By almost 1.5 million votes, California voters approved Proposition 24, the California Privacy Rights Act of 2020 (“CPRA”). The CPRA amends and expands the California Consumer Privacy Act of 2018 (“CCPA”) and is affectionately referred to as “CCPA 2.0.” While the CPRA’s requirements do not take effect until January 1, 2023, the CPRA ushers in significantly more privacy protections for California residents, while also amending some of the CCPA’s jurisdictional requirements. Below, we touch on some of the CPRA’s requirements.
First, from a jurisdictional standpoint, one prong of the CCPA’s jurisdictional test previously made a business subject to the CCPA if it reached 50,000 California consumers. Practically speaking, this meant that a business with a website receiving on average 137 hits per day from California could be subject to the CCPA’s requirements. Under the CPRA, this threshold is bumped up to 100,000 consumers/households. This change benefits small and midsize businesses that would not otherwise meet the other jurisdictional requirements: having revenue above 25 million dollars per year, or receiving 50% of income from the sale of personal information of CA consumers.
Second, similar to GDPR, the CPRA establishes a new category of “sensitive personal information.” Under the CPRA, sensitive personal information includes an individual’s precise location, race, religion, sexual orientation, and specified health information, among others. With regard to this sensitive information, individuals will have greater control. The CPRA will allow individuals to opt out of a business’s use or disclosure of such sensitive personal information.
Third, the CPRA strengthens protections for minors, as it triples fines for violations involving minors under 16.
Lastly, the CPRA establishes the California Privacy Protection Agency. This agency will enforce and implement consumer privacy laws and can administer fines for businesses that violate California’s privacy laws.
Much like the CCPA, we expect the CPRA to evolve and change prior to the January 1, 2023 implementation date.