Before we could know the efficacy of the California Consumer Privacy Act of 2018 (CCPA), which became effective January 1, 2020, California residents voted to enact the California Privacy Rights Act of 2020 (CPRA), which takes effect January 1, 2023. The CPRA makes several amendments to the CCPA, such as granting new rights to consumers, imposing greater penalties on businesses for certain violations, and creating a new state enforcement agency. The CPRA also enacts protections for the personal information of children under the age of 16.
While the CPRA will not take effect until January 1, 2023, it is important for businesses to understand how the CCPA will be impacted. The chart below is not exhaustive, but highlights some of these changes:
Effect on the CCPA
Broadens and Restricts the Entities Subject to the Act
In addition to businesses that buy or sell personal information, the CPRA expands the CCPA’s reach to include businesses that share personal information. The CPRA, however, narrows the application of the CCPA to only those businesses that buy, sell, or share the personal information of 100,000 or more consumers or households, which is an increase from the original 50,000 threshold. This will limit the applicability to small and midsize businesses.
Broadens the Type of Personal Information Subject to the Act
The CCPA will now apply to a new dataset called “sensitive personal information,” which may include Social Security Numbers, driver’s license numbers, account log-in or debit/credit card information in combination with a password or PIN, among other pieces of information. This category is subject to new disclosure and purpose limitation requirements.
Consumers Have the Right to Opt-Out of Cross-Context Behavioral Advertising
Consumers will now have the right to opt out of “cross-context behavioral advertising,” or the collection of a consumer’s activities across different websites or even different devices for the purposes of personalized and targeted advertising. Consumers have this right regardless of whether the “cross-context behavioral advertising” constitutes a “sale” of personal information.
Business-to-Business and Employee Data
The CCPA’s exemption of business-to-business and employee data was set to expire January 1, 2021, but the CPRA extends these exemptions until January 1, 2023.
However, businesses must disclose to job applicants, employees, and independent contractors the categories of personal information that are collected and for what purpose. The CPRA also extends anti-discrimination and anti-retaliation rights to employees who exercise their rights.
Large Fines for Violations Involving Children’s Data
Fines are tripled for violations involving children’s information. The CCPA currently fines businesses $2,500 for each violation and $7,500 for intentional violations. Starting January 1, 2023, violations involving children’s data are fined the same as intentional violations.
Removal of Notice-and-Cure
Businesses will no longer be allowed a 30-day period to cure violations following notice of a violation.
California Privacy Protection Agency: New State Enforcement Agency
Allocates $10 million per year to a new state agency to investigate and enforce against violations of consumer privacy laws.
Once the CPRA takes effect, consumers should be presented with at least three opt-out choices:
Businesses must be vigilant about getting privacy compliance and privacy implementation correct on the first try since they will no longer have the ability to cure violations.
The above discussion is not exhaustive of all of the implications of the CPRA’s effect on the CCPA. Businesses should carefully evaluate privacy practices in light of these changes and adjust their policies and procedures accordingly.