On May 4, 2020, Californians for Consumer Privacy announced that it submitted over 900,000 signatures to qualify the California Privacy Rights Act of 2020 (“CPRA”) for California’s November 2020 ballot. With the California Consumer Privacy Act of 2018 (“CCPA”) set to become enforceable on July 1, 2020, this new ballot initiative has left many wondering what the CPRA is and whether the CPRA will become law. We explore these questions further below.
What Is the California Privacy Rights Act of 2020?
Californians for Consumer Privacy, the same group responsible for introducing legislation that led to the creation of the CCPA, submitted the CPRA as a new ballot initiative to “strengthen” California privacy law and address what it describes as efforts by companies to “actively and explicitly prioritize weakening the law” and the evolution of “technological tools . . . that exploit a consumer’s data with potentially dangerous consequences.” The CPRA proposes a number of revisions to the CCPA to address ambiguities and overly burdensome requirements, while simultaneously introducing new privacy and security obligations for covered businesses.
Below is a list of highlights from the CPRA:
- Revises and expands the scope of covered “businesses” under Cal. Civ. Code § 1798.140(d). The CPRA:
- Narrows the second quantitative “business” threshold to only be met when the entity “[a]lone or in combination, annually buys or sells, or shares the personal information of 100,000 or more consumers or households.” (emphasis added) This departure from the text of the CCPA (which applies to a business that buys, receives, sells or shares the personal information of 50,000 or more consumers, households or devices) may help to exclude some smaller companies from coverage;
- Clarifies the indirect “business” definition applies only to entities controlling or controlled by a “business” that share common branding with the business in a manner the average consumer would understand as signifying common ownership, and with whom the business shares consumers’ personal information, which further helps to exclude separately-operated entities;
- Adds “[a] joint venture or partnership composed of businesses in which each business has at least a 40 percent interest,” but specifies that the JV or partnership and each business are treated as a separate, single business so long as personal information shared by one business with the JV or partnership is not shared with the other business, which may allow a business to avoid “sales” to the JV or partnership; and
- Adds “[a] person that does business in California and that voluntarily certifies to the California Privacy Protection Agency that it is in compliance with, and agrees to be bound by,” the CPRA.
- Adds a second category of personal information—“sensitive personal information.” The CPRA adds a new category of personal information under Cal. Civ. Code § 1798.140(ae)—“sensitive personal information,” which is defined as not publicly available:
- Personal information that reveals
- A consumer’s social security, driver’s license, state identification card, or passport number;
- A consumer’s account log-in, financial account, debit card, or credit card number in combination with any required security or access code, password, or credentials allowing access to an account;
- A consumer’s precise geolocation;
- A consumer’s racial or ethnic origin, religious or philosophical beliefs, or union membership;
- The contents of a consumer’s mail, email and text messages, unless the business is the intended recipient of the communication;
- A consumer’s genetic data;
- Biometric information processed for the purpose of uniquely identifying a consumer;
- Personal information collected and analyzed concerning a consumer’s health; or
- Personal information collected and analyzed concerning a consumer’s sex life or sexual orientation.
This new category of personal information will require businesses to provide transparent disclosures about sensitive data they process and will subject businesses to heightened restrictions on its use.
- Broadens the notice at collection. The CPRA broadens the obligation of a business to provide notice to a consumer “at or before the point of collection” under Cal. Civ. Code § 1798.100 to include not only “the categories of personal information to be collected and the purposes for which the categories of personal information shall be used” but also:
- Whether such information is sold or shared;
- Separate disclosures for “sensitive personal information” collected, its purpose for collection and use, and whether such information is sold or shared; and
- The length of time the business intends to retain each category of personal information or the criteria used to determine such period.
