Is your organization ready for California’s latest privacy rights law, enacted at the end of 2020 – the CPRA? This article addresses some key considerations to help you determine whether your organization may be subject to the CPRA.
With the enactment of the California Privacy Rights Act (Proposition 24) (“CPRA”) on December 16, 2020, businesses will now need to ensure that their protection of consumer data not only complies with the California Consumer Privacy Act, Cal. Civ. Code § 1798.100-1798.199 (“CCPA”), but also with the CPRA. The CPRA extends some of the rights already provided by the CCPA, and it also further defines some of the existing definitions and provisions in the CCPA.
Most of the CPRA’s provisions are not operative until January 1, 2023. Final CPRA regulations are to be adopted by July 1, 2022.
The CPRA creates a new California agency for the protection of consumers’ personal information and privacy – the California Privacy Protection Agency. Initially, the Attorney General of California will be responsible for creating regulations under the CPRA, but the Agency will take over the rulemaking responsibilities by July 1, 2021.
Penalties for violations of the CPRA are similar to those for violations of the CCPA. For unintentional violations, there is a fine of $2,500 per violation, and for intentional violations, there is a fine of $7,500 per violation.
The definition of “business” under the CPRA is similar to the definition under the CCPA, but the CPRA brings greater clarity to some of the grey areas in the CCPA. For example, the CPRA provides that the $25 million annual gross revenue provision applies to the preceding calendar year. Additionally, the CPRA clarifies that the threshold for buying, selling or sharing personal information applies annually, and it doubles the number of consumers or households from 50,000 in the CCPA to 100,000 in the CPRA. Finally, the threshold for businesses that derive 50% of their annual revenue from selling consumers’ personal information is broadened under the CPRA to also include the “sharing” of personal information.
Some key provisions of the CPRA include the following:
- Businesses are required to disclose to consumers information about their right to correct their personal information.
- Businesses are required to disclose the length of time that a business maintains consumers’ personal information, at or before the time that the personal information is collected.
- Businesses have an obligation of data minimization and purpose limitation, similar to the EU’s General Data Protection Regulation (“GDPR”).
- With regard to the existing right of data portability under the CCPA, the CPRA provides that data must be transported, to the extent technically feasible, in a structured, commonly-used, and machine-readable format.
- The CPRA includes an affirmative requirement to implement and maintain the “reasonable security” of personal information, but “reasonable security” is not specifically defined.
- A new category of personal information is created for “sensitive personal information,” which is similar to the GDPR’s special categories of data. Sensitive personal information includes:
  - Social security number;
  - Driver’s license number;
  - State identification number;
  - Passport number;
  - Account login, credit card, debit card or financial account number, along with the access code or password;
  - Precise geolocation data (the area of a circle with a radius of 1,850 feet or less);
  - Genetic data;
  - Mail, email, and text content;
  - Racial or ethnic origin;
  - Religious or philosophical beliefs;
  - Union membership;
  - Biometric information processed for the purpose of identifying a particular consumer;
  - Information about health, sex life, or sexual orientation.
- A business that collects sensitive personal information must provide notice of collection to consumers at the time of collection, as well as the categories of sensitive personal information that are collected, the purposes of collection of each category, and whether each category is sold or shared.
- Consumers have the right to limit the use of their sensitive personal information.
- To honor these rights, businesses may:
  - Post two links on the business’s homepage labeled “Do Not Sell or Share My Personal Information” and “Limit the Use of my Sensitive Personal Information,”
  - Include a single link on the business’s homepage that provides the options for both Do Not Sell or Share My Personal Information and Limit the Use of my Sensitive Personal Information, or
  - Respect an opt-out preference signal sent, with the consumer’s consent, by a platform, technology or mechanism.
- Consumers have a right to limit the use and disclosure of precise geolocation data.
California continues to lead the way in the U.S. for the protection of personal data and privacy. We expect other states to start following California’s lead with similar versions applicable to each state. Or, with the new administration in effect as of January 20, 2021, we may finally see a federal data protection and privacy law passed.
If your organization is subject to compliance with the CCPA, it may very well have to comply with the CPRA, as well. Your organization should consider consulting with legal counsel regarding potential compliance with the CPRA and approving a budget for any additional privacy compliance efforts that may be needed.