The California Privacy Rights Act, CPRA, AKA Prop 24, was approved by voters on November 3rd. This is a continuing story on its potential impact.
Some simple answers first:
When does it go into effect: January 1, 2023.
Who has to comply: That is still murky. There was a $25 million revenue minimum in CCPA and that is still here. It now says that the revenue was for the prior year, but it does not say whether that is California revenue or worldwide revenue. Do you feel lucky?
Number of records: That number has doubled from 50,000 to 100,000, but for most companies, that is still a small number of visitors to a website. It also now excludes devices in the count, so that adds some relief to the number. It is still a small number.
Revenue: CCPA only counts revenue from selling data, but companies like Facebook don’t sell your data – so they tried to claim they were exempt. CPRA says revenue from sharing your data (a new term) is now included in the calculation.
Commonly controlled entities: The new law says that you only have to add numbers together for commonly controlled entities if the entities have common branding and consumers are likely to understand that the entities re the same company.
New data category: sensitive information: Like GDPR in Europe, there is now a category of sensitive information that includes your ID numbers, financial information, account credentials, geolocation data, race and ethnicity , biometric information, health information and sexual orientation. That is a lot of the information that companies collect today.
New right: Limit the use of my sensitive information: This right says that a resident can say that they only want the business to use sensitive information to perform the function that I asked you to perform. This may require a new, special, opt-out link.
New right: Correct my information. Somehow CCPA forgot this one. Now residents will have the right to have their information corrected and businesses will need to track these requests.
Opt out rights expanded. The new law allows not only the right to opt of sale but also the right to opt out of sharing data for behavioral advertising purposes, whether money changes hands or not.
Expanded right to deletion: Under the new law, you now have to track everyone that you share data with. If someone asks you to delete their data, you have to get third parties to delete that data too.
Watch for part 3. This law is a bit of a beast. Getting ready now is a good plan.
Credit: The Jones Day law firm