Last November, California voters approved Proposition 24, enacting the California Privacy Rights Act (“CPRA”). The CPRA amends the California Consumer Privacy Act (“CCPA”), which was already the most sweeping consumer data protection law in the U.S. Wondering what you should know about California’s new Privacy Rights Act? We dug into the new law and identified the five biggest changes.
Among the most important changes—which take effect on January 1, 2023 (but apply to data collected beginning January 1, 2022)—are:
- A modified scope;
- New categories of personal information;
- New consumer rights;
- New third-party requirements; and
- New notice, consent, and design rules.
1. Modified Scope
The CPRA slightly modifies the CCPA’s definition of “business.” As under the CCPA, covered “businesses” are organized for profit, do business in California, collect consumers’ personal information (or have it collected on their behalf), and meet one of three criteria. The CPRA makes some changes to these three criteria.
First, consistent with the CCPA, a business is covered if its annual gross revenue is in excess of $25,000,000. The CPRA now clarifies that gross revenue is measured in the preceding calendar year, resolving an ambiguity in the CCPA.
Second, a business is covered if it buys, sells, or shares a certain threshold of consumer or household personal information. The CCPA’s threshold was 50,000 consumers or households (alone or in combination). The CPRA raises that threshold to 100,000.
Third, as under the CCPA, a business is covered if it derives at least 50% of its annual revenue from selling personal information. The CPRA adds “sharing” to this provision, such that deriving 50% of revenue from “selling or sharing” personal information now brings a business within the scope of the law. The CPRA defines sharing broadly, as: “communicating . . . a consumer’s personal information . . . to a third party for cross-context behavioral advertising, whether or not for monetary or other valuable consideration.”
Another key change is that the CPRA narrows the common control avenue of applicability. The CCPA provided that an entity controlled by or controlling a covered business that shares common branding with the covered business, qualified as a covered “business” itself. The CPRA now adds the requirements that (1) an average consumer would understand that the entities were commonly owned due to a shared name, servicemark, or trademark and (2) the covered business shares consumers’ personal information with the commonly controlled entity.
The CPRA also creates two brand new categories of covered businesses. First, the law applies to a “joint venture or partnership composed of businesses in which each business has at least a 40 percent interest.” Thus, if the partners are covered businesses and own a large enough stake, so is the joint venture.
Second, an organization now qualifies as a “business” if it voluntarily certifies to the newly-created California Privacy Protection Agency that it complies with, and agrees to be bound by, California’s data privacy laws.
While these limited changes will not affect most entities already covered by the CCPA, it will change the scope of the law on the margin. Joint ventures and partnerships, in particular, should carefully review their status under the CPRA.
If your organization may be affected, you should consult experienced counsel well in advance of 2023, especially given the law’s one-year lookback period.
2. New Category of Personal Information
The CPRA adds sensitive personal information to the non-exclusive list of items that qualify as personal information under the CCPA. Once the CPRA becomes effective, consumers will have additional rights when it comes to their sensitive personal information.
The CPRA defines “sensitive personal information” as personal information that reveals a consumer’s (a) social security, driver’s license, state identification card, or passport number; (b) account log-in, financial account, debit card, or credit card number in combination with any required code or credential allowing access to an account; (c) precise geolocation; (d) racial or ethnic origin, philosophical beliefs, or union membership; or (e) mail, email, or text messages (unless the business is the intended recipient). A second category of sensitive personal information includes: (a) the processing of biometric information for the purpose of identifying a consumer; (b) personal information collected and analyzed concerning a consumer’s health; and (c) personal information collected and analyzed concerning a consumer’s sex life or sexual orientation.
When it comes to their sensitive personal information, consumers may “direct a business that collects sensitive personal information . . . to limit its use of the . . . information to that use which is necessary to perform the services or provide the goods reasonably expected,” or to perform other specifically designated services. If a business uses sensitive personal information for other purposes, it must provide notice of that use and the opportunity to opt out.
3. New Consumer Rights
In addition to the new consumer rights regarding sensitive personal information discussed above, the CPRA provides additional rights for consumers to correct their personal information, to opt out of certain information sharing, and to bring private lawsuits.
The CPRA includes a new right for consumers to correct personal information. Businesses must disclose the right to request correction and must use commercially reasonable efforts to correct inaccurate information upon request.
The CPRA also modifies consumers’ ability to opt out of certain business practices by adding “sharing” to the law’s opt-out provisions. Under the CCPA, consumers could opt out of personal information sales. Under the CPRA, consumers can opt out of personal information sharing as well. This change will be significant for businesses that categorize their information distribution as “sharing” but not “selling.” That distinction will no longer exempt businesses from permitting consumers to opt out.
