On November 3, 2020, California voters convincingly approved the California Privacy Rights Act (“CPRA”) ballot initiative. The CPRA builds upon and amends the California Consumer Protection Act (“CCPA”), aligning it more with the EU’s General Data Protection Regulation (“GDPR”) and expanding the privacy rights of California residents. Although the CPRA does not come into effect until January 1, 2023, its provisions apply to personal information collected by a covered business on or after January 1, 2022. Businesses that have already established a CCPA compliance program should familiarize themselves with the CPRA to understand what changes to existing procedures may be required, while business that are still working on implementing CCPA compliance measures should consider the impact of the CPRA on their compliance plans.
We outline below some of the CPRA’s key provisions, and offer insight on what businesses must do to comply with the CPRA.
Scope And Definitions
- Narrows the CCPA’s definition of a “business” by (i) increasing the number of California residents (“consumers”) or households about which a business buys, sells, or “shares” personal information from 50,000 to 100,000, and (ii) focuses strictly on actual natural persons by removing “devices” from the calculation. The CPRA also narrows the scope of activities that trigger this volumetric threshold by removing the act of receiving or sharing personal information for commercial purposes from the list of relevant processing activities.
- Establishes a new category of “sensitive personal information,” which includes Social Security, driver’s license, or passport numbers; financial account information; precise geolocation, race, ethnicity, religion, union membership, personal communications, genetic data, biometric or health information, and information about sex life or sexual orientation. The CPRA empowers consumers to restrict the use of sensitive personal information, including for advertising or marketing purposes.
- Extends the CCPA’s employee and business-to-business (“B2B”) exemptions to January 1, 2023.
- Adds a right for consumers to correct inaccurate personal information.
- Expands the CCPA’s definitional exclusion for “publicly available” personal information to include information “lawfully made available to the public by the consumer or from widely distributed media.”
- Excludes from the definition of personal information “lawfully obtained, truthful information that is a matter of public concern,” reducing the exposure of media organizations to potentially problematic CCPA rights requests (for example, if a public figure were to make a deletion request to silence critics).
Enforcement And Liability
- Creates the California Privacy Protection Agency (“Agency”) to implement and enforce the law by investigating alleged violations and imposing fines. The Agency will be comprised of appointed experts in privacy, technology, and consumer rights, and will provide guidance to businesses and consumers on their responsibilities and rights.
- Grants the California and the Agency rulemaking authority to issue regulations regarding over a wide variety of areas, including, but not limited to, (i) the definition and use of sensitive personal information; (ii) the performance of cybersecurity audits or risk assessments; and (iii) the creation of a program for covered businesses to voluntarily certify compliance. The CPRA also grants the Agency broad authority to perform “all other acts necessary or appropriate” to strengthen consumer privacy while “giving attention to the impact on businesses.”
- Makes email address and password (or security question and answer) that allows access to an account subject to the definition of Personal Information Security Breach. While email and password information is subject to California’s current data breach law, it was not subject to the CCPA’s enhanced penalties (including statutory damages and a private right of action) for data breaches. The CPRA would resolve that inconsistency.
- Removes the compulsory 30-day cure period prior to administrative enforcement actions for CCPA violations, while granting the Agency authority to provide a business a time period in which it may cure violations. (The 30-day cure period for private claims related to data breaches remains unchanged, although implementation and maintenance of reasonable security practices following a breach does not constitute a cure.)
- Changes the civil penalty for CCPA violations to an administrative fine that would no longer be required to be assessed and recovered in a civil action. The penalty amounts remain largely unchanged (up to $2,500 per violation or $7,500 for each intentional violation), although fines for violating the CCPA’s opt-in-to-sale requirement for consumers under 16 are now tripled to up to $7,500 per violation.
- Broadens consumers’ control over their data by allowing them to opt out of “sharing” personal information (in addition to the current CCPA right to opt out of “sales”). “Share” is any disclosure or transfer of personal information to a third party “for cross-context behavioral advertising, whether or not for monetary or other valuable consideration.” “Cross-context behavioral advertising” includes targeted advertising based on prior browsing activity (commonly known as behavioral advertising/retargeting).
- This change clarifies that disclosures related to behavioral advertising/retargeting will not be a “sale” of personal information, but creates a new consumer opt-out right for it. While this does not necessarily affect the interpretation of “sale” under the CCPA, it does serve as a useful goalpost – honoring opt-outs for behavioral advertising/retargeting – that businesses can start working towards sooner rather than later.
Notifications And Disclosures
- Expands the CCPA’s transparency requirements by mandating that businesses provide notice of why they collect personal information, how much information they collect, and for how long they retain personal information.
