The California Privacy Rights Act (CPRA) is a ballot initiative that, if passed in November, will significantly amend the California Consumer Privacy Act (CCPA). With a few notable exceptions, the CPRA generally expands the protection of a consumer’s personal information and privacy rights.
Last week, the California Secretary of State confirmed that the CPRA will be included on the ballot in California this November. Although a lot can change between now and then, the CPRA is currently expected to pass. If the CPRA passes, it will significantly revise the CCPA and introduce new privacy and security requirements for businesses, with most provisions taking effect on January 1, 2023.
Key Developments in the CPRA
The CPRA includes many changes to the CCPA, ranging from minor changes in the language, to helpful clarifications, to new and onerous obligations. We have highlighted what we view as the most significant changes as follows:
- Extension of Employee and B2B Contact Exemptions: The CPRA will immediately extend the CCPA’s exemptions for information relating to employees, job applicants and business-to-business (“B2B”) contacts. If the CPRA does not pass, these exemptions are scheduled to sunset under CCPA on January 1, 2021.
- Important Changes (for Small Businesses) to Definition of a Business: The CPRA builds in higher thresholds for the definition of “business,” which should result in many small businesses falling outside the scope of the CPRA. Unfortunately, this threshold change would not go into effect until January 1, 2023. Therefore, some small businesses may continue to have obligations under the CCPA until then, unless the California Attorney General issues guidance to the contrary.
- New Concept of “Sharing” and Online Advertising: The CPRA defines “sharing” personal information as disclosing personal information to a third party for “cross-context behavioral advertising,” which is the practice of targeted advertising using information gathered about an individual across multiple businesses. The CPRA places similar obligations on sharing as selling, including the right to opt-out and a requirement to include a “Do Not Sell or Share My Personal Information” link. The CPRA provides more flexibility than the CCPA on how to opt-out, but the addition of “sharing” will end the debate over whether opt-out requirements for “sales” apply to cross-context behavioral advertising.
- Limitations on Use of Sensitive Personal Information: The CPRA introduces the concept of “sensitive personal information” (much like the GDPR) and attaches heightened requirements to such personal information, including a consumer’s right to limit the processing of sensitive personal information, special notice requirements, and a requirement to add a “Limit the Use of My Sensitive Personal Information” link.
- New Notice Requirements at Point of Collection: In addition to the existing CCPA requirements for notice a point of collection, the CPRA requires a business to put consumers on notice, at or before collection, on the following: whether information is sold or shared; information on sensitive categories of personal information that are being collected (see below); and how long personal information is retained.
- New Requirements for Service Provider Agreements: The CPRA adds requirements for agreements with service providers that process personal information on behalf of the business. The CPRA requires agreements to include certain terms. For example, the agreement must limit use of personal information only for “limited and specified purposes,” must provide the business with audit rights, etc.
- Expanded Private Right of Action: The CPRA also emphasizes the importance of implementing security to safeguard consumers’ personal information by expanding the scope of the private right of action. The CCPA’s private right of action only applies if there is a breach of nonencrypted and nonredacted personal information as defined by California’s breach notification statute (which is much narrower than the CCPA’s definition of personal information), and the CCPA allows for a thirty day cure period in the aftermath of a breach. The CPRA’s private right of action retains the concept of personal information as defined under Cal. Civ. Code § 1798.150 but expands the scope by including e-mail addresses when combined with a password (or equivalent) that would permit access to an account. Additionally, the CPRA clarifies the “implementation and maintenance of reasonable security procedures and practices pursuant to Section 1798.81.5 following a breach does not constitute a cure with respect to that breach,” such that the business could avoid a private suit. This shift away from the cure period provided under CCPA has the potential to significantly increase litigation risk for businesses subject to a data breach.
- Improved Exemption for Clinical Trials: Aside from extending exemptions for employee and B2B information, the CPRA generally retains the various exemptions (e.g., HIPAA, GLBA) from the CCPA with a few improvements. For example, the CPRA clarifies that the clinical trial exemption applies where a clinical trial or other biomedical research study is conducted in accordance with the Common Rule. (As it stands under the CCPA, the exemption only applies where the study is subject to the Common Rule, begging the question of how the CCPA applies to studies that comply with but are not subject to the Common Rule).
- Enforcement through the California Privacy Protection Agency: The CPRA will create the first U.S. state agency dedicated to privacy enforcement, the California Privacy Protection Agency, to implement and enforce the CPRA. The agency would be initially funded with $5 million dollars in 2020-2021, and $10 million each year to follow.
- Risk Assessments and Audits: The CPRA directs the California AG to issue regulations requiring businesses whose processing of personal information presents “significant risk to consumers’ privacy or security” to perform an annual cybersecurity audit and submit a risk assessment to the California Privacy Protection Agency on a regular basis. Meaning, the CPRA essentially adopts the GDPR concept of DPIAs but takes it a step further, by affirmatively requiring such assessments to be submitted to a regulatory body on a regular basis.
Recommended Next Steps
Even assuming the CPRA passes, much could still change between now and January 2023 making the privacy landscape ahead even more challenging to navigate. For example, a federal law could preempt; other states could pass laws similar to CPRA; or California could develop alternatives through future ballot initiatives or legislation. With that in mind, we recommend that businesses begin discussing (but not implementing) the concepts under the CPRA and thinking through the ways in which their existing privacy practices and programs address the obligations contemplated under the CPRA.
More specifically, we recommend businesses that operate within the scope of the CPRA take the following steps:
- Gather information on current privacy and data processing practices. The first step is to better understand what your business is doing today. The CPRA provides another benchmark to measure your business’s progress. If the GDPR and CCPA has not already pushed your business to conduct data mapping, gap assessments, and other similar projects, the CPRA is another reason to do so. Further, these projects sometimes take much longer than imagined to complete, so it is not unreasonable to begin doing so years ahead of schedule.
- Continue with CCPA compliance projects. The CCPA is the law in effect unless it is amended by the CPRA, and aside from a few specific amendments, CCPA efforts will move business closer to CPRA compliance.
- Practice Data Minimization and Transparency. Even where not strictly mandated, it is a best practice to implement data minimization and other strategies to mitigate privacy risks. Transparency with respect to how you are processing personal information is also key. The CPRA, much like the CCPA, adds another justification to the list, if there is a need to persuade other stakeholders in the business of the importance of investing resources in more transparent and robust privacy and information governance practices. Even if the CPRA does not pass, it underscores a broader trend of increased privacy obligations and more transparent processing of consumer data.
We will continue to track developments in the CPRA and other legislation.