The CPRA also expands the scope of information that, if subject to unauthorized access and exfiltration, theft, or disclosure, can result in private liability. As we’ve written about previously, the CCPA’s private right of action references personal information as defined in Section 1798.81.5(1)(A), which is narrower than the categories of personal information covered elsewhere in the CCPA (and expanded by the CPRA). The CPRA supplements the CCPA’s private right of action by adding “email address in combination with a password or security question and answer that would permit access to the account” to the categories of information that, if stolen, can result in liability. Thus, under the CPRA, if an email address and password is exfiltrated due to a business’s failure to employ reasonable security procedures, a business may be vulnerable to private litigation.
Relatedly, the CPRA limits the ways in which businesses may “cure” a breach to avoid liability. While the CPRA does not provide a positive definition of “cure”—and it remains ambiguous how a breach may be “cured” under the California law—the CPRA explicitly states that the “implementation and maintenance of reasonable security procedures and practices” following a breach will not constitute a cure. This suggests that a business cannot avoid suit by merely enhancing its security after a breach has occurred, but must do something to address the damage that has already been done. It remains to be seen how courts resolve disputes concerning the notice-and-cure provision of the CCPA and CPRA.
Beyond these additional statutory rights, the CPRA creates the California Privacy Protection Agency (“CalPPA”). CalPPA will be responsible for issuing administrative rules supplementing the CPRA’s statutory consumer rights. We will address CalPPA in depth in upcoming posts.
4. New Third-Party Requirements
The CPRA includes significant new obligations when it comes to third parties. It creates specific contract requirements for businesses that collect, then sell or share, personal information to third parties, or that disclose personal information to service providers or contractors.
Such businesses “shall enter into an agreement” that (1) specifies the limited purposes for which the personal information can be used; (2) obligates the counterparty to comply with California’s data privacy regime; (3) permits the business to take reasonable steps to ensure the third party complies with its obligations; (4) requires the third party to notify the business if it determines that it can no longer meet its obligations; and (5) grants the business “the right . . . to take reasonable and appropriate steps to stop and remediate unauthorized use of personal information.”
The CPRA also expands the requirements for third parties to comply with consumer deletion requests by creating a chain of applicability. The CCPA already required businesses to delete consumers’ personal information upon request and to “direct any service providers” to do the same. The CPRA adds that in responding to a consumer deletion request, service providers and contractors must “notify any of [their] own service providers or contractors to delete personal information about the consumer” and “notify any service providers, contractors, or third parties who may have accessed personal information from or through the service provider or contractor . . . to delete the consumer’s personal information unless this proves impossible or involves disproportionate effort.”
5. New Notice, Consent, and Technical Design Rules
As discussed above, the CPRA provides additional rights to consumers when it comes to their personal information. To ensure that consumers are empowered to enforce and make decisions about these new rights, the CPRA introduces new notice, consent, and website design rules.
The CCPA’s notice requirements applied to businesses that “collect” consumers’ personal information. The CPRA expands the notice requirements to businesses that “control the collection of a consumer’s personal information,” even if the collection is done by a third party. As to the content of the notice, the CCPA already required businesses to disclose the categories of personal information collected and the purposes for which they were collected or used. New to the CPRA, a business must disclose the “length of time the business intends to retain each category of personal information . . . or if that is not possible, the criteria used to determine that period.” Most importantly, the CPRA no longer permits businesses to “retain a consumer’s personal information . . . for longer than is reasonably necessary for th[e] disclosed purpose.”
The CPRA also singles out the use of “dark patterns,” stating expressly that “agreement obtained through use of dark patterns” does not constitute consent. A dark pattern is “a user interface designed or manipulated with the substantial effect of subverting or impairing user autonomy, decision-making, or choice, as further defined by regulation.” In other words, dark patterns use website design or social engineering to nudge (or shove) users into making certain choices. For example, a website may utilize a confusing mix of opt-in and opt-out dialogue boxes. Or a social media platform may ask for access to your contact list, ostensibly to find connections, only to spam your friends with advertising. The use of dark patterns and issues of consent have been an early focus of rulemaking under the CPRA, and we expect this trend to continue both in regulations and enforcement.
* * *
This post summarizes some of the most important changes in the CPRA, but the law is lengthy and complex. We will provide additional insights and observations about the CPRA, including steps businesses can take to prepare, key issues to watch, and other important topics.