Back to overview
05. March 2021

California Proposition 24 Passed: Now What?

One of the latest developments in US data privacy is the California Privacy Rights Act, or the CPRA. What’s changed, and what are we doing to address it?

As data privacy laws continue to evolve in the United States, Aparavi continues to ensure our platform’s compliance. One of the latest developments in US data privacy is the California Privacy Rights Act, or the CPRA. Widely referred to as Proposition 24, the name of the ballot initiative, this law expanded and added to the existing California Consumer Privacy Act (CCPA). So, what’s changed, and what are we doing to address it?

How the CPRA Impacts Data Privacy Compliance

Data Transfers

The biggest change to the CCPA has to do with how data is transferred between companies. Under the original text, businesses only had to comply if they “buy, receive, or sell” personal information. That covers two forms of data intake but only one form of data export. What if you simply give away your data?

That’s precisely what began to happen. Companies claimed that they weren’t actually selling data but rather simply sharing it with partners. Consumers could only stop companies from selling data outright, and since this was very easy to dodge, activist groups lobbied for the word “sharing” to be sprinkled throughout the text of the CPRA.

Now that Proposition 24 has passed, consumers have the right to prevent a company from sharing their data, not just selling it. You’ll need to be able to comply with these requests. Aparavi’s platform is ready to handle these situations. You can quickly label your data and prevent it from being shared according to consumers’ wishes.

New Consumer Rights

Originally, consumers gained the right to transparency: to know and access the personal information a company had on file. They could then exercise their right to ask the company to delete that information or prevent the company from selling it. Additionally, a very broad “right to non-discrimination” was included that essentially forces companies to treat all consumers equally, regardless of their status with the business.

Proposition 24 kept all of those rights in place and added a couple of new ones. The right to rectification requires companies to promptly rectify any erroneous information on file after a consumer notifies them about the error, or if it’s identified internally. Finding your files can be tricky unless you use a smart platform like Aparavi, which can parse all of your data and dig up even the most buried files.

Consumers also gained the right to limit the use and disclosure of sensitive personal information. This expands the definition of personal information by creating this “sensitive information” category. Sensitive personal information covers things like your SSJN and biometric information, as well as your location.

Changes to Enforcement

Perhaps one of the most glaring weaknesses of the original law was its lack of a true enforcement system. All violations were handled by the state attorney general. Asking the state’s top law enforcer to handle these violations was an impossible task, and lawmakers recognized this.

Proposition 24 created a whole new agency, the California Privacy Protection Agency (CPPA), which will provide guidance to businesses so they can become compliant, and fine those who don’t. Expect the number of fines to increase as this agency will have much more capacity to process complaints and pursue violators of the law.

Another change that could impact your business is the removal of the 30-day grace period. Under the original text, if you were caught violating the CCPA, you had 30 days to rectify the situation and prove that you were now compliant. Doing so could prevent a fine. Well, now that’s gone. If you break the law, you get fined immediately.

Fines and Punishment

Overall, the penalties for breaking the law haven’t changed much. The most significant change is the fine for mishandling information of underage Californians. Originally the fine was $2,500 per violation, and now it’s tripled to $7,500.

Using Aparavi, you can easily find data on minors with our powerful search tool. Once you’ve identified all of these files, you can lock them down and ensure your compliance.

Preventative Measures

The CPRA wisely includes a couple of preventative measures to keep breaches and violations from happening in the first place. However, these only apply to businesses that “present a significant risk” to consumer data privacy. Significant risk is determined by the size of the business and the volume of personal information they handle.

If your business qualifies, you’ll need to perform annual cybersecurity audits and send risk assessments to the CPPA in order to remain compliant. If you’re in doubt as to whether this applies to you, then you should contact the CPPA for more guidance on the issue.

One way to reduce your risk and impress the CPPA is to use a smart data management platform. Aparavi has built-in protocols for various data privacy laws, including the updates to California’s rules. With one click you can ensure your data is compliant.

Get a Demo Today

Data privacy laws are only going to continue to expand. Aparavi is committed to data privacy compliance and will always be ready for changes to the law. Your business can be ready too. Just call Aparavi or schedule an appointment for a demo to see how our platform can help you.

Learn more about CPRA in our webinar, CCPA 2.0