1. ADDITIONAL PRIVACY NOTICE DISCLOSURE OBLIGATIONS
Once the CPRA goes into effect, companies must include “sensitive personal information” in their privacy notice to California consumers, disclosing whether or not the company collects, sells, or shares such information. The privacy notice must also disclose the company’s retention policy for each category of personal information.
2. NEW RIGHTS FOR “SENSITIVE PERSONAL INFORMATION”
The CPRA creates additional consumer rights and protections for “sensitive personal information," which includes particularly sensitive matters such as social security numbers, the contents of electronic communications, and protected class characteristics. California consumers will have the ability to direct a business to limit its use of such information to specified purposes. To enable consumers to exercise this right, any business that collects or uses “sensitive personal information” must either post a “Limit the Use of My Sensitive Personal Information” button on its website or have a single button that allows consumers to limit the use of all personal information (including “sensitive personal information”).
In addition to the categories of “third-party vendors” and “service providers” under the CCPA, the CPRA adds “contractor” as a distinct class of regulated entities. A contractor is a third party to whom a business makes consumer’s personal information available for a business purpose. In contrast, a service provider is a person or entity that processes personal information on behalf of a business. As with service providers, contractors must enter into a written contract and agree to take appropriate steps to protect covered electronic data.
4. NO MORE “CURE PERIOD”
Enforcement of the CCPA includes a 30-day “cure period” following notice of non-compliance from the California Attorney General during which a business has the opportunity to cure the alleged non-compliance without penalty. Once the CPRA takes effect, companies will no longer have the advantage of this 30-day “cure period” before incurring potential civil penalties.
5. “SHARING” OF PERSONAL INFORMATION IS NOW REGULATED
The CCPA primarily governed the “sale” of personal information. The CPRA adds requirements with respect to “sharing” personal information, including sharing a consumer’s personal information for cross-contextual behavioral advertising “whether or not for monetary or other valuable consideration.” Consumers will have the right to opt-out of the sharing of personal information, to request to know what personal information about them is shared and with whom, and to request the deletion of shared personal information.
6. CONSUMERS MAY REQUEST CORRECTION
Adding to consumers’ data rights, the CPRA enables consumers to request the correction of inaccurate personal information about the consumer that a business has or uses, similar to consumers’ rights with respect to consumer financial reporting agencies. Each covered business must use commercially reasonable efforts to make a consumer’s requested corrections.
7. ADDITIONAL OBLIGATIONS FOR REQUESTS TO DELETE PERSONAL INFORMATION
Upon receipt of a consumer’s request to delete personal information, the CPRA mandates that the business must notify all contractors, service providers, and third-party vendors to whom it has sold or shared personal information and instruct each to delete the consumer’s personal information. Service providers and contractors are required to cooperate with the business to delete personal information and must also instruct any of their own service providers, contractors, or third-party vendors to comply with the deletion request.
8. ESTABLISHMENT OF THE CALIFORNIA PRIVACY PROTECTION AGENCY
Whereas enforcement of the CCPA is only one of the many responsibilities delegated to the California Attorney General, the CPRA will establish and provide funding for a new regulator dedicated to CPRA enforcement: the California Privacy Protection Agency (CPPA). We anticipate that establishing the CPPA as an agency entirely focused on privacy laws will significantly increase future enforcement of privacy laws in California.
9. NEW AND AMENDED THIRD-PARTY CONTRACTS
Each business that sells or shares consumer personal information is required under the CPRA to enter into an agreement with each recipient to specify the purpose for the sale or sharing of personal information and to obligate the third party to comply with CPRA.
10. DATA MINIMIZATION
In a manner similar to practices established under the European Union’s General Data Protection Regulation (GDPR), the CPRA establishes a policy of data minimization under which a business may only keep consumer personal information for limited purposes, provided that such purposes have been disclosed to the consumer. In general, a business’s collection, use, retention, and sharing of a consumer’s personal information must be “reasonably necessary and proportionate to achieve the purpose for which the personal information was collected or processed."
Although the CPRA will make significant changes to data privacy practices, the CCPA remains in effect and will continue to be enforced by the California Attorney General.