California passed Proposition 24, which made several changes and updates to the California Consumer Privacy Act (CCPA). Amendments to the original language[1] of the law are extensive and include clarifications and changes to all the major privacy rights consumers enjoyed under the initial law. The amendments were submitted by Alastair Mactaggart on Nov. 13, 2019. Mactaggart also submitted a proposal to include data privacy on the state ballot in 2018, which resulted in the California legislature adopting the CCPA later that year.
The changes seek to clarify a number of outstanding issues and, most importantly, create a California Privacy Protection Agency to take charge of data privacy issues. The initial law was unclear regarding enforcement and placed the responsibility solely on the shoulders of the state attorney general. The new language establishes a dedicated agency, explicitly states that consumers have the right to prohibit the sharing of personal data and delineates the rights laid out in the initial law. The measure still leaves the burden of opting out of collection of information on the consumer, which means consumers will have to navigate a web of privacy notices, cookie pop-ups and other spam in order to truly control their data. The amendments also do not give consumers direct rights to sue companies over violations, leaving that to the enforcement agency the amendments created.
The California Privacy Protection Agency
Section 24 of the amendments deals with the creation of the agency “vested with full administrative power, authority, and jurisdiction to implement and enforce the California Consumer Privacy Act” to “protect the fundamental privacy rights of natural persons with respect to the use of their personal information.”
The members of the agency are appointed by the governor of California, the state attorney general, the Senate Rules Committee, and the speaker of the assembly. Members of the agency’s board, according to the language of the law, should be Californians with expertise in technology, data protection and consumer rights. Members are also precluded from working with entities that went through an enforcement action or with any entity seeking to influence an action of the agency itself. Members are paid USD 100 per diem for their services.
The majority of the work the agency will be doing is educational and promotional, helping consumers and businesses understand their rights and obligations under the new law and also providing technical assistance to entities seeking to comply with the regulations or better understand them. The agency does have enforcement powers, which include the power to order an entity to cease and desist any violation and the power to impose fines of between USD 2,500 and USD 7,500 per violation, depending on the nature of the violation.
The agency, upon receiving a complaint, must also provide alleged violators of the law with at least 30 days’ written notice before attempting a ruling on probable cause. There is also a five-year statute of limitations for the agency to pursue violations of the CCPA as amended; fraudulent concealment extends this statute of limitations to the period of concealment.
The agency is funded by USD 5 million for fiscal year 2020-2021 and USD 10 million each year afterward.
The establishment of an agency dedicated to enforcing privacy laws will have an impact nationally. The CCPA is already a model for other states considering similar privacy legislation, and there are few companies that do business in the U.S. and do not do business in California; the refinement of the CCPA is another step toward a U.S. national data protection framework.
Takeaways
- California voted to adopt amendments to the CCPA passed in 2018.
- The amendments clarify several of the rights consumers and businesses enjoy, and also create an agency with enforcement powers dedicated to data privacy protection in California.