In addition, the CPRA clarifies that notice at collection must be provided in a “clear and conspicuous manner” at a physical location when the business collects personal information about a consumer on its premises. Businesses should still be able to provide the notice at collection through its privacy notice, but that notice will need to be
- Adopts an explicit, overarching purpose-limitation obligation. The CPRA imposes an overarching purpose limitation provision in Cal. Civ. Code § 1798.100, requiring a business to collect, use, retain and share a consumer’s personal information only as “reasonably necessary and proportionate to achieve the purposes for which the personal information was collected or processed, or for another disclosed purpose that is compatible with the context in which the personal information was collected, and not further processed in a manner that is incompatible with those purposes.” This provision would codify a key concept found in the Fair Information Practice Principles and the General Data Protection Regulation (“GDPR”) that many companies already endeavor to implement regardless of legal obligation, meaning the new limitation is unlikely to have a significant impact on most businesses’ operations.
- Adds new consumer rights and revises existing obligations.
- Right to Know Categories and Specific Pieces of Personal Information. The CPRA maintains the right to know categories and specific pieces of personal information in Cal. Civ. Code §§ 1798.110–115. However, for personal information collected on or after January 1, 2022, the CPRA expands consumers’ right to know beyond the current 12-month look-back in Cal. Civ. Code § 1798.130, so long as providing information beyond the 12-month period does not prove impossible and would not involve disproportionate effort. In time, this obligation would significantly increase the amount of data subject to a consumer’s right to know and bring California access rights closer in line with those provided in the European Union.
- New Right to Correction. The CPRA adds a new right in Cal. Civ. Code § 1798.106 (Right to Correction), which grants consumers a right to request a business correct inaccurate personal information maintained about the consumer, taking into account the nature of the personal information and the purposes of the processing of the personal information. Many businesses provide consumers this functionality regardless of legal obligation, but the stakes for properly implementing a correction mechanism increase when required by law.
- New Right to Limit Use and Disclosure of Sensitive Personal Information. The CPRA adds a new right in Cal. Civ. Code § 1798.121, which grants consumers a right to direct a business to limit its use of the consumer’s sensitive personal information to that use which is necessary to perform the services or provide the goods reasonably expected by an average consumer who requests such goods or services, to perform certain enumerated services set forth in Cal. Civ. Code § 1798.140(e), and as authorized by future CPRA regulations. The business is required to create a “Limit the Use of My Sensitive Personal Information” link on its online services pursuant to Cal. Civ. Code § 1798.135, or a combined sensitive personal information, sale and sharing opt-out link. Alternatively, the business can respect automated opt-out preference signals. Notably, the CPRA requires businesses to pass these limitations down to service providers and contractors. However, there is an exception for sensitive personal information that is collected or processed without the purpose of inferring characteristics about a consumer. These heightened restrictions and opt-out options for sensitive personal information increase the complexity and burden of compliance for businesses, particularly when considering how to present both a “Do Not Sell/Share” option and “Limit My Sensitive Personal Information” option.
- Right to Opt Out of “Sales” or Sharing for Cross-Context Behavioral Advertising. The CPRA expands the right to opt out in Cal. Civ. Code § 1798.120 to include not only “sales” of personal information but also the “sharing” of personal information, which is defined in Cal. Civ. Code § 1798.140(ah) as the transfer or making available of “a consumer’s personal information by the business to a third party for cross-context behavioral advertising, whether or not for monetary or other valuable consideration.” By expanding the right to opt out to include the sharing of personal information for behavioral advertising purposes, the CPRA seeks to settle the debate of whether businesses need to provide consumers a right to opt out of third-party adtech cookie collection on the businesses’ online services.
- The CPRA revises the required link in Cal. Civ. Code § 1798.135 to “Do Not Sell or Share My Personal Information.” As an alternative to the “Do Not Sell” link, the business can respect automated opt-out preference signals.
- The CPRA also expands the anti-avoidance provision in Cal. Civ. Code § 1798.190 to include the disregard of steps or transactions taken “to purposely avoid the definition of sell or share by eliminating any monetary or other valuable consideration, . . . but where a party is obtaining something of value or use.”
