- On Nov. 3, 2020, a substantial majority of California voters passed the California Privacy Rights and Enforcement Act (CPRA).
- The CPRA replaces the California Consumer Privacy Act (CCPA), bringing California Privacy law more in line with the European Union’s General Data Protection Regulation (GDPR) and considerably strengthening the privacy rights of California residents.
- CPRA will go into effect on Jan. 1, 2023.
After the CCPA came into effect earlier in the year, businesses worked hard to put in place privacy programs to comply with the law. After just a few short months in existence, the CPRA will replace the CCPA in an attempt to further strengthen the privacy rights of California residents. Businesses that have taken steps to become CCPA compliant, or businesses that are in the process of doing so, will need to review the changes CPRA will bring, and consider what additional steps they will be required to take in the coming months and years before the CPRA will go into effect.
Below is an illustrative list of the more significant changes CPRA will bring:
- Definition of Business – Under the CCPA, any business that buys, sells, or shares for business purposes the personal data of 50,000 consumers, households, or devices annually has been required to comply with the law. However, the CPRA narrows the CCPA’s definition of a “business” by revising the collection threshold to 100,000 consumers or households and removing devices from the definition of household, which will likely reduce the number of businesses that will need to comply with the law. Importantly, the other two thresholds (i.e., annual gross revenue in excess of $25M, or 50 percent or more of annual revenues derived from selling or sharing of consumers’ personal information) have not been modified and will remain in effect.
- New Type of Personal Information – The CPRA created a new subset of personal information: sensitive personal information (SPI). SPI includes social security, driver’s license, passport, or financial account numbers; race, ethnicity, religion, union membership, personal communications, genetic data, biometric or health information, and information about sex life or sexual orientation. This definition closely tracks that found in the EU GDPR.
- New Consumer Rights – For the foregoing category of sensitive personal information, consumers will have the right to request limitations on the use and disclosure of such information. Also, consumers will have the right to ask businesses to rectify inaccurate personal information maintained by the business. Lastly, in addition to providing consumers the right to opt-out of the sale of personal information under the CCPA, the CPRA will require businesses to allow consumers to opt-out of sharing of personal information for cross-context behavioral advertising, such as digital advertising.
- Creation of New Enforcement Agency – The CPRA creates the new California Privacy Protection Agency (CPPA) for enforcement and guidance and grants the CPPA the sole rule-making authority to issue regulations. The CPPA is apportioned a budget of $10M that must be increased by the legislature “as may be necessary to carry out the provisions of this title.” Notably, the CPRA removes the 30-day cure period that businesses currently enjoy under the CCPA after being formally notified by the Attorney General’s Office of an alleged violation.
- Private Right of Action – While the CPRA does not seem to alter the private right of action under the CCPA, it adds a consumer’s email address in combination with a password or security question to the subset of personal information that, if breached, could trigger a private right of action where a hacker was able to access the consumer’s email account.
- Triple Penalties for Violations Involving Minors – The CPRA triples the maximum penalty for privacy violations involving consumers under 16 years of age ($7,500 per intentional violation).
- Notice at Collection – A notice must now include a retention period for each category of personal information and sensitive personal information, or include criteria for determining the retention period if setting a retention period is not possible.
- Data Retention Requirement – The CPRA will also prohibit businesses from retaining personal information or sensitive personal information for longer than reasonably necessary for the disclosed purpose for which the information was collected.
- Extension of Employee and B2B Exemptions – The CPRA extends the current employee personal information and B2B exemptions from Jan. 1, 2021, until Jan. 1, 2023.
- Timeline – After the results of the election are certified, the CPRA will become operative on Jan. 1, 2021, essentially blocking any other privacy legislation from preempting it. The CPPA will need to adopt final regulations by July 1, 2022. The CPRA will come into effect on Jan. 1, 2023, with a look-back provision covering data collected starting Jan. 1, 2022.
Businesses will have to revisit their privacy practices and amend their privacy programs to comply with the new requirements of the CPRA. That said, the CPRA generally becomes operative beginning Jan. 1, 2023, and in the interim the CPPA is expected to provide additional information on the compliance and enforcement implications of the CPRA. Companies should continue to monitor CCPA/CPRA developments and consult with counsel to ensure their privacy programs and procedures remain aligned with current compliance requirements.