November 16, 2020

By: Karl E. Gerner and Steven M. Nakasone

While most of the attention has been focused on the presidential and congressional races, the passage of down-ballot propositions in California may substantially impact your business. By passing Proposition 24, Californians voted to amend and significantly expand the obligations on businesses already in effect under the California Consumer Privacy Act (CCPA) and to create and fund the California Privacy Protection Agency (CPPA) to take over administrative authority to implement and enforce the law.

If your business has not yet updated its privacy policy and established the internal procedures necessary to comply with the CCPA, it should do so immediately. The Attorney General has been enforcing the CCPA since July 1, 2020, and the dedicated new agency is likely to greatly increase enforcement capacity.

The newly amended law adds “Sensitive Personal Information” as a category of personal information that must be tracked and disclosed by a business, and creates additional consumer rights that companies must be able to honor, including:

  • right to correct personal information
  • right to know length of data retention
  • right to opt-out of advertisers using precise geolocation
  • right to restrict usage of sensitive personal information

The law removes the original CCPA’s provision allowing businesses 30 days to cure violations before penalization, and expands the private right of action for data breaches to include unauthorized access or disclosure of an email address and password or security question that would permit access to an account if the business failed to maintain reasonable security. The law also specifies that implementation of security procedures after a breach is not a cure.

The law introduces a new requirement that businesses must obtain permission before collecting information from consumers under 16 years of age, and permission from parents for consumers under 13 years of age. Previously, collection of this information did not require permission, but the law required that these practices be disclosed in the business’s public privacy statement and included restrictions around selling of this information.

While most of the law is set to take effect in 2023, businesses are still subject to the CCPA’s annual disclosure requirements. The addition of many new requirements means that businesses should begin preparing for this transition early, since establishing the IT infrastructure and operational procedures necessary to comply will require advance planning and budgeting, including a formal procedure to track privacy impacts from new vendors, products and processes.

Buchalter has a dedicated team of attorneys in its Data Privacy group who can assist companies in addressing the many legal and business issues that may arise in compliance with the CCPA and other privacy laws. Please feel free to contact any one of the following attorneys in our group:

Steven M. Nakasone
Karl E. Gerner
Frank X. Curci
Akana K. J. Ma
Weiss B. Hamid
Daniel J. Zarchy


This communication is not intended to create or constitute, nor does it create or constitute, an attorney-client or any other legal relationship. No statement in this communication constitutes legal advice nor should any communication herein be construed, relied upon, or interpreted as legal advice. This communication is for general information purposes only regarding recent legal developments of interest, and is not a substitute for legal counsel on any subject matter. No reader should act or refrain from acting on the basis of any information included herein without seeking appropriate legal advice on the particular facts and circumstances affecting that reader. For more information, visit www.buchalter.com.