California’s passage of Proposition 24 sets the stage for a statewide privacy agency. More specifically, the California Privacy Rights Act (“CPRA”) is somewhat broader than the California Consumer Privacy Act (“CCPA”) currently in place.
But wait, what’s the structure of the agency?
- Five board members appointed by the governor, attorney general, U.S. Senate Committee on Rules and Administration, and speaker of the Assembly. They’ll need to be “Californians with expertise in the areas of privacy, technology, and consumer rights.” Generally, these members are limited to a term of eight consecutive years.
- The agency will also consist of an executive director, appointed by the board, and a chief privacy auditor. According to IAPP, “staff support for the agency is to be provided by the attorney general until it is able to hire its own staff.”
And… how will this agency be funded?
- IAPP confirms that the agency will be funded from California’s General Fund: $5 million in the first fiscal year and $10 million in each fiscal year after.
Got it, but what will this agency be doing?
Investigations and Enforcement:
- The agency will investigate violations either “on its own initiative” or upon receiving a “sworn complaint.”
- There are a few factors the agency will consider when deciding whether to investigate or to give the potential violator time to cure the problem: (1) whether there was an intent to violate the law and (2) whether the potential violator made any efforts to cure the issue before becoming aware of the complaint.
- According to IAPP, the agency will also have the “power to subpoena witnesses and the production of documents, compel witness attendance and testimony, and take evidence (1798.199.65).” Plus, “its auditing authority will be the subject of future regulation (1798.185(a)(18)).”
- Once there is probable cause of a violation, the agency will hold an administrative hearing.
- CPRA also says the agency will be responsible for promoting “public awareness and understanding of the risks, rules, responsibilities, safeguards, and rights in relation to the collection, use, sale and disclosure of personal information, including the rights of minors with respect to their own information, and provide a public report summarizing the risk assessments filed with the Agency.”
- CPRA also describes how the agency will “provide guidance to consumers regarding their rights …”
So, what’s the sanction if there’s a violation found from the agency’s investigation?
- According to IAPP, the agency can either: “(1) cease and desist; and/or (2) pay an administrative fine of up to $2,500 per violation or up to $7,500 for each intentional violation and each violation involving the personal information of minor consumers.”
What are some of the other changes?
According to OneTrust, these are the major differences between CCPA and CPRA:
- Allow consumers to prevent businesses from sharing their personal information.
- Enable consumers to correct inaccurate personal information.
- Create a new category of sensitive personal information, such as race, ethnicity, religion, genetic information, sexual orientation, precise geolocation, and financial information, and give consumers the right to restrict businesses’ use of that information.
- Triple penalties for violating the rights of minors.
- Require businesses to be transparent about their use of automated decision-making and profiling.
- Prohibit businesses from retaining personal information for longer than is reasonably necessary.
- Establish the California Privacy Protection Agency to enforce the law and protect consumers’ privacy rights.
- Executive Summary of GDPR vs CPRA, Tom Kemp
- CPRA’s top-10 impactful provisions, Caitlin Fenessey
- How CPRA Is Forcing Privacy To Become A Part Of Good Business, Jodi Daniels
- What Does the CPRA Mean for Your Privacy Program?, OneTrust
- CPRA analysis: The ‘good’ and ‘bad’ news for CCPA-regulated ‘businesses’, Jim Halpert, Marc Berrios, Lael Bellamy