California ballot initiative, Proposition 24, has passed. Less than a year after the California Consumer Privacy Act (CCPA) took effect, Californians voted on November 3rd to approve the California Privacy Rights Act (CPRA) which will amend and expand the CCPA. The CPRA, sometimes referred to as “CCPA 2.0,” will take effect on January 1, 2023, with an enforcement start date of July 1, 2023; but its new requirements will apply to personal information collected on or after January 1, 2022.
The History of the CCPA and CPRA
To understand the CPRA, it is helpful to look at the history of the CCPA. Two years ago, prior to the 2018 election, a consumer advocacy group called Californians for Consumer Privacy developed a ballot initiative that would become the precursor to the CCPA. Industry advocates opposed the ballot initiative, and in order to prevent it from appearing on the 2018 ballot, passed the CCPA as a legislative compromise. Several amendments to the CCPA have since followed, as well as, implementing regulations drafted by the California Attorney General. Disappointed that the CCPA provided what they believed were weaker consumer protections than the original ballot initiative, Californians for Consumer Privacy drafted the CPRA which was included on the 2020 ballot. In many respects, the passage of the CPRA brings California privacy law more in line with the European Union’s General Data Protection Regulation (GDPR).
Below are some of the key changes the CPRA will make to the CCPA:
Revises the Definition of “Business”
The CPRA revises the definition of a “business” to which the CCPA applies. Currently, the CCPA defines a “business” as an organization that does business in the State of California and that: (a) has annual gross revenues greater than $25 million; (b) annually buys, receives, sells, or shares for commercial purposes, the personal information of 50,000 consumers; or (c) derives 50% or more of its annual revenues from selling consumers’ personal information. With regard to the first threshold, the CPRA clarifies that the $25 million should be calculated as of January 1st of the preceding calendar year. The CPRA increases the second threshold from 50,000 consumers to 100,000 consumers. Finally, with regard to the third threshold, the CPRA includes revenue from sharing, in addition to selling, personal information.
Restricts Sharing, Not Just Selling, of Personal Information
The CPRA expands the right for consumers to opt-out of the sale of their personal information to also include the sharing of their personal information for cross-contextual behavioral advertising, regardless of whether monetary consideration is exchanged. Cross-contextual behavioral advertising is when advertising is targeted to a consumer based on personal information obtained from the consumer’s activity on another business’ websites and applications.
Establishes the California Privacy Protection Agency (CPPA)
The CPPA will replace the California Office of the Attorney General (OAG) as the governmental agency tasked with implementation and enforcement of the CCPA. The creation of this new, dedicated agency likely will result in an increase in enforcement activity.
Extends the Employee and B2B Exemption
The CPRA extends until January 1, 2023, the CCPA’s exemptions for personal information collected for employment purposes and personal information collected in connection with business-to-business (B2B) communications. Previously, on September 29, 2020, California Governor Gavin Newsom signed into law an amendment (AB 1281) that extends the employee and B2B exemptions until January 1, 2022.
Establishes a New Category of Information Called “Sensitive Personal Information”
The CPRA establishes notice requirements related to the use of “sensitive personal information” and grants consumers the right to limit the collection and disclosure of this type of data. “Sensitive personal information” includes Social Security Number, driver’s license number, passport number; account log-in, financial account, debit card, or credit card number in combination with access code or password allowing access to the account; geolocation data; information about race, ethnicity, or religion; certain biometric, genetic, and health data; information about sexual orientation; and other information.
Grants Consumers the Right to Request that a Business Correct Inaccurate Personal Information About Them
In addition to the right to know, the right to delete, and the right to opt-out of a sale already provided by the CCPA, the CPRA adds a right for consumers to correct inaccurate information businesses hold about them.
Imposes Data Minimization and Data Retention Obligations on Businesses
The CPRA requires that a business’ collection, use, retention, and sharing of a consumer’s personal information “be reasonably necessary and proportionate to achieve the purposes for which the personal information is collected, or for another disclosed purpose.” A business must disclose the length of time it intends to retain each category of personal information.
Expands Consumers’ Private Right of Action
The CPRA expands the private right of action for breaches of unencrypted, unredacted personal information—which currently applies to a limited list of personal information—to also apply to the unauthorized access of an “email address in combination with a password or security question and answer that would permit access to an account.”
The CPRA will take effect on January 1, 2023. In the meantime, the California OAG continues to update and revise the CCPA regulations, just last month proposing new modifications to the “final” regulations. Separately, in Washington, D.C., the passage of federal privacy legislation in the U.S. Congress that would preempt such state laws remains a possibility, although perhaps a distant one.
Organizations should begin assessing their potential CPRA compliance obligations in advance of its effective date to determine how the CPRA may affect their business operations and to update their compliance programs as may be appropriate. As a starting point, many businesses may need to update their CCPA privacy notice to include information about their collection, use, and disclosure of “sensitive personal information,” their retention schedules for personal information, and consumers’ rights to correct and to opt-out of the sharing of personal information.