On November 3, 2020, California voters passed Proposition 24, the California Privacy Rights Act (CPRA), by approximately 56-44%. This act will amend and supersede the still recent California Consumer Privacy Act (CCPA), once it goes into effect on January 1, 2023.
The law builds on the existing framework of the CCPA, expands consumer privacy rights to more closely align with the EU’s GDPR, imposes additional obligations on businesses, and establishes the nation’s first agency dedicated to privacy regulation and enforcement, the California Privacy Protection Agency (CPPA). Below we have outlined the key points that you need to know to start preparing for the CPRA.
As is often the case with privacy, the earlier the preparation, the easier the compliance.
WHAT YOU NEED TO KNOW
Key dates and immediate changes
Operative and enforcement dates: The CPRA as a whole will not go into effect until January 1, 2023 and will only apply to information collected on or after January 1, 2022. Enforcement will not begin until July 1, 2023. Until then, the CCPA will remain the governing privacy regime.
Immediate changes: The law’s passage will have some immediate impacts, including:
- Extension of Employee Exemption: Exemptions for employee and business-to-business data are extended until January 1, 2023.
- Creation of the California Privacy Protection Agency (CPPA): The watchdog privacy agency, the CPPA, becomes effective immediately. The CPPA’s five-member board must be appointed within 90 days of the law’s enactment, which occurs 5 days after the Secretary of State certifies the final vote.
Definitional changes: There are several important changes to definitions in the CPRA, including:
New sub-category of “sensitive” personal information: The CPRA maintains the CCPA’s eleven categories of personal information (PI), but adds the new subcategory of “sensitive” personal information (Sensitive PI). Consumers will now have heightened rights when Sensitive PI is involved, including a new right to limit the use and disclosure of such data. Sensitive PI includes (1) social security, driver’s license, state ID or passport number; (2) account log-in information with a password; (3) a consumer’s precise geographic location; (4) racial or ethnic origin, religious belief or union membership; (5) contents of a consumer’s mail, email or text, unless the business is the intended recipient; (6) consumer’s genetic information; (7) processing of biometric information to identify the consumer; (8) PI analyzed concerning a person’s health; and (9) PI analyzed about a consumer’s sex life or sexual orientation.
New definition of “third party”: The CPRA adds a new definition of third party, which is defined in the negative to exclude service providers, contractors, and any business with whom the consumer intentionally interacts and that collects information from the consumer as part of the consumer’s interaction with the business. These exceptions are particularly important given the newly expanded consumer right to opt-out of the “sharing” of their information with third parties (discussed below).
New definition of (and partial limitation on) “profiling”: The CPRA adds a definition of “profiling,” which means “any form of automated processing” of PI used “to analyze or predict aspects of a person’s preferences, economic situation, work performance, health, interests, behavior, location, reliability, or movements.” Profiling may now be partially limited by consumers through the right to limit the use and disclosure of Sensitive PI to specific “business purposes” (discussed below), which exclude profiling unless the consumer reasonably expects that profiling is necessary to perform the services or provide the goods requested. This could have significant implications for how artificial intelligence can be used and explained.
Changes to business obligations
Limits data retention and requires disclosure of retention periods: The CPRA requires businesses to inform consumers of the length of time the business intends to retain each category of PI, including Sensitive PI. If for some reason specifying the length of time is not possible, the business must at a minimum inform consumers of the criteria used to determine the retention period. In no case may the business retain the consumer’s PI or Sensitive PI longer than is reasonably necessary for the disclosed purpose for which it was collected.
Adds a right to limit the use and disclosure of Sensitive PI: As noted above, with the addition of the Sensitive PI subcategory comes a new consumer right to limit the use and disclosure of this category of information. This right to limit use and disclosure is triggered where Sensitive PI is collected or processed for the purpose of inferring characteristics about the consumer. The consumer can limit the use or disclosure of their Sensitive PI to: (1) what is necessary to perform services or provide goods, and (2) certain limited “business services.” Sensitive PI that is not collected or processed for the purpose of “inferring” characteristics about the consumer shall be treated as PI and will not be subject to this limitation. Sensitive PI must be separately disclosed in the privacy notice and consumers must be provided notice of, and ability to exercise, their right to opt-in to limiting the use and disclosure of their Sensitive PI.
