California's Proposition 24
The California Privacy Rights and Enforcement Act of 2020, also known as Proposition 24, was passed by California voters on Tuesday. Summarized by the California Secretary of State, Proposition 24:
Permits consumers to: prevent businesses from sharing personal information, correct inaccurate personal information, and limit businesses’ use of "sensitive personal information," including precise geolocation, race, ethnicity, and health information. Establishes California Privacy Protection Agency.
Even before this new expansion, the California Consumer Privacy Act of 2018 (CCPA) was a monumental initiative aiming to protect and regulate the sale and use of consumer data. Importantly, the mandates set by the CCPA affect any company that handles Californian residents’ personal data—with penalties for any non-compliance—regardless of a company’s home state or country. Much like the European Union’s General Data Protection Regulation (or GDPR), the CCPA has a ripple effect that is forcing companies to rethink their privacy and security measures.
According to Business Insider, Proposition 24 would expand the existing framework set forth by the original CCPA, in that it will:
• Create a broad category of "sensitive" personal data—a designation that includes such things as a person's racial or ethnic origin, their genetic data, their sexual orientation, and information about their health, among other information—which consumers can limit to approved uses.
• Give consumers the right to correct information businesses have on them.
• Strengthen opt-in requirements for data on children, with stronger penalties for forbidden use or sharing.
• Provide an opt-out for "cross-context behavioral advertising," defined in CPRA as targeted advertising based on users' personal information that was collected across a variety of digital touchpoints, such as websites, apps, and services.
Notably, the new provisions in Proposition 24 center around protecting consumer data with no new language added regarding additional protections for personal employee data.
As it stands, the rest of the country has not caught up with California’s CCPA initiatives; however, a new federal bill was put forth by the U.S. Senate in September, the Setting an American Framework to Ensure Data Access, Transparency, and Accountability (SAFE DATA) Act. Outlined on the U.S. Senate’s website, the proposed bill would require organizations nationally to take additional measures to protect consumer data while allowing consumers to have more direct control of their data. Additionally, it would give the Federal Trade Commission more expansive oversight in regulation and enforcement of noncompliance with these laws.
With these regulatory changes, organizations should be proactive in the management and implementation of their data privacy programs. This election is just another indicator that the public and the government are going to be pushing for more privacy regulation in the future.