In September 2019, Alastair Mactaggart, Board Chair and Founder of Californians for Consumer Privacy, put forward a new ballot initiative called the California Privacy Rights Act (“CPRA”). In June of this year, the CPRA received enough signatures to qualify for the November ballot. Last night, it passed.
About 56% of California voters approved the CPRA, legislation that, according to Mactaggart, signals “the beginning of a journey that will profoundly shape the fabric of our society by redefining who is in control of our most personal information and putting consumers back in charge of their own data.” The CPRA is generally considered more stringent than the existing California Consumer Privacy Act (“CCPA”), which has been enforceable by the Attorney General since July 1, 2020. The CPRA places California among the most protective jurisdictions in the world for personal information, and experts have called it “a bellwether for the country.”
The CPRA changes the privacy landscape in a number of unique and historic ways. It puts new limits on companies’ collection and use of personal information, triples fines for violations involving children’s information, and creates a first-of-its-kind enforcement arm called the California Privacy Protection Agency. Substantive provisions of the CPRA take effect on January 1, 2023.
Restrictions on Use of Sensitive Data
Under the CPRA, consumers are allowed to limit the use and disclosure of their “sensitive personal information,” which includes a person’s Social Security number, account log-in credentials, financial account information, and data concerning sexual orientation, amongst other categories of information. Similar to the “Do Not Sell My Personal Information” link under CCPA, the CPRA requires a “Limit the Use of My Sensitive Personal Information” link.
California Privacy Protection Agency
The CPRA creates the first government agency in the US focused solely on privacy, the California Privacy Protection Agency (“CPPA”), which will implement and enforce the CPRA. The agency is also tasked with building public awareness of privacy risks and providing guidance on privacy to businesses and consumers. The CPPA has the power to issue administrative fines for violations of the act: up to $2,500 per violation and up to $7,500 per intentional violation or per violation involving the personal information of a consumer under 16.
Furthermore, the CPPA will be able to issue regulations requiring businesses whose processing of personal information presents significant risk to consumers’ privacy or security to perform an annual cybersecurity audit and to submit regular risk assessments to the agency, with the scope of the audit scaled to the size and complexity of the business and the nature of its processing. The CPPA will share enforcement authority with the California Attorney General.
“Profiling” Disclosure Requirements
The CPRA also addresses businesses that engage in “profiling,” meaning automated processing of personal information to evaluate or predict a person’s characteristics, such as performance at work, economic situation, health, personal preferences, interests, reliability, behavior, location, or movements. The CPRA directs the CPPA to issue regulations governing consumers’ access and opt-out rights with respect to businesses’ use of automated decision-making technology, including profiling. Under those regulations, a business responding to an access request must provide meaningful information about the logic involved in the decision-making process and a description of the likely outcome of the process with respect to the consumer.
Contractual Cooperation Obligations for Information Shared with Service Providers and Third Parties
A business that sells or shares personal information with a service provider, contractor, or third party must enter into a contract with the recipient that, among other things, requires the recipient to provide the same level of privacy protection that the CPRA imposes on the business. In addition, the CPRA requires service providers and contractors to cooperate with the business in responding to a verifiable consumer request, and to delete, or enable the business to delete, the personal information collected about the consumer.
What This Means for You
The California Secretary of State is expected to certify last night’s election results in the coming weeks. The CPRA becomes effective five days after the date of certification. At that point, certain existing CCPA exemptions (including those for employee data and business-to-business processing), which were otherwise due to expire on January 1, 2021, are extended to January 1, 2023, and the CPPA is established so that rulemaking can begin. Rulemaking under the CPRA must be completed by July 1, 2022. The CPRA’s substantive provisions become operative on January 1, 2023, applying to personal information collected on or after January 1, 2022, and civil and administrative enforcement of the new provisions begins on July 1, 2023.
It is important for businesses to realize that meeting the CPRA’s requirements is extensive and time-consuming work. For that reason, though the 2023 deadline may seem distant, covered businesses should begin planning now. For instance, it may make sense to start building an accurate data inventory, identifying and segregating the categories of sensitive personal information the business holds, reviewing contracts with service providers, contractors, and third parties against the new contractual requirements, and documenting any automated decision-making or profiling so that it can be explained in response to access requests.