California Privacy Rights Act

Proposition 24: Privacy Rights and Enforcement Act Initiative
November 3, 2020

Results
Choice    Votes        %
Yes       9,384,125    56.23%
No        7,305,026    43.77%

The California Privacy Rights Act of 2020 (CPRA), also known as Proposition 24, is a California ballot proposition that was approved by a majority of voters after appearing on the ballot for the general election on November 3, 2020. [1] [2] [3] This proposition expands California's consumer privacy law and builds upon the California Consumer Privacy Act (CCPA) of 2018, which established a foundation for consumer privacy regulations. [4]

The proposition enshrines more provisions in California state law, allowing consumers to prevent businesses from sharing their personal data, correct inaccurate personal data, and limit businesses' usage of "sensitive personal information", which includes precise geolocation, race, ethnicity, religion, genetic data, private communications, sexual orientation, and specified health information. The Act creates the California Privacy Protection Agency as a dedicated agency to implement and enforce state privacy laws, investigate violations, and assess penalties against violators. [5] The Act also removes the set time period in which businesses can correct violations without penalty, prohibits businesses from holding onto personal data for longer than necessary, triples the maximum fines for violations involving children under the age of 16 (up to $7,500), and authorizes civil penalties for the theft of specified login information. [6] [7]

The California Privacy Rights Act took effect on January 1, 2023, applying to personal data collected on or after January 1, 2022. [8] The law cannot be repealed by the state legislature, and any amendments made by the legislature must be “consistent with and further the purpose and intent” of the Act. [9]

Background

As technology has become more integrated into daily life, lawmakers around the world have pushed for greater regulation of data privacy. [10] Beginning in 1950, the European Convention on Human Rights asserted that data privacy should be subject to legal protections. [10] [11] Several episodes of unknown use and sale of consumer data, such as the Cambridge Analytica scandal, have led US lawmakers to pursue better data privacy protections, particularly at the state level. [10] [12] Additionally, the EU’s passage of the General Data Protection Regulation (GDPR) in 2018 spurred greater interest in adopting a similar measure in the US. [11] The GDPR is the strictest data privacy law in the world, with few exceptions and hefty fines. In California, these concerns manifested as the California Consumer Protection Act, somewhat modeled on the EU’s GDPR. [11]

The CCPA’s initial drafting and placement on the 2018 ballot were led by Alastair Mactaggart. [12] He later came to an agreement with Californian lawmakers to pass a scaled-back version of the CCPA, which was ultimately signed into law by Governor Brown. Although passed in 2018, the CCPA would not come into effect until January 1, 2020. [11] In 2020, Proposition 24, or the CPRA, appeared on the California ballot. The CPRA was designed to amend the CCPA to expand consumer data privacy. [13] Most notably, the CPRA altered the criteria that subject a business to its rules and established the California Privacy Protection Agency to take the lead on enforcement of the CCPA. [11] The CPRA was passed with 56.2% of California voters in favor of the proposition and went into effect on January 1, 2023. [14]

The initiative represents an expansion of provisions first laid out by the California Consumer Privacy Act. Key changes include requiring businesses to obtain permission from consumers younger than 16 before collecting their data and permission from a parent or guardian before collecting data from consumers younger than 13. [15] [16] The CPRA also altered the CCPA to apply to businesses buying, selling, or sharing personal information of 100,000 or more consumers compared to the previous 50,000 or more. [15] In addition to the consumer protections, the proposition creates the California Privacy Protection Agency. [4] The agency initially shared consumer privacy oversight and enforcement duties with the California Department of Justice. [4]

Purpose and intentions

The overall intention of the Act is to resolve information asymmetry between consumers and businesses concerning the use of personal information. To that end, the key rights of the Act include:

  1. Control the use of personal information and limit the use of sensitive personal information through the right to opt out of sale.
  2. Correct, delete, and transfer personal information.
  3. Use easily accessible self-serve tools to opt out of sale or limit use of personal data.
  4. Exercise privacy rights without being penalized or discriminated against.
  5. Hold businesses accountable for failing to take reasonable information security precautions.
  6. Know who is collecting a child's personal information, how it is being used, and to whom it is disclosed. [17]

