Things You Should Know Leading Up to World Data Privacy Day 2021

Bond Schoeneck & King PLLC

Bond Schoeneck & King PLLC

[co-author: Shannon Knapp]

New Year, New Rules: California Passes the California Privacy Rights Act

On Election Day, Nov. 3, 2020, California voters were tasked with more than casting their votes in the presidential election. Californians also voted on California Proposition 24, which is the California Privacy Rights Act (CPRA). Proposition 24 passed, receiving about 56% of the vote. Proposition 24 both supplements and revises certain aspects of the California Consumer Privacy Act (CCPA), the first domestic data privacy statute of its kind, which was signed into law in 2018.

To date, California is the only state that has a comprehensive consumer data privacy law in place. The CCPA’s main provisions took effect on Jan. 1, 2020, and regulations implementing the CCPA became effective on Aug. 14, 2020. Since its inception, the CCPA has been periodically edited, clarified and changed by the legislature. Of note, on Sept. 25, 2020, the California governor, Gavin Newsom, signed a bill establishing new exemptions under the CCPA for certain types of medical and health information. Other nonsubstantive changes were implemented on Sept. 30, 2020.

However, the biggest change to California’s privacy law came with the passing of the CPRA. Although the law does not become effective until Jan. of 2023, enforcement agencies may review a business’s compliance with the CPRA as of Jan. 2022 when assessing penalties for violation of the law. Just as businesses started to become compliant with CCPA, new regulations under the CPRA will require additional measures to be taken by businesses to protect consumers’ information. Some of the many changes under CPRA are detailed below.

Business Specific Changes

The CPRA changes the definition of covered “businesses” in several respects. On the one hand, it expanded the definition of “business” to include certain types of joint ventures and partnerships that were not included under the CCPA. The CPRA also includes businesses that voluntarily agree to be subject to it. On the other hand, the CPRA narrowed the definition of covered businesses by increasing the threshold for coverage based on the collection of consumer information. Under CCPA, a business that collected the personal information of 50,000 or more California consumers, households, or devices was subject to the CCPA. Under the CPRA, that number is now 100,000.

Much like the EU’s notorious General Data Protection Regulation (GDPR), the CPRA requires data minimization. This means that businesses must minimize the use, retention and sharing of personal information to “what is reasonably necessary and proportionate to achieve the purposes” for which the information was collected. In other words, covered businesses must take inventory of their data collection and retention practices and determine whether the information collected is necessary for the operation of their business. If it is not, it should not be collected.

The CPRA also extended the CCPA’s limited employee and business-to-business exemptions until Jan. 1, 2023. These exemptions limit data subject rights for employees, job applicants and independent contractors.

Consumer Rights Changes

In terms of consumers’ rights, the CPRA made changes to the right to know, the right to correct and the right to delete provisions. It removed the CCPA’s 12-month lookback period, drastically expanding the right to know. This change gives consumers the right to request information that predates the previous 12 months. The right to correct was created under CPRA. This right allows a consumer to request that a business correct any inaccurate personal information it maintains about them. Lastly, the CPRA creates the right to delete, allowing consumers to request that a business delete their data. However, businesses can deny a person’s request to delete such data when maintaining the information is “reasonably necessary and proportionate” to security and integrity purposes.

Further, the CPRA allows consumers to stop a business from sharing their personal information with third parties for the purpose of engaging in “cross-context behavioral advertising,” which is essentially targeted advertising. Businesses can comply by either displaying an opt-out link that states “do not sell or share my personal information,” or by following the consumer’s preferences communicated through a cross-platform global privacy control.

In addition, the CPRA created a new category of information called “sensitive personal information” that is entitled to additional protections. Broadly defined, sensitive personal information includes government-issued identifiers, account credentials, financial information, precise geolocation, race or ethnic origin, religious beliefs, contents of certain types of messages, genetic data, biometric information and more.

Lastly, the CPRA expanded breach liability for the unauthorized access or disclosure of email addresses and passwords, or security questions, that would permit access to accounts if businesses fail to maintain adequate security.

Enforcement Agency

One of the most significant changes introduced by the CPRA is the establishment of the California Privacy Protection Agency, which is tasked with implementing and enforcing California privacy laws. The agency will be governed by a five-member board. The chair and one member will be appointed by the governor. The attorney general, the speaker of the assembly, and the Senate Rules Committee each get to select one of the additional seats. It is expected that the members of the board will be announced at the end of Jan. 2021. Although the new agency has enforcement power, the California attorney general still retains the power to enforce the CPRA through civil penalties. The agency, once assembled, will be tasked with clarifying and making new rules concerning the CCPA and CPRA.

[View source.]

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Bond Schoeneck & King PLLC | Attorney Advertising

Written by:

Bond Schoeneck & King PLLC

Bond Schoeneck & King PLLC on:

Reporters on Deadline

"My best business intelligence, in one easy email…"

Your first step to building a free, personalized, morning email brief covering pertinent authors and topics on JD Supra:
*By using the service, you signify your acceptance of JD Supra's Privacy Policy.
Custom Email Digest
- hide
- hide

This website uses cookies to improve user experience, track anonymous site usage, store authorization tokens and permit sharing on social media networks. By continuing to browse this website you accept the use of cookies. Click here to read more about how we use cookies.