With the commencement of the California Consumer Privacy Act (CCPA) enforcement on our heels, we are now looking ahead to CCPA 2.0 – the California Privacy Rights Act of 2020 (CPRA). If voters approve the ballot initiative this November, CPRA would drastically amend CCPA, create a privacy protection agency, and incorporate additional foundational privacy principles, including data retention and minimization. Because the measure appears to have broad public support, businesses should begin to evaluate modifications they may need to make to their privacy compliance programs in light of CPRA’s requirements. This alert provides a high-level overview of the ballot initiative, the most significant CPRA provisions, and the implementation timeline.
Didn’t California just enact a sweeping privacy law? Why did CPRA come about?
CPRA is the second data privacy ballot initiative advanced by the Californians for Consumer Privacy, a non-profit led by Alastair and Celine Mactaggart. Alastair Mactaggart was the architect of CCPA. His organization filed the CPRA initiative on November 13, 2019 – just one month after Governor Gavin Newsom signed the CCPA amendments into law – due to concerns that the 2019 legislative amendment process weakened the privacy protections in CCPA and that there would be future legislative attempts to do so. On June 25, 2020, CPRA qualified for the November 3, 2020 ballot with over 900,000 signatures in support.
What’s new in CPRA?
Formation of the California Privacy Protection Agency
CPRA creates a new agency – the California Privacy Protection Agency – dedicated to implementing and enforcing CPRA. The Agency will be governed by a five-member board, each of whom will serve for a single eight-year term. The board will be comprised of individuals with expertise in privacy, technology, and consumer rights. The Governor will appoint the chair and one board member. The Attorney General, Senate Rules Committee, and Speaker of the Assembly will each appoint one member to the board. The Agency will also appoint a Chief Privacy Auditor to conduct audits of businesses to ensure compliance with CPRA.
CPRA both modifies existing rights under CCPA and grants new rights. CPRA requires service providers and contractors to cooperate in responding to consumers’ deletion requests and to delete consumers’ personal information when directed. CPRA also expands consumers’ right to opt out to cover the sharing, in addition to the sale, of their information. Sharing is a new defined term under CPRA and includes providing personal information to a third party for cross-context behavioral advertising.
Notably, consumers are given the right to opt out of not just the sale, but also the sharing, of their personal information. Accordingly, businesses are required to update the opt-out link already required under CCPA to read “Do Not Sell or Share My Personal Information.”
The Act also grants consumers the right to correct inaccurate personal information and the right to restrict the use of sensitive personal information. Under CPRA, sensitive personal information includes ID numbers, account details, location data, diversity data, mail content, genetic data, and biological data. In addition to the opt-out link above, businesses are required to provide a “Limit the Use of My Sensitive Personal Information” link unless the business honors opt-out preference signals.
New Obligations and Restrictions on Businesses and Service Providers
CPRA increases transparency and data governance requirements by requiring businesses to disclose the length of time the business intends to retain personal information. CPRA also requires that all businesses have a contract with each entity with which they share personal information; the contract must include purpose limitations and must require the same level of protection of personal information as CPRA itself.
CPRA also makes substantial changes to the definition of “business purpose,” which is a threshold for determining whether an organization constitutes a business directly subject to CCPA or a service provider not directly subject to it. Under CCPA, a transfer of personal information is not a “sale” when a business uses, or shares with a service provider, personal information of a consumer that is necessary to perform a business purpose and certain conditions are met. CPRA specifies that non-personalized advertising based on a consumer’s current interaction with a business is a valid business purpose. But it also provides that such advertising cannot involve a consumer’s precise geolocation, which CPRA defines as a radius of 1,850 feet surrounding a person.
In addition, CPRA provides that cross-context behavioral advertising is not a business purpose, and defines it as “the targeting of advertising to a consumer based on the consumer's personal information obtained from the consumer’s activity across businesses, distinctly-branded websites, applications, or services, other than the business, distinctly-branded website, application, or service with which the consumer intentionally interacts.” This change indicates that entities that employ such advertising cannot constitute service providers under CPRA.
CCPA was intended to apply to large businesses. To further that purpose, CPRA raises the existing applicability threshold to businesses that process the personal information of over 100,000 California consumers (up from the previous threshold of 50,000).
Governing Agreement Requirements
CPRA requires businesses to enter into governing agreements with any entity to which the business discloses information, including service providers, contractors, and third parties. The agreement must specify the limited and specific purposes for which personal information is disclosed.
How will CPRA prevent the California Legislature from weakening CPRA’s privacy protections?
Californians for Consumer Privacy embedded an amendment provision in CPRA that permits the California Legislature to amend the Act by statute only so long as the amendments are consistent with, and further, the purpose and intent of the Act. The amendment provision expressly states that the Act prevails over any conflicting legislation enacted after January 1, 2020, and that any such conflicting legislation is null and void upon its passage.
When will CPRA go into effect if voters approve the ballot initiative?
If CPRA passes on November 3, 2020, there will be a two-year delay to allow businesses to evaluate and update their compliance programs. Most provisions will go into effect on January 1, 2023. CCPA provided two exemptions for B2B and employee data, which sunset at the end of 2020. CPRA extends these exemptions until January 1, 2023.
The new California Privacy Protection Agency will assume rulemaking and enforcement authority, which currently rest with the office of the Attorney General. The CPRA rulemaking process will begin on July 1, 2021. The Agency is required to adopt the final regulations by July 1, 2022. Similar to CCPA, there is a six-month delay in enforcement after CPRA goes into effect on January 1, 2023. The Agency may begin enforcement actions on July 1, 2023.