- Right to Deletion. In response to a verifiable consumer deletion request in Cal. Civ. Code § 1798.105, the CPRA requires businesses to notify service providers and contractors, and all third parties to whom the business sold or shared personal information, to delete the consumer’s personal information from their records. In addition, the CPRA obligates service providers and contractors to cooperate with the business, delete the personal information and pass the deletion request downstream to parties who accessed the consumer’s personal information. However, the CPRA expands the exceptions to the right to deletion by indicating they apply any time it is reasonably necessary to maintain the consumer’s personal information to accomplish one of the pre-enumerated deletion exceptions. Businesses are likely to face significant challenges with this broad deletion flow-down requirement, particularly as it pertains to third parties to whom personal information was sold or shared. Not only is the requirement likely unworkable in non-service provider or contractor relationships, it could severely undermine the value of data in a license agreement. Depending on how this provision is interpreted, we would expect substantial pushback from the market.
- Right to Nondiscrimination. The CPRA maintains the right to nondiscrimination in Cal. Civ. Code § 1798.125 but clarifies that the right “does not prohibit a business from offering loyalty, rewards, premium features, discounts, or club card programs consistent with” the CPRA. However, it does prohibit a business from requesting a consumer provide opt-in consent for a financial incentive program for at least 12 months after the consumer last refused to provide opt-in consent. The explicit exception for loyalty, rewards, premium features, discounts, or club card programs consistent with the CPRA is a welcome addition after businesses’ efforts to get an amendment to the CCPA passed last year to address this issue failed.
- The CPRA defines “consent” in Cal. Civ. Code § 1798.140(h) as “any freely given, specific, informed and unambiguous indication of the consumer’s wishes . . . [signifying] agreement to the processing of personal information relating to him or her for a narrowly defined particular purpose.” This definition is closely aligned with the definition of consent found in the GDPR.
- New Regulatory Automated Decision-Making Technology Right. The CPRA adds an obligation to Cal. Civ. Code § 1798.185(a)(16) for the California Attorney General to adopt regulations “governing access and opt-out rights with respect to businesses’ use of automated decision-making technology, including profiling and requiring businesses’ response to access requests to include meaningful information about the logic involved . . . [and] a description of the likely outcome of the process with respect to the consumer.” Outside of the Washington Facial Recognition Law’s obligations for government agencies using facial recognition (a summary of which is available here), the proposed CPRA automated decision-making regulations would be a significant step toward governing the use of artificial intelligence and other automated decision-making platforms. The obligation to provide meaningful information about the logic involved in automated decision-making and the likely outcome of the process would potentially be difficult for most businesses today and would present new risks to businesses’ proprietary technologies.
- Expands contracting requirements.
- Overarching Contract Requirements. The CPRA creates an overarching contract requirement in Cal. Civ. Code § 1798.100(d) for businesses that sell, share or disclose for a business purpose the personal information of a consumer to a third party, service provider or “contractor” to enter into an agreement that:
- Specifies the information is sold or disclosed only for limited and specified purposes;
- Obligates the contracting party to comply with the CPRA and provide the same level of privacy protection as required by the CPRA;
- Requires the contracting party to notify the business if it can no longer meet its obligations under the CPRA; and
- Grants the business rights to take “reasonable and appropriate steps” to help ensure the contracting party uses the personal information in a manner consistent with the CPRA or to stop and remediate unauthorized use of personal information.
Although the CCPA already imposes contract obligations on service providers and the newly relabeled “contractors,” imposing contracting obligations with third parties would significantly increase the scope and flow-down impact of the CPRA on business transactions.
