The California Privacy Rights Act (“CPRA”) has received enough signatures to qualify for the November 2020 ballot in California. Based on preliminary polling, many expect voters to approve it. If approved, substantive provisions of the CPRA would take effect on January 1, 2023. The CPRA — touted as the California Consumer Privacy Act (“CCPA”) 2.0 — would amend the CCPA to (1) create additional privacy rights for California consumers and obligations on businesses and (2) address some ambiguities and unintended consequences of the CCPA. The new obligations would be enforced by a first-of-its-kind enforcement agency starting on July 1, 2023. Californians for Consumer Privacy, the group that submitted the initiative, secured 931,000 signatures from Californians. According to Alastair Mactaggart, the group’s founder, California consumers are “overwhelmingly supportive of being in control of their most sensitive personal data … .”
NEW RIGHTS AND OBLIGATIONS
Opt-In Consent for Sensitive Data
Under the CPRA, consumers would be allowed to limit the use and disclosure of their “sensitive personal information,” which includes a person’s Social Security number, account log-in credentials, financial account information, and data concerning sexual orientation, amongst other categories of information. Similar to the “Do Not Sell My Personal Information” link under CCPA, the CPRA would require a “Limit the Use of My Sensitive Personal Information” link.
Higher Fines for Violations Involving Children’s Data
The CPRA also includes a mandatory opt-in for minors under the age of 16 before a business may sell or share their personal data. Businesses could be liable for three times the ordinary fine, or $7,500 per violation, for knowingly mishandling a child’s data.
Codifying Fair Information Practice Principles (“FIPPs”)
The CPRA codifies several fair information practice principles such as data quality, data minimization, security safeguards and use limitation. For those who don’t speak FIPPs, these principles are translated into the following rights and obligations:
- A right to correct inaccurate personal information;
- Prohibition on retaining a consumer’s sensitive personal information for longer than reasonably necessary, along with an obligation to regularly delete unnecessary data;
- A new private right of action that would allow a consumer to bring an action for failing to maintain reasonable security that results in an unauthorized access or disclosure of an email address and password or security question in a combination that permits account access; and
- A right to limit the use of “sensitive personal information” for any secondary purpose (i.e. a purpose other than the purpose for which the information was originally collected).
Creation of the California Privacy Protection Agency
The CPRA would create the first government agency solely focused on privacy in the US, called the California Privacy Protection Agency (“CPPA”), that would enforce and implement the CPRA. Additionally, the CPPA would be tasked with building public awareness about privacy risks and giving businesses and consumers guidance on privacy. The CPPA would also have the power to issue administrative fines for violations of the act: up to $2,500 per violation and up to $7,500 per intentional violation or violation that involves minors.
Furthermore, the CPPA and the California Attorney General would be able to require audits and risk assessments for companies that engage in data processing with significant risks to the privacy of consumers. The Attorney General and the CPPA would also be able to issue regulations requiring annual independent cybersecurity audits based on the business, its size, and the risks presented by how it processes data.
A Version of GDPR’s “Profiling” Disclosure Requirements
The CPRA also addresses businesses that engage in automated processing of personal information, where they use personal information to predict characteristics such as performance at work, economic situation, health, behavior, location, and others. The CPRA requires that new regulations be enacted to govern access and opt-out rights with respect to the businesses’ use of automated processing of personal information. Businesses responding to requests for access would be required to include meaningful information around the logic behind the decision-making processes and the likely outcome of the process with respect to the consumer.
Contractual Cooperation Obligations for Information Shared with Service Providers and Third Parties
Businesses that share personal information with service providers, third parties, and contractors must enter into a contract with each recipient of that data under which the recipient is required to provide the same level of privacy protection that the CPRA requires of the business. In addition, the CPRA requires service providers and contractors to cooperate with the business in responding to a verifiable consumer request and to delete, or enable the business to delete, personal information collected about the consumer.
Higher Threshold for Applicability
The CPRA raises the threshold for qualifying as a “business” subject to the CCPA by increasing the minimum number of consumers or households with which a business interacts from 50,000 to 100,000. Significantly, the word “devices” would be removed from this threshold: under the CPRA’s new definition, a business would not need to count the “devices” with which it interacts when determining applicability. This change is intended to alleviate confusion caused by the inclusion of “devices” in the current CCPA definition of a “business.”
Employee and B2B Information Moratoria Extended
Under the current version of the CCPA, employers do not have to respond to requests to delete or requests for information from their employees with respect to employment-related information, and business-to-business information is excluded. These exemptions, however, are set to expire on January 1, 2021. Acknowledging “the differences in the relationship between employees or independent contractors and businesses, as compared to the relationship between consumers and businesses,” the CPRA extends these exemptions until January 1, 2023.
Loyalty and Discount Programs Are Not Prohibited
The CCPA leaves businesses in uncertain territory when balancing the requirement not to discriminate against consumers for exercising their opt-out rights with programs that are based on the use of the very personal information for which the consumer has requested deletion or use limitation. The CPRA seeks to remove some of this uncertainty by expressly stating that loyalty, rewards, premium features, discounts, and club card programs are not prohibited. However, these programs are permitted only if they are “consistent with the [CCPA],” which reintroduces some of the uncertainty regarding what programs are permitted under the CCPA’s non-discrimination provisions.
Cross-Context Behavioral Advertising Not a Sale
The CPRA defines cross-context behavioral advertising as the targeting of advertising to a consumer based on the consumer’s personal information obtained from the consumer’s activity across businesses other than the one with which the consumer is interacting. In an apparent attempt to clarify the meaning of “sale” under the CCPA, the CPRA treats a business engaged in cross-context behavioral advertising as “sharing” personal information, and such sharing is expressly excluded from the definition of “sale.” In addition, the CPRA differentiates cross-context behavioral advertising from “advertising and marketing services” and states that it does not qualify as a business purpose under the CPRA.
WHAT THIS MEANS FOR YOU
If your organization is covered by the CCPA due only to the collection of information from over 50,000 consumers, households, or devices, passage of the CPRA may warrant a reassessment of the applicability of the CCPA.
If your organization has already made efforts to comply with the CCPA, then the CPRA will require you to take additional steps to build out your compliance program. Although the enforcement deadline is not until July 1, 2023, it may be prudent to review your data inventory soon and implement measures to isolate the categories that will be considered “sensitive” under the CPRA. If this data is currently mixed with all other data and is not easily parsed, preparing to comply with a “Limit the Use of My Sensitive Personal Information” request may require significant time to change your workflows and infrastructure.