McAfee & Taft

In a November 2019 article titled “New year to ring in nation’s most comprehensive privacy law,” we gave an update on the California Consumer Privacy Act (CCPA), the nation’s most robust consumer privacy law that governs the collection of personal information by certain businesses regardless of whether they are physically located in California.

Nearly one year later, a majority of California voters approved the California Privacy Rights Act of 2020 (CPRA), which amends and expands the CCPA and establishes the nation’s first government regulator dedicated to consumer privacy.

CPRA: Brief overview

The CPRA was a ballot measure created by Californians for Consumer Privacy, the same nonprofit group that proposed the 2018 ballot initiative that ultimately led to the 2019 passage of the CCPA. Following the enactment of the CCPA, the group drafted a new ballot measure, Proposition 24, in an attempt to amend California’s privacy law to further mirror the European Union’s General Data Protection Regulation (GDPR).

Prop. 24 faced staunch opposition from numerous groups and coalitions such as the online advertising industry and other trade organizations as well as the American Civil Liberties Union of Northern California. Those opposing the law felt it was a premature amendment to the CCPA and ill-timed in view of the COVID-19 pandemic. California voters felt differently, however, as the law passed with 56.2% of California voters with over nine million voters in favor of the new law. While most of the CPRA’s amendments will not apply until 2022 at the earliest, the new law marks many firsts in U.S. data privacy law that may create significant risks for unprepared businesses.

What California’s privacy protection means for the rest of the nation

CCPA advocates have hoped California’s privacy law will pave the way for national consumer privacy reform. While a wide-sweeping federal consumer privacy law remains to be seen, lawmakers from both sides of the aisle have proposed federal privacy legislation within the last 18 months and 30 states proposed consumer privacy legislation in 2020.

With the passage of the CPRA amid a national pandemic, there is likely to be an increased push for new privacy laws at the federal level to ensure uniformity of U.S. regulation in a global economy. In the interim, businesses should be aware of how the CPRA modifies the CCPA and that similar laws may be adopted in other states across the nation.

Creation of the California Privacy Protection Agency

The most significant change by the CPRA may be the establishment of the California Privacy Protection Agency, the first government agency in the United States devoted solely to consumer data privacy laws. Prior to the CPRA’s passage, the California attorney general was responsible for interpreting and enforcing the CCPA. That rulemaking and enforcement authority will soon belong to the newly created five-member board the appointments for which should take place in early 2021. The new board will have its hands full, as the California attorney general has not yet finalized CCPA regulations and proposed new regulations as recently as December 10, 2020.

An expanded, but still limited, private right of action

The CCPA provides for a limited private right of action by private plaintiffs for breaches of non-encrypted, non-redacted personal information. The CPRA did not expand this right to any violation of California’s privacy law but does add the right for private plaintiffs to sue businesses for the unauthorized access or disclosure of a private email address along with a password or security question.

The CPRA also eliminated a key protection for businesses alleged to be non-compliant. Under the CCPA, businesses enjoy a 30-day cure period to remedy a violation following a formal notice of alleged noncompliance. The CPRA eliminates this cure period in 2022. The CPRA also tripled the maximum penalty for violations of the CCPA concerning consumers under the age of 16.

Continued exemptions for employees and business-to-business interactions

Amendments to the CCPA in November 2019 stalled CCPA applicability to employee/employer relationships and business-to-business interactions. The CPRA extends these limited exemptions through January 1, 2023.

New requirements for “contractor”

Amendments under the CPRA also create a new category of “contractors,” which broadens the applicability of the CCPA to any entity that receives a consumer’s personal information from a CCPA-covered business. Under the CPRA amendments, covered businesses will be required to enter into agreements with all “contractors” that include specific provisions such as limiting use of personal information to specified purposes and contractually requiring privacy protections equal to those required by the CCPA.

New consumer rights

The CPRA also expands consumers’