- Requires businesses to disclose the role of automated decision making in certain instances, including performance at work, economic situation, heath, personal preferences and others, as well as allowing certain opt-out rights in relation to the use of automated decision making.
- Requires businesses to provide links on their homepage to allow consumers to opt out of the sharing of personal information for behavioral advertising/retargeting and limit the use of sensitive personal information (in addition to providing the CCPA-mandated “Do Not Sell My Personal Information” link if engaging in sales).
Internal Obligations On Businesses
- Requires businesses to implement data minimization and data integrity principles – principles that borrow from the GDPR. Under these principles, businesses must (A) minimize their data by assessing whether their use of personal information is reasonably necessary and proportionate to the purposes for which the information was collected; and (B) protect the integrity of their data by taking reasonable steps to prevent the collection, retention, or sharing of inaccurate personal information.
- Businesses may want to consider additional data mapping and creating records (or updating existing GDPR records) to document compliance with this requirement, and should ensure it is ready to handle consumers’ requests to correct their personal information.
- Allows businesses to refuse to honor access requests for information used for security purposes or that would expose trade secrets.
- This is significant for companies that are able to rely on similar exceptions under the GDPR.
Commercial Arrangements
- Requires businesses to enter into contracts with third parties, service providers, and contractors that (i) state that personal information is sold or disclosed for limited and specified purposes; (ii) require the third party or service provider to provide at least the level of privacy protection required by the CCPA and notify the business if it cannot; and (iii) allow the business to audit the third party, service provider, or contractor’s use of personal information and remediate unauthorized uses. Because the CCPA currently does not mandate these contractual terms, businesses, service providers, third parties, and contractors should update (or create) CCPA addenda now to address these requirements.
- Requires service providers to (i) assist businesses in complying with their CCPA obligations, (ii) alert businesses when they engage sub-processors, and (iii) enter into contracts with such sub-processors. These measures bring the CCPA closer into line with the similar GDPR obligations for data processors.
My Business Just Became CCPA Compliant - What Else Do I Need To Do?Businesses that are already in compliance with the CCPA will need to make changes to their privacy policies and privacy operations before the CPRA’s January 1, 2023 effective date. For example, if a business collects sensitive personal information, its privacy policy must be updated to include proper notice to their consumers of what categories of sensitive personal information are collected, and how they will be used. Businesses will also need to build consumer-facing tools and add links on their homepages that enable consumers to control and limit the sale, sharing, and use of their sensitive personal information, as well as the use of their personal information for behavioral and retargeted advertising. Business will also want to build in data minimization standards to their data processing activities, and give their consumers notice of and the ability to exercise their right to amend and correct inaccurate personal information. Additionally, to the extent businesses are not already entering into CCPA-compliant data processing agreements with their outside vendors, once the CPRA is effective, they will need compliant contracts not only with service providers and other vendors, but with any third party that handles or has access to the businesses’ data. If you are a business that is not yet required to be CCPA compliant, now is a good time to familiarize yourself with the CPRA and determine if and when you will meet the new definition of a covered “business” under the CPRA. As a covered “business” your company will be expected to fully comply with the provisions of the CPRA as of its effective date. Businesses should closely follow, and consider participating in, the AG’s (and then the Agency’s) public rulemaking process, as we look towards final regulations being adopted by July 1, 2022. The details have not yet been made public but the rulemaking process typically involves public notice and comment procedures, including meetings during which interested stakeholders can offer testimony. By staying apprised of the proposals, businesses will be better prepared to update or revise their compliance programs in plenty of time for the January 1, 2023 effective date. |
Conclusion
The CPRA’s path may take several twists and turns between now and the issuance of its final regulations. We will continue to keep you apprised of key developments.
Goodwin’s California privacy team, led by Steve Charkoudian and Jackie Klosek.
Goodwin's long-standing Privacy & Cybersecurity practice offers a fully integrated, multi-disciplinary approach to clients' data protection needs. Our global team is uniquely positioned to provide the most innovative solutions to guide clients through the collection, use, processing and protection of their most sensitive information. Our senior lawyers include four Legal 500 recommended lawyers and a “Next Generation Partner” in Cyber Law and Data Breach Response, several former federal prosecutors, and multiple FTC, GDPR, CCPA, HIPAA, GLBA and COPPA experts. We deliver practical solutions to complex regulatory challenges and design strategic privacy, information security and compliance programs for startups, global enterprises, and everything in between. We have handled hundreds of data breaches, including high-profile, global incidents involving everything from ransomware to nation-state attacks and advise on over 700 public and private transactions per year.