal legislation that would affect all businesses.

How to Prepare

The CPRA will not officially be enforced until January 2023, but preparation can and should begin as early as possible, especially for any companies already doing business with California residents.

Here are some ways to begin preparing for CPRA:

  • Awareness - Ensure that appropriate members of your organization are aware of the new regulation, and consider how it impacts the business.
    • This includes all level of employees, from the decision-makers to the personnel who might handle relevant data.
  • Policies and Procedures - Review privacy policies and procedures already in place and update them as needed to reflect CPRA requirements.
    • Key to this preparation step is reviewing that these privacy policies cover all rights to individuals (such as an opt-out option).
  • Data Mapping – Understand the nature and extent of personal data acquired and held by the business. 
    • Especially any data from California residents.
    • In general, gain an understanding of the personal data held, where it comes from, and who it might be shared with.
    • This data should be inventoried if possible and reviewed by an appropriate authority, determining business justification.
  • Technical Controls - Review your data protection controls and determine how they can be strengthened to avoid breaches and stringent fines.
  • Seek Expertise - Reach out to a trusted and knowledgeable authority, such as Schneider Downs, to help you prepare to and continue to maintain compliance with CPRA.


You’ve heard our thoughts… We’d like to hear yours

The Schneider Downs Our Thoughts On blog exists to create a dialogue on issues that are important to organizations and individuals. While we enjoy sharing our ideas and insights, we’re especially interested in what you may have to say. If you have a question or a comment about this article – or any article from the Our Thoughts On blog – we hope you’ll share it with us. After all, a dialogue is an exchange of ideas, and we’d like to hear from you. Email us at [email protected].

Material discussed is meant for informational purposes only, and it is not to be construed as investment, tax, or legal advice. Please note that individual situations can vary. Therefore, this information should be relied upon when coordinated with individual professional advice.

© 2023 Schneider Downs. All rights-reserved. All content on this site is property of Schneider Downs unless otherwise noted and should not be used without written permission.

our thoughts on
President Biden Signs Executive Order on Safe, Secure, and Trustworthy Artificial Intelligence
What are the OCC’s Key Areas of Focus for Fiscal Year 2024?
Americans with Disabilities Act – What to Know about Web Content Accessibility Guidelines 2.1
Prevention and Detection – Key Methods to Protect Against Identity Fraud
Top 5 Identity Fraud Schemes of 2023
Identity Theft vs. Identity Fraud – What’s the Difference?
Register to receive our weekly newsletter with our most recent columns and insights.
Have a question? Ask us!

We’d love to hear from you. Drop us a note, and we’ll respond to you as quickly as possible.

Ask us
contact us

This site uses cookies to ensure that we give you the best user experience. Cookies assist in navigation, analyzing traffic and in our marketing efforts as described in our Privacy Policy.