Proposition 24, the California Privacy Rights Act (“CPRA”) was enacted in November of 2022. The CPRA amended and clarified some of the existing provisions of the California Consumer Privacy Act (“CCPA”). It also created new consumer rights and imposed additional obligations on businesses that collect personal information from California consumers and meet the statutory threshold. Finally, the CRPA created the California Privacy Protection Agency (“Agency”) and transferred all rulemaking and enforcement authority from the California attorney general to the Agency.

The new consumer rights and additional obligations include:

• The right to opt out of sharing personal information.
• The right to opt out of certain uses and disclosures of “sensitive personal information,” which is defined as Social Security numbers, driver’s licenses, state ID cards, or passport numbers; account log-ins, financial accounts, debit cards, or credit card numbers in combination with a security or access code, password or credentials; your precise geolocation; your racial or ethnic origin, religious or philosophical beliefs, or union membership; the contents of a consumer’s email and text messages, unless the business is the intended recipient of the communications; a consumer’s genetic data; a consumer’s biometric data, in certain circumstances; a consumer’s health data; and data concerning a consumer’s sex life or sexual orientation.
• The right to correct or update inaccurate personal information.
• The right to review a company’s information practices, including information about data retention periods.
• Restrictions of data retention, data minimization, and the purpose for which the data is collected.
• Companies are required to pass on deletion requests to service providers, contractors and third parties to which the company has sold or shared information. The CPRA also requires that these provisions be included in contracts with service providers, contractors, and any third parties.
  

The CPRA applies to companies that do business in the state of California, and/or collect personal information from California consumers, even if your company does not maintain physical presence within the state. Non-profit companies are not subject to the requirements.

The Threshold:

• Applies from the beginning of the calendar year if the company exceeded $25 million in gross revenue in the preceding calendar year.
• The company buys, sells, or shares the personal information of 100,000 or more consumers or households within a 12-month period.
• The company derives 50% or more of its annual revenue from selling or sharing consumers' personal information.
  

If any of the thresholds are met, the company will be subject to the provisions of the CPRA. If your company is involved in collecting personal information for any reason and meets the statutory thresholds you should consider how your company will comply with the CPRA as soon as possible. These steps include:

• Evaluating your data collection policies and procedures.
• Updating privacy notices on your website.
• Implementing mechanisms for honoring consumer requests.
• Reviewing contracts with service providers, contractors and third parties.
• Updating data minimization policies and data retention principles.
• Conducting data protection impact assessments.
  

The CPRA may be enforced beginning on July 1, 2023, and only as to violations that occur on or after that date. Given ongoing rulemaking activity, businesses need to remain flexible to be able to shift their compliance strategies accordingly.