[co-author: Shannon Knapp]
New Year, New Rules: California Passes the California Privacy Rights Act
On Election Day, Nov. 3, 2020, California voters were tasked with more than casting their votes in the presidential election. Californians also voted on California Proposition 24, which is the California Privacy Rights Act (CPRA). Proposition 24 passed, receiving about 56% of the vote. Proposition 24 both supplements and revises certain aspects of the California Consumer Privacy Act (CCPA), the first domestic data privacy statute of its kind, which was signed into law in 2018.
To date, California is the only state that has a comprehensive consumer data privacy law in place. The CCPA’s main provisions took effect on Jan. 1, 2020, and regulations implementing the CCPA became effective on Aug. 14, 2020. Since its inception, the CCPA has been periodically edited, clarified and changed by the legislature. Of note, on Sept. 25, 2020, the California governor, Gavin Newsom, signed a bill establishing new exemptions under the CCPA for certain types of medical and health information. Other nonsubstantive changes were implemented on Sept. 30, 2020.
However, the biggest change to California’s privacy law came with the passing of the CPRA. Although the law does not become effective until January 2023, enforcement agencies may review a business’s compliance with the CPRA as of January 2022 when assessing penalties for violation of the law. Just as businesses started to become compliant with the CCPA, new regulations under the CPRA will require businesses to take additional measures to protect consumers’ information. Some of the many changes under the CPRA are detailed below.
Business-Specific Changes
The CPRA changes the definition of covered “businesses” in several respects. On the one hand, it expanded the definition of “business” to include certain types of joint ventures and partnerships that were not included under the CCPA. The CPRA also includes businesses that voluntarily agree to be subject to it. On the other hand, the CPRA narrowed the definition of covered businesses by increasing the threshold for coverage based on the collection of consumer information. Under CCPA, a business that collected the personal information of 50,000 or more California consumers, households, or devices was subject to the CCPA. Under the CPRA, that number is now 100,000.
Much like the EU’s notorious General Data Protection Regulation (GDPR), the CPRA requires data minimization. This means that businesses must minimize the use, retention and sharing of personal information to “what is reasonably necessary and proportionate to achieve the purposes” for which the information was collected. In other words, covered businesses must take inventory of their data collection and retention practices and determine whether the information collected is necessary for the operation of their business. If it is not, it should not be collected.
The CPRA also extended the CCPA’s limited employee and business-to-business exemptions until Jan. 1, 2023. These exemptions limit data subject rights for employees, job applicants and independent contractors.
Consumer Rights Changes
In terms of consumers’ rights, the CPRA made changes to the right to know, the right to correct and the right to delete provisions. It removed the CCPA’s 12-month lookback period, drastically expanding the right to know. This change gives consumers the right to request information that predates the previous 12 months. The right to correct was created under CPRA. This right allows a consumer to request that a business correct any inaccurate personal information it maintains about them. Lastly, the CPRA creates the right to delete, allowing consumers to request that a business delete their data. However, businesses can deny a person’s request to delete such data when maintaining the information is “reasonably necessary and proportionate” to security and integrity purposes.
Further, the CPRA allows consumers to stop a business from sharing their personal information with third parties for the purpose of engaging in “cross-context behavioral advertising,” which is essentially targeted advertising. Businesses can comply by either displaying an opt-out link that states “do not sell or share my personal information,” or by following the consumer’s preferences communicated through a cross-platform global privacy control.
In addition, the CPRA created a new category of information called “sensitive personal information” that is entitled to additional protections. Broadly defined, sensitive personal information includes government-issued identifiers, account credentials, financial information, precise geolocation, race or ethnic origin, religious beliefs, contents of certain types of messages, genetic data, biometric information and more.
Lastly, the CPRA expanded breach liability for the unauthorized access or disclosure of email addresses together with passwords or security questions that would permit access to accounts, where businesses fail to maintain adequate security.
One of the most significant changes introduced by the CPRA is the establishment of the California Privacy Protection Agency, which is tasked with implementing and enforcing California privacy laws. The agency will be governed by a five-member board. The chair and one member will be appointed by the governor. The attorney general, the speaker of the assembly, and the Senate Rules Committee each get to select one of the additional seats. It is expected that the members of the board will be announced at the end of Jan. 2021. Although the new agency has enforcement power, the California attorney general still retains the power to enforce the CPRA through civil penalties. The agency, once assembled, will be tasked with clarifying and making new rules concerning the CCPA and CPRA.