- New “Contractor” Label and Contract Specifications. In Cal. Civ. Code § 1798.140(j), the CPRA relabels the former non-third-party designation found in Cal. Civ. Code § 1798.140(w)(2) as a “contractor” designation, distinct from a “service provider” designation, and adds contractual limitations on the ability to combine the personal information received from or on behalf of multiple businesses, a contractual obligation to allow the business to monitor the contractor’s compliance with the contract, and to pass down “contractor” restrictions to any other person engaged to assist in the processing of personal information on behalf of the business. This revision likely seeks to resolve the debate of whether the formerly non-third-party designation is a distinct designation from the “service provider” designation, but, due to broad revisions to both definitions, there remains substantial overlap between the two designations that is likely to continue to add to the confusion.
- New “Service Provider” Contract Specifications. In Cal. Civ. Code § 1798.140(ag), the CPRA revises the definition of a “service provider” adding a contractual obligation not to sell or share personal information, a contractual restriction not to retain, use or disclose personal information outside the direct business relationship between the service provider and business, and a contractual limitation on the ability to combine the personal information received from or on behalf of multiple businesses. The new definition also expressly provides that the contract may permit the business to monitor the service provider’s compliance with the contract, and the service provider is obligated to pass down “service provider” restrictions to any other person engaged to assist in the processing of personal information on behalf of the business. Overall, these revisions are likely to have limited impact on the business and service provider relationship but may require updates to contractual language to ensure compliance with the law.
- Modifies statutory exceptions.
- Personnel/Employee Exception. The CPRA extends the sunset provision for the personnel/employee exception in Cal. Civ. Code § 1798.140(m) from January 1, 2021 to January 1, 2023.
- B2B Exception. The CPRA extends the sunset provision for the B2B exception in Cal. Civ. Code § 1798.140(n) from January 1, 2021 to January 1, 2023.
- Financial Information Exception. In Cal. Civ. Code § 1798.145(e), the CPRA revised the financial information exception to apply to “personal information collected, processed, sold, or disclosed subject to [formerly “pursuant to”] the federal Gramm-Leach-Bliley Act . . . , or the California Financial Information Privacy Act, . . . or the Federal Farm Credit Act of 1971.” (emphasis added) By changing one word in the exception (from “pursuant to” to “subject to”), the CPRA may be seeking to narrow the interpretation of the financial information exception. Without further regulator guidance, it is difficult to predict the true impact this revision may have.
- New Household Data Exception. In Cal. Civ. Code § 1798.145(p), the CPRA creates an exception for household data from Cal. Civ. Code § 1798.105 (Right to Deletion), 1798.106 (Right to Correction), and 1798.110–115 (Right to Know). This revision helps businesses avoid difficult verification process decisions that often arise when multiple people are connected to the same personal information.
- Trade Secret Exception. The CPRA clarifies in Cal. Civ. Code §§ 1798.100(f) and 1798.185(a)(3) that a business is not required to disclose trade secrets as part of its obligation to provide notice at collection or in response to a verifiable consumer request. Although the CCPA maintained a similar requirement for trade secrets and intellectual property rights to be addressed in the regulations, the California Attorney General has to date ignored this direction and failed to provide any guidance on this matter.
- Deidentified Information Exception. The CPRA revises the definition of “deidentified” information in Cal. Civ. Code § 1798.140(m) to mean “information that cannot reasonably be used to infer information about, or otherwise be linked to, a particular consumer,” (emphasis added) provided the business that possesses the information:
- takes reasonable measures to ensure the information cannot be associated with a consumer or household;
- publicly commits to maintain and use the information in deidentified form and not attempt to reidentify the information absent an exception; and
- contractually obligates any recipients of information to do the same.
By requiring businesses to publicly commit to deidentification practices, the CPRA creates heightened risks for claims of deceptive or unfair trade practices by businesses relying on the deidentified information exception.
- Public Information Exception. The CPRA expands the exception for publicly available information in Cal. Civ. Code § 1798.140(v)(2) to also include:
- lawfully obtained, truthful information that is a matter of public concern;
- information that a business has a reasonable basis to believe is lawfully made available to the general public by the consumer or from widely distributed media; or
- information made available by a person to whom the consumer has disclosed the information if the consumer has not restricted the information to a specific audience.
