Prop 24 passes in California What is it? What does it mean for privacy?

The United States election of November 3, 2020 featured a big win for consumer privacy. 56% of California residents approved Proposition 24 by voting “Yes” to the measure on their ballots. So, what is Prop 24, what does it mean for privacy, and how should all states, not just California, prepare for it? 

What it is

The approval of Prop 24 means that the California Consumer Privacy Act (CCPA), which was signed into law in mid-2018, will be amended to become the California Privacy Rights Act (CPRA). The provisions of Prop 24 allow Californians the ability to tell businesses not to sell or share particular categories of sensitive information, such as race, religion, health, location, and biometric. The CPRA also makes explicit that companies cannot share/sell data between each other. Fines have been tripled from their original value for any violations of data in which the consumer is under 16 years old.

Additionally, the CPRA requires businesses to obtain permission from the consumer before collecting their data if they are under 16, and permission from a parent or guardian if the consumer is under 13.

The amendment establishes the California Privacy Protection Agency, a new enforcement agency for California privacy laws.

What it means

California continues to pioneer progressive laws for privacy, and with the passage of Prop 24, it continues to set the standard. Several other states have tried to pass their own version of a consumer privacy law, but none has been quite as strong.

Undoubtedly, CPRA will impact tech companies that rely on collecting data to sell to advertising partners. This makes up the bulk of revenue for such companies, and likely will require tech companies to embrace an evolving profit strategy to navigate the new regulatory climate.

But this law extends beyond the tech giants.

While some companies have extended their standards for CCPA protections to all states, they are not required to do so, and are not required to do so at a federal level. With that being said, any companies that do business with Californians do need to pay attention, and to plan now to comply with CPRA.

Even for companies that do not do business with California residents, Prop 24 provides food for thought. With the passage of another strong privacy law by California, it might be the start of a federal legislation that would affect all businesses.

How to Prepare

The CPRA will not officially be enforced until January 2023, but preparation can and should begin as early as possible, especially for any companies already doing business with California residents.

Here are some ways to begin preparing for CPRA:

• Awareness - Ensure that appropriate members of your organization are aware of the new regulation, and consider how it impacts the business.
  • This includes all level of employees, from the decision-makers to the personnel who might handle relevant data.
• Policies and Procedures - Review privacy policies and procedures already in place and update them as needed to reflect CPRA requirements.
  • Key to this preparation step is reviewing that these privacy policies cover all rights to individuals (such as an opt-out option).
• Data Mapping – Understand the nature and extent of personal data acquired and held by the business. 
  • Especially any data from California residents.
  • In general, gain an understanding of the personal data held, where it comes from, and who it might be shared with.
  • This data should be inventoried if possible and reviewed by an appropriate authority, determining business justification.
• Technical Controls - Review your data protection controls and determine how they can be strengthened to avoid breaches and stringent fines.
• Seek Expertise - Reach out to a trusted and knowledgeable authority, such as Schneider Downs, to help you prepare to and continue to maintain compliance with CPRA.