Extends consumers’ opt-out rights to the sharing of PI for cross-contextual advertising: Under the CCPA, consumers have the right to direct businesses not to sell their PI (known as the Right to Opt-Out of Sale). Under the CPRA, this right is extended to allow consumers to prevent businesses from “sharing” their information with third parties as well. “Sharing” in this context means a business sharing, disclosing, or renting a consumer’s PI to a third party for cross-contextual behavioral advertising, whether or not for money or other valuable consideration, including where no money is exchanged. “Cross-contextual advertising” means targeting advertising to a consumer based on PI obtained from the consumer’s activity across businesses, websites, apps, or services other than the one with which the consumer intentionally interacts. Similar to the Right to Opt-Out of Sale in the CCPA, the opt-out right to sharing does not extend to sharing PI with service providers and contractors.
Extends the non-discrimination provision to include non-retaliation: The CPRA amends the consumer right of non-discrimination to include a prohibition on retaliation against an employee, applicant for employment, or independent contractor for exercising any of their rights under the act.
Adds contract requirements for all persons that receive PI: The CPRA adds new contract requirements for all persons that receive PI, including selling and sharing, as well as service providers and contractors. The contract must now:
- Specify that information is provided for limited and specified purposes;
- Obligate the person receiving information to comply with the CPRA and “provide the same level of privacy protection as is required by” the CPRA;
- Grant the business the right to ensure that information is being transferred “in a manner consistent with the business’s obligations under this title”;
- Require the person receiving the PI to notify the business if it can no longer meet its obligations under the CPRA;
- Grant the business the right to take steps to stop and remediate unauthorized use of PI.
Increased rights of children
Increases administrative fines for children’s PI: The CPRA increases the administrative fines for any violations of the act involving the PI of children under 16 years of age up to a potential $7,500 per violation. Under the CCPA, this penalty was reserved only for intentional violations. The $2,500 maximum fine for all other non-intentional acts involving persons 16 years of age and older remains the same.
Requires opt-in consent for sharing PI of children under 16: Just as the CPRA extends the right of consumers to opt-out of the selling of PI to include the right to opt-out of sharing PI with third parties, the CCPA’s requirement that a business obtain affirmative opt-in consent to sell PI of children under 16 now also extends to the sharing of children’s PI. The CPRA also calls for rulemaking to “establish technical specifications for an opt-out preference signal that allows the consumer, or the consumer’s parent or guardian, to specify that the consumer is less than 13 years of age or at least 13 years of age and less than 16 years of age.”
New watchdog privacy agency, new rulemaking, and extended private right of action
Establishes the new California Privacy Protection Agency (CPPA): As noted above, the CPRA establishes a new agency, the CPPA, “to implement and enforce” the CCPA and the CPRA (when it becomes operative). The CPPA will be the first privacy agency in the United States devoted solely to consumer data privacy and will have a broad mandate to investigate possible violations of the CPRA, enforce the CPRA through administrative action, and promulgate rules.
Requires a new rulemaking on insurance: The CPRA requires the CPPA to “review the existing California Insurance Code” regarding consumer privacy, except provisions relating to insurance rates and pricing. The CPPA must determine whether the Insurance Code provides greater privacy protections than the CPRA, and if not, the CPPA “shall” adopt a regulation that applies the greater protections of the CPRA to insurance companies. The Insurance Commissioner, however, shall maintain jurisdiction over insurance rates and pricing.
Requires a new rulemaking on cybersecurity and privacy: The CPPA shall issue regulations requiring businesses “whose processing of consumers’ personal information presents significant risk to consumers’ privacy or security” to (1) perform a cybersecurity audit on an annual basis and (2) submit a risk assessment to the CPPA with respect to their processing of PI.
Extends the scope of the private right of action: The CPRA extends the scope of the private right of action by adding a cause of action for the unauthorized access and exfiltration, theft, or disclosure of an email address in combination with a password or security question and answer that could permit access to content. Previously the CCPA only recognized a cause of action relating to nonencrypted or nonredacted PI. The CPRA also clarifies that the implementation and maintenance of reasonable security procedures and practices following the breach does not constitute a cure.
The CPRA is yet another example of the rapidly evolving privacy landscape. But underlying the volatility is a clear trend towards enhanced privacy obligations on companies, which will almost certainly continue apace, both in the United States and across the globe. In this environment, those that prepare early, and those that have a firm handle on the law and on what data they have, where it came from, where it goes, and how long they retain it, will be those that are best positioned to comply.