CCPA 2.0: How the CPRA or California Proposition 24 Could Impact Your Company’s Data Privacy

California enacted the CCPA (California Consumer Privacy Act) in 2018, the first-ever state-wide data privacy legislation in the United States. The CCPA only recently went into effect on January 1, 2020, and on July 1, 2020 the Attorney General began enforcing the CCPA. Although substantially different from the European Union’s GDPR, the CCPA was widely seen as a move toward GDPR-like levels of data privacy protection in the U.S.

However, some felt it didn’t go far enough. The California Privacy Rights and Enforcement Act (CPRA), also known as Proposition 24, or CCPA 2.0, which is slated to appear on this November’s ballot, is intended to address those concerns.

We’ll examine what Proposition 24 brings to the table and how it may affect your business if passed on November 3rd, 2020.

Shortcomings of the CCPA

Much of the content of Prop 24 was supposed to be included in the original CCPA. However, negotiations from the opposition pushed certain items off the table for the time being, some of which are now encompassed in November’s CPRA ballot initiative.

The CCPA gave Californians new rights regarding the protection of their personal data, including:

• The right to know what personal information a company collects about you, and how it is used
• The right to determine whether a company can sell your personal data
• The right to request that all of your personal information is deleted from a company’s servers
• The right to non-discrimination for requesting that a company comply with their rights under the CCPA

But, as many noted, the CCPA was far from perfect and left several loopholes that companies could exploit. The CPRA aims to plug those holes and strengthen data privacy overall.

Enforcement: The California Attorney General

The first issue with the CCPA pertained to the method of enforcement. Currently, under the existing CCPA, the California Attorney General’s office is in charge of issuing fines for non-compliance. Given that an AG’s office often has to deal with a high volume of other serious legal cases, some thought that the CCPA would not be adequately enforced.

One of the reasons the original CCPA hasn’t faced such staunch opposition from businesses was that the bill lacked teeth. It is difficult to envision an Attorney General’s office delivering punishing fines to Californian businesses in cyberspace. In fact, even though the law went into effect on January 1st, 2020, the law still prevented the AG from acting until July 1st.

Violation notices were sent out shortly after that date. In addition, the original CCPA allows businesses 30 days to correct their errors upon receiving notice.

Scope


Another issue with the original CCPA is which businesses are liable under the law. Currently the CCPA applies to any business that earns more than half of its revenue from selling personal information, or to any company that buys, receives, or sells the personal information of 50,000 or more consumers. Any company with more than $25 million in gross revenue is also within the scope of the CCPA.

Rather than admit liability under the CCPA, some companies argued they were simply “sharing” personal data with third parties, not selling or earning revenue from these transfers. Citizens only have the right to prevent the sale of their data under the CCPA, so companies could also dodge their obligations to citizens by using the “sharing” language.

We’ll dive into how Proposition 24 addresses these shortcomings below.

The Proposition 24 Ballot Initiative

An aggressive campaign that started in late 2019 pushed this proposition to the front of Californian political discussion. After acquiring enough signatures in May, the signatures were validated in June and the referendum was allowed. It will appear on the ballot in California during the 2020 election on November 3rd.

Will the ballot initiative pass? Most estimates suggest that yes, it will. Should the CPRA succeed, its new requirements would become effective at the start of 2021, but enforcement would not start until January 1, 2023.

To proactively anticipate the requirements of the new legislation, you should know what those changes mean for your business and how Aparavi can help you mitigate the headaches that come with increasing data privacy legislation.

Proposed Changes That Could Impact Your Company’s Data Privacy Obligations

Scope

If your company is already compliant with the CCPA and abiding by its rules, then you will not need to make major changes to how you manage your data. If you’re a small business that does not fall under the CCPA’s current rules, be mindful that sharing data will be considered the same as selling it, so this may require your company to become compliant. By adding that the sharing of information is the same as selling it many more companies will fall within the scope of the law.

Interestingly, the revised law allows companies to self-certify voluntarily to a newly created enforcement entity, the California Privacy Protection Agency, regardless of whether they meet any of these requirements. Let’s talk about that agency, because it’s probably the single most significant change to California’s data privacy.

Enforcement: The California Privacy Protection Agency (CPPA)


Should Proposition 24 pass, the bill would create a new government agency: the California Privacy Protection Agency (CPPA). Being its own agency with a specific scope and authority, fines for non-compliance become far, far more likely. We cannot emphasize this enough. In addition, Proposition 24, removes the 30-day period to cure violations, and instead calls for immediate fines.

With the expansion of what constitutes a violation of the law, Prop 24 will give the CPPA plenty to do.

Other Amendments that will Impact your Business

Here are some of the most important changes to the rules that will affect your company:

• First, since sharing has been added to every clause, you must respect a customer’s request to stop sharing their data.
• Next, you cannot retain data for longer than “reasonably necessary,” and it would be in your best interest to establish a transparent company policy with firm data deletion deadlines.
• The new proposition also takes the 50,000 user data threshold and raises it to 100,000, essentially increasing the size of businesses that are covered.
• In addition, the proposition expands covered data types to include “sensitive personal information” not just “personal information.” The rights are similarly expanded to include the right to correct and the right to restriction, bringing the CCPA closer in line with GDPR privacy rights.
• Another newly introduced requirement is proportionality, meaning a company’s use of personal or sensitive data should be proportional to the business need.
• Finally, it’s important to note that the amount of damages for the collection or sale of minors’ data is TRIPLED under the amendment.

For more information about CCPA 2.0, check out our webinar on the topic, available on-demand.

How Aparavi Can Help

Aparavi’s intelligent data management platform can help you to easily identify data on your company’s servers that falls under the scope of the CCPA or CPRA. We built this platform with modern data privacy laws in mind, and it is automatically updated as new data privacy laws are introduced or modified. The Platform’s smart policies help you automate data management to make compliance easier than ever. Call Aparavi today to find out more.