This revision brings true “public” information within the exception and would likely have a significant impact on the compliance posture of online consumer platforms, such as social media networks.
- Imposes a “reasonable security” obligation. In Cal. Civ. Code § 1798.100(e), the CPRA requires a business to “implement reasonable security procedures and practices appropriate to the nature of the personal information to protect the personal information from unauthorized or illegal access, destruction, use, modification, or disclosure in accordance with Section 1798.81.5.” This revision may cause existing California reasonable security obligations to extend to all personal information, as defined in the CPRA, rather than the narrower subset defined in the security laws. Moreover, this addition fills the gap left by the CCPA’s failure to impose a duty to implement reasonable security, causing potential confusion as to when the consumer private right of action applies in the wake of a data breach.
- Expands the breach private right of action, increases fines for children’s privacy violations, and creates new enforcement agency.
- Private Right of Action. The CPRA expands the private right of action in Cal. Civ. Code § 1798.150 to apply to “[a]ny consumer whose nonencrypted and nonredacted personal information, as defined in subparagraph (A) of paragraph (1) of subdivision (d) of Section 1798.81.5, or whose email address in combination with a password or security questions and answer that would permit access to the account, is subject to an unauthorized access and exfiltration, theft, or disclosure as a result of the business’s violation of the duty to implement and maintain reasonable security procedures and practices appropriate to the nature of the information.” (emphasis added) In addition, the CPRA clarifies the “implementation and maintenance of reasonable security procedures and practices pursuant to Section 1798.81.5 following a breach does not constitute a cure with respect to that breach,” such that the business could avoid a private suit. These revisions significantly increase litigation risk for businesses subject to a data breach, particularly given how frequently email addresses and passwords are exposed in security incidents.
- Fines for Children’s Privacy. The CPRA increases the fines in Cal. Civ. Code § 1798.155 to $7,500 for “violations involving the personal information of consumers whom the business, service provider, contractor or other person has actual knowledge is under 16 years of age.” As a result, ordinary CPRA violations relating to children’s personal information would be subject to three times the monetary fines currently available under the CCPA.
- New Administrative Enforcement Agency. In Cal. Civ. Code § 1798.199.10 et seq., the CPRA establishes the California Privacy Protection Agency, which is vested with full administrative power, authority and jurisdiction to implement and enforce the CPRA. In addition to administering, implementing and enforcing the CPRA, the California Privacy Protection Agency will also assume rulemaking responsibilities under the CCPA and CPRA, when ready. The creation of this new agency focused solely on consumer privacy would create a regulatory landscape in California similar to the data protection authority regime currently in place in the European Union and increase the resources available to undertake significant and numerous privacy-related investigations.
- New Call for Regulatory Requirements for Annual Risk Assessments and Cybersecurity Audits. The CPRA directs the California Attorney General to promulgate regulations to further clarify a number of compliance obligations under the law. Cal. Civ. Code § 1798.185(a)(15) calls for regulations requiring businesses “whose processing of consumers’ personal information presents a significant risk to consumers’ privacy or security” to perform an annual cybersecurity audit and submit a risk assessment to the California Privacy Protection Agency on a regular basis. The risk assessment requirement evokes the GDPR concept of the data privacy impact assessment, but goes further by requiring such assessments to be submitted to a regulatory body.
- Provides multiyear ramp-up period. If passed into law, the extensions of the personnel/employee exception and B2B exception, the creation of a “Consumer Privacy Fund,” the direction for the Attorney General to adopt regulations, and the establishment of the California Privacy Protection Agency become operative on the CPRA’s effective date. The remainder of the CPRA will become operative January 1, 2023, and, with the exception of the right of access, shall only apply to personal information collected by a business on or after January 1, 2022. Until then, the provisions of the CCPA remain in full force and effect. As a result, the full impact of the CPRA is unlikely to be felt for a number of years.
Will the California Consumer Privacy Rights Act Become Law?
