On Election Day, California voters supported Proposition 24, the “California Privacy Rights Act of 2020” (CPRA). This voter initiative amends California’s privacy laws and creates a new regulatory body to enforce the CPRA, among other important aspects of the law. Garnering less attention but no less important are the CPRA provisions that relate to the responses of businesses in connection with criminal investigations.
Prop 24 amends the “exemptions” that previously existed under California law with respect to business operations governed by the CPRA. Under the newly approved Section 1798.145 of the California Civil Code, businesses will now have additional responsibilities and opportunities to cooperate with criminal investigations as follows:
- Subpoenas. The prior iteration of the CPRA provided only that it did not restrict businesses’ abilities to comply with federal, state, or local laws. Prop 24 makes express that nothing in the CPRA prohibits businesses from “comply[ing] with a court order or subpoena to provide information.” Therefore, if a business receives a subpoena, including in connection with a criminal investigation, the CPRA may not provide a basis to refuse to comply, and businesses may need to address the validity of the subpoena independent of the CPRA.
- Preservation Requests. Prop 24 creates a new obligation for businesses to comply with requests to preserve information from a law enforcement agency (LEA) for up to 90 days, and possibly more, even if the consumer has requested the information be deleted. Specifically, an LEA “may direct a business pursuant to a law enforcement agency approved investigation with an active case number not to delete a consumer’s personal information, and upon receipt of that direction, a business shall not delete the personal information for 90 days in order to allow the law enforcement agency to obtain a court-issued subpoena, order, or warrant to obtain a consumer’s personal information.” The 90-day preservation period can be extended for additional 90-day periods if an LEA, “for good cause and only to the extent necessary for investigatory purpose,” directs businesses to continue to preserve consumer information. Prop 24 does not expressly limit the number of additional 90-day preservation periods.
During the time the business is preserving the information, the business cannot use the information for any purpose beyond cooperation with the LEA unless a different exemption applies. This may require businesses to develop new protocols to ensure that information that would otherwise have been deleted but is preserved pursuant to the directive of an LEA is segregated from other consumer data that may be used for other purposes.
- Continued Cooperation with Law Enforcement on Suspected Criminal Activity. Prop 24 leaves undisturbed the prior iteration of the CPRA that permitted businesses to “[c]ooperate with law enforcement agencies concerning conduct or activity that the business, service provider, or third party reasonably and in good faith believes may violate federal, state, or local law.” Thus, businesses will still need to determine whether and when to contact an LEA if the business suspects there are criminal violations discovered by the business in connection with consumer data.
- Law Enforcement Emergency Requests for Information. Prop 24 also creates a new situation where an LEA is permitted on an emergency basis to request access to a consumer’s personal information even without a subpoena or court order. Specifically, Prop 24 provides that the CPRA does not restrict businesses’ ability to “[c]ooperate with a government agency request for emergency access to a consumer’s personal information if a natural person is at risk or danger of death or serious physical injury.” For this emergency access situation to apply, three criteria must be met: (1) the request must be “approved by a high-ranking agency officer,” (2) the “request is based on the agency’s good faith determination that it has a lawful basis to access the information on a nonemergency basis,” and (3) “[t]he agency agrees to petition a court for an appropriate order within three days and to destroy the information if that order is not granted.”
With Prop 24 having passed, businesses will need to assess how these new obligations to cooperate with criminal investigations will impact their operations, and the procedures they will need to put in place to meet these obligations. While questions remain about whether a business is permitted to decline the emergency requests, or if the business faces potential exposure when responding to a request for emergency access if the LEA cannot show the request was necessary for an investigation, these will likely be answered by the courts and policymakers as situations arise under the CPRA. In the meantime, along with all the other additional obligations under the CPRA, businesses will need to have procedures in place by 2023 to navigate how to respond to requests from LEAs for access to consumer information in connection with criminal investigations.