The primary purpose of the CPRA is to further protect personal consumer information. [10] The act defines consumer information as any information that could reasonably identify or be related to a specific person or household. [10] [17] This includes names, addresses, email addresses, social security numbers, and characteristics defined as being protected under California and federal law, such as race, gender, or religion. [17] The CPRA also alters the criteria for businesses to be subject to the act. The act applies to businesses meeting any of the three following criteria: (1) has $25 million in annual gross revenue in the preceding year; (2) buys, sells, or shares the personal information of 100,000 or more consumers or households; (3) earns the majority of its revenue (50% or more) from selling or sharing personal consumer information. [11] [17]

The ability to revoke consent for a business to sell or share a consumer's information through easily accessible tools is an integral part of the CPRA's modification of the CCPA. The CPRA mandates that a business's homepage must clearly display a link titled "Do Not Sell My Personal Information." [17] A business may not require a consumer to make an account or go through multiple steps to opt out. [17] This right essentially permits Californian consumers to require businesses to stop selling their information, thereby preventing the kinds of misuse and unknown sales of personal data that spurred the creation of the CCPA. [10]

Results

The proposition passed with roughly 55% of California voters voting in favor of the measure. [18]

References

1. Dustin, Gardiner (September 21, 2020). "California's Proposition 24 would protect data-privacy law from being weakened in Legislature". San Francisco Chronicle. Retrieved September 24, 2020.
2. "Text of Proposed Laws - Proposition 24" (PDF). California Secretary of State.
3. Hooks, Chris Nichols, Kris. "What We Know About California Proposition Results". www.capradio.org. Retrieved 2020-11-11.
4. "California Consumer Privacy Act (CCPA)". State of California - Department of Justice - Office of the Attorney General. 2018-10-15. Retrieved 2020-11-09.
5. "California Proposition 24: New rules for consumer data privacy". CalMatters. 9 September 2020. Retrieved 2020-11-09.
6. "California Proposition 24, Consumer Personal Information Law and Agency Initiative (2020)". Ballotpedia. Retrieved September 24, 2020.
7. "Proposition 24 Official Title and Summary | Official Voter Information Guide | California Secretary of State". voterguide.sos.ca.gov. Retrieved 2020-12-10.
8. "Move Over, CCPA: The California Privacy Rights Act Gets the Spotlight Now". news.bloomberglaw.com. Retrieved 2020-12-10.
9. "The California Privacy Rights Act (CPRA) Has Been Enacted into Law". www.paulhastings.com. Retrieved 2020-12-10.
10. Saquella, Alexandria J (January 2020). "Personal Data Vulnerability: Constitutional Issues with the California Consumer Privacy Act". Jurimetrics. 60 (2): 215–45 via EBSCOhost.
11. Lisowski, Jena (March 1, 2024). "California Data Privacy Law and Automated Decision-making". The Journal of Corporation Law. 49 (3): 701–26 via EBSCOhost.
12. Rothstein, Mark A.; Tovino, Stacey A. (September 2019). "California Takes the Lead on Data Privacy Law". Hastings Center Report. 49 (5). doi:10.1002/hast.1042. ISSN 0093-0334.
13. "Text of Proposed Laws" (PDF). California Secretary of State. Retrieved July 23, 2024.
14. "Complete Statement of the Vote" (PDF). California Secretary of State. December 11, 2020. Retrieved July 22, 2024.
15. "Text of Proposed Laws" (PDF). California Secretary of State. Retrieved July 23, 2024.
16. "Qualified Statewide Ballot Measures". Secretary of State of California. Retrieved July 2, 2020.
17. "Text of Proposed Laws" (PDF). California Secretary of State. Retrieved July 23, 2024.
18. Morrison, Sara (2020-11-03). "Live results for California's data privacy ballot initiative". Vox. Retrieved 2020-11-08.