The State of California grants its citizens the right to propose laws and constitutional amendments (“initiatives”) without the support of the Governor or Legislature. As outlined by the California Attorney General and California Secretary of State, the steps for an initiative to become law can be summarized as follows:
- Write the text of the initiative. This step can be completed solely by the initiative’s proponents, or the proponents may seek advice and assistance from private counsel or designated California government resources.
- Submit the initiative to the Attorney General for title, summary and public review. This step requires the proponents to submit the initiative draft to the Attorney General for official title and summary, during which time the Attorney General’s Office posts the initiative on its website and facilitates a 30-day public review and amendment process.
- Obtain sufficient signatures from registered California voters. This step provides proponents a maximum of 180 days to circulate initiative petitions and obtain signatures of registered California voters for initiative statutes equaling at least 5% of the total votes cast for the office of Governor at the last gubernatorial election (currently 623,212 votes). More votes are needed for constitutional amendments.
- Verify the signature totals with county election officials. Once the requisite number of signatures has been collected, the initiative petitions are filed with the appropriate county elections official(s), who are responsible for verifying the submitted signatures by:
- Conducting a raw count of the signatures within eight working days; and
- If the raw count equals 100 percent or more of the total number of signatures needed, verifying a random sample of the signatures in each county within 30 working days, the results of which are submitted to the Secretary of State to determine the projected statewide total of valid signatures.
- Qualify the initiative for the next California ballot. If the projected statewide total of valid signatures is greater than 110 percent of the required number of signatures, the Secretary of State will be able to certify that the initiative is eligible for the next statewide general election held at least 131 days later and will issue a certificate of qualification for the ballot. If the projected statewide total of valid signatures is between 95 percent and 110 percent of the required number of signatures, the Secretary of State will direct the county elections officials to verify every signature on the petition and only qualify the initiative if 100 percent of the required number of signatures are verified.
- Obtain sufficient approval from California voters for the ballot initiative to become law. A ballot initiative that is approved by a majority vote at the statewide general election takes effect the fifth day after the Secretary of State certifies the election results, unless the initiative provides otherwise.
On May 4, 2020, the Californians for Consumer Privacy announced that it submitted well over 900,000 signatures to qualify the CPRA for the November 2020 ballot. Based on these self-reported numbers, it is likely the CPRA will have sufficient verified signatures to qualify for the next statewide California general election held at least 131 days after verification. It is, however, difficult to predict the pace at which signatures may be verified, particularly as the United States faces an unprecedented health crisis due to the COVID-19 pandemic, so it remains too early to make a determination as to whether the CPRA is likely to meet its deadline.
If a sufficient number of the CPRA petition signatures are verified and the CPRA is qualified for a ballot vote, the Californians for Consumer Privacy currently predict 88 percent of California voters would vote YES to support a ballot measure expanding privacy protections for personal information, like the CPRA. As a result, there appears to be sufficient support for the CPRA to become law whether on this year’s or next year’s ballot. However, it is possible the California legislature will try to negotiate the withdrawal of the CPRA from the ballot, if qualified, in exchange for substantially similar amendments to the CCPA in order to avoid amendments being passed into law without substantive legislative input. It is important to note this is exactly what occurred when the CCPA qualified for the California ballot in 2018.
In summary, the CPRA appears to have garnered sufficient statewide support to either become law on its own or to put sufficient pressure on California lawmakers to make substantially similar amendments to the CCPA through the legislative process. Although a number of the amendments proposed by the CPRA would increase burden on businesses, there are also several amendments that would be beneficial to businesses by reducing ambiguity in the law and introducing more balanced compliance obligations. However, the CPRA still leaves significant gaps in compliance details to be addressed through the rulemaking authority of the California Attorney General and the proposed California Privacy Protection Agency. As a result, it is likely the CPRA will impact businesses’ compliance with California privacy law, but the full extent of the impact will continue to evolve as this proposed ballot measure makes its way through the lawmaking process.