What is the California Privacy Rights and Enforcement Act?
The California Privacy Rights and Enforcement Act of 2020, also known as Proposition 24, provides California residents with legislation aimed at protecting the privacy of consumers by giving them greater control over businesses and corporations’ use of their personal information. More specifically. The CCPA grants California residents the rights to:
- Opt-out of any sale of their personal information.
- Request that a business deletes its personal information.
- Know what specific kinds of personal information businesses are collecting about them, whether these businesses are disclosing this information to third parties, and the business’s exact purpose for collecting this information in the first place, among other pertinent details concerning the business’s processing of personal information.
- Protect consumers from discrimination relating to the exercising of property rights.
While a previous California Privacy Rights Act or CCPA was passed in 2019, the 2020 legislation or CCPA 2.0 expands on the privacy rights granted to residents of the state. Speaking generally, the CCPA 2.0 amends the CCPA by heightening privacy protections, expanding the reach and scope of consumer rights laws, and establishing an enforcement agency to identify and act upon threats relating to consumer privacy through enforcement of the law. More particularly, improvements implemented with the CCPA 2.0 include:
- Allows consumers to actively prevent businesses from sharing their personal information with consent.
- Enables consumers to correct any inaccurate information they may discover
- Creates a new category of personal information such as sex, race, religion, etc., and gives consumers the right to restrict a business’s use of this new category.
- Triples the penalty for violating the privacy rights of minors.
- Mandates that businesses remain transparent about their use of profiling and automated decision-making.
- Prohibits businesses from retaining personal information for any amount of time that is longer than deemed necessary.
- Establishes the California Privacy Protection Agency to enforce the law and protect the privacy rights of consumers.
The California Privacy Protection Agency is tasked with vigorously enforcing the privacy rights of California residents by means of law enforcement. Moreover, the agency is comprised of appointed experts in privacy, consumer rights, and technology, and provides guidance to both businesses and consumers concerning the navigation of California privacy laws. Furthermore, the agency has the authority to investigate suspected violations of privacy laws, issue administrative fines and injunctions, and bring a civil action against alleged violators.
Who must comply with the CCPA?
The CCPA does not solely apply to businesses physically located within the state of California, as all businesses that impact California residents are forced to maintain CCPA compliance at all times. Under the CCPA, a business is defined to include any legal entity that engages in any of the following actions:
- Pursues a profit.
- Operates within the state of California.
- Determines the specific “purpose and means” by which the personal information of California residents is to be processed online.
- Complies with one or more of the following conditions, has an annual gross income of more than $25 million, annually receives, shares, buys, or sells the personal information of at least 50,000 households, consumers, or devices within the state of California, derives at least 50% of its annual revenue from the collection and sale of the personal information of California consumers
As such, the CCPA is geared primarily towards large data brokers, social networks, and data brokers. Conversely, small businesses or medium-sized businesses, non-profits, and individuals who engage in financial transactions with California residents will not meet the criteria stated above, and subsequently are exempt from maintaining compliance with the CCPA.
What are businesses’ obligations under the California Privacy Protection Act of 2020?
Under CCPA 2.0, obligations that businesses must adhere to include setting forth responsibilities that essentially function as privacy principles such as data security, purpose and storage limitations, and transparency. More specific responsibilities include:
- Imposing general duties on businesses that collect any form of personal information. This includes informing consumers of the collection of their personal information or data. The collection, use, retention, and eventual sharing of personal data must be “reasonably necessary and proportionate to” the specific purposes of processing and obligating businesses to implement effective security measures aimed at protecting the confidentiality, integrity, and availability of personal information concerning California residents.
- Specify the particular methods for limiting the sale, sharing, and use of a person’s sensitive information.
- Mandate rules for the notice, disclosure, deletion, and correction requirements.
Ultimately, it is up to both businesses and consumers to work together to ensure that personal and sensitive information is safeguarded at all times. While it is important that businesses respect the privacy rights of California residents, it is also imperative that consumers understand what their rights are and how to exercise them. What’s more, as the state of California continues to improve upon legislation as was the case with the CCPA 2.0, consumers must stay on top of these changes and the impact that they will have on their digital interactions in the future. As time goes on, more and more personal information will continue to be shared on the internet through various platforms, and no amount of legal precedent or legislation will ever be able to fully combat those who are looking to use this information for dubious purposes.