On November 3, Californians will get the chance to have their voices heard on data privacy. The current law in place regarding data privacy is the California Consumer Protection Act (CCPA), which is also the result of a ballot initiative from 2018. The California Privacy Rights Act (CPRA) is a ballot initiative, Measure 24, that will give Californians even more privacy protections than the CCPA. Similar to the CCPA, the CPRA is only applicable to residents of California.
Got a legal question?
Get legal advice in minutes. Real Lawyers. Real Answers. Right Now.
What is the CCPA?
The CCPA is a new California law that took effect January 1, 2020. It applies to for-profit entities that collect and sell consumer information or disclose personal data for business purposes. For businesses to fall within the scope of the CCPA, they must meet one of the following criteria:
- The company makes $25 million or more in gross revenue
- The company possesses the data of more than 50K consumers, households or devices
- The company earns more than half of its annual revenue selling consumers’ personal data
Does the CPRA apply to my company?
The CPRA has a higher threshold for companies that fall under its definition of a “business”, which will allow many small businesses to not fall under the scope of the CPRA, yet they must remain compliant under the CCPA until 2023 even if the CPRA passes. Businesses that would fall under the new definition of business would be those that meet one of the following criteria
- $25 million annual gross revenue the previous calendar year
- Increased the threshold from the CCPA from 50,000 consumers, households, or devices to 100,000
- Derives 50% or more of its revenue from selling or sharing consumers’ personal information
What is the difference between the CCPA and the CPRA?
If the CPRA passes, it will replace the CCPA but not until January 2023 and is only applicable to data collected after January 2022. The CPRA extends the CCPA exemptions for employee and b2b communications. The CRPA adds to the current data categories of the CCPA and adds a subcategory of “sensitive personal information” that gives consumers authority to limit the use and disclosure of government identification information, religious beliefs, race, geolocation, biometric information and sexual orientation. One of the main criticisms of the CPRA is the pay for privacy model, where companies are given the ability to charge more for their services or change the services provided based on the service package selected.
What new rights are there under the CPRA?
If the CPRA passes, consumers will gain the following rights:
- Correct inaccurate personal information
- Consumers under 16 years of age cannot have their information sold or shared without affirmative consent from either the individual (if they are at least 13) or from their parent or guardian (if younger than 13)
- Limitations on the use and disclosure of sensitive personal information
- Knowledge of how long their data will be retained
If this passes, what does my company need to do?
If you have any questions regarding data privacy and your company, it is suggested that you speak with an attorney.
This article contains general legal information and does not contain legal advice. Rocket Lawyer is not a law firm or a substitute for an attorney or law firm. The law is complex and changes often. For legal advice, please ask a lawyer.