Before businesses can even breathe a sigh of relief for getting into compliance with the California Consumer Privacy Act (“CCPA”), they will now need to gear up for yet another first-of-its-kind privacy law in the form of the California Privacy Rights Act (“CPRA”). The CPRA, enacted by ballot initiative Proposition 24, appears to have passed with approximately 56% of the vote, though ballot results will not be certified until December 11.
The CPRA, sometimes dubbed “CCPA 2.0,” amends and expands the CCPA, keeping certain provisions in place while revising or adding new provisions. All businesses, especially those collecting sensitive personal information or information of minors, should re-evaluate their data collection, sharing, and use practices again in light of the new law and make necessary changes.
Select key provisions of CPRA include the following:
- California Privacy Protection Agency (“CPPA”) – CPRA creates an independent agency – the first of its kind – with authority and jurisdiction to implement and enforce the CCPA. With an agency focused solely on privacy enforcement, businesses can expect much more rigorous enforcement of privacy laws in California. The CPPA would take over authority for issuing regulations from the Attorney General’s office, and it will be interesting to see how this new agency functions and what its enforcement priorities will be.
- Sensitive Personal Information – CPRA introduces a new category of personal information called “sensitive personal information” encompassing health data, sexual orientation, race, origin, geolocation, financial data, genetic data, biometric data, social security number, driver’s license, etc. It also allows consumers the right to limit the use and disclosure of such sensitive personal information by businesses. Accordingly, businesses may need to add yet another link to their website homepage to allow consumers to exercise their rights to limit the use of their sensitive information.
- Behavioral Advertising – Importantly, the CPRA attempts to address the gray area in the CCPA regarding whether opt-out rights applicable to data “sales” apply to the sharing of personal information for behavioral advertising. The CPRA explicitly extends consumer opt-out rights to the sharing of personal information by a business to a third party for “cross-context behavioral advertising.” Many companies may have already been treating such data sharing as a potential “sale” under the CCPA, in which case, the CPRA may not require further significant modifications to current practices. But companies that were taking the position that the opt-out right did not apply to behavioral advertising will have to alter their practices.
- Definition of Covered Businesses – CPRA modifies the definition of a “business” to include only those businesses that collect the information of 100,000 California consumers or households. This threshold is double the current trigger of 50,000 California consumers or households. However, CPRA will not be effective until 2023, so businesses that meet the current 50,000 threshold must comply with the CCPA in the interim. Additionally, the CPRA expands its application to businesses that derive 50% of their revenue from selling – or “sharing” – personal information.
- Expanded Consumer Rights – CPRA will give consumers additional rights, such as the right to correct their data, the right not to be retaliated against for exercising their rights, the right to prevent companies from storing their data longer than necessary, the right to opt out of companies tracking precise geolocation within less than 1/3 of a mile, etc. Consumers’ Right to Know will also be expanded under the CPRA to include all information collected about them, as opposed to only information collected by the business in the past 12 months.
- Increased Liabilities – The CPRA leaves in place the CCPA’s private cause of action for data breaches, but adds consumer login credentials, such as email and password or security questions and answers, to the types of data that trigger the private right of action. The CPRA also triples fines related to the collection and sale of personal information of minors.
The CPRA becomes effective January 1, 2023, but businesses will need to comply with certain provisions and requirements with respect to information collected as of January 1, 2022. Covered businesses must still comply with the CCPA, and enforcement of the CCPA by the Attorney General is expected to continue in the meantime.