California voters passed Proposition 24, widely considered to be version 2.0 of the California Consumer Privacy Act (CCPA).
The CCPA was a ground-breaking piece of legislation for the US, the first of its kind to so vigorously protect the privacy of consumers. In many ways, the CCPA was the American equivalent of the EU’s GDPR. Although the law was unique to California, some industry leaders vowed to apply its protections to all customers, even those outside of California.
Proposition 24, officially known as the California Privacy Rights Act (CPRA), picks up where the CCPA left off, expanding the CCPA, closing loopholes and increasing protections even more.
One of the biggest changes is the creation of a new agency that will oversee the enforcement of the regulation. Another change is that the CPRA makes companies collecting data responsible for what any companies they share that data with do with it.
In addition, the CRPA differentiates between personally identifiable information and sensitive personally identifiable information, such as Social Security number, logins, precise location data and biometrics. This gives companies more options to fine-tune their marketing to use non-personal information, rather than lose access all-together.
The legislation includes many other improvements, including more opt-in requirements, limits on how long companies may retain personal information, limits to how sensitive personal information may be used, reasonable expectations data will be kept secure, legal options if companies fail to do so and more.
It’s a safe bet these increased measures and a dedicated enforcement agency will likely increase the CRPA’s reach even more than the CCPA’s. Since companies will be responsible for how third-party partners—including non-California partners—use data, many more companies will likely opt to apply CRPA protections to all of their customers in the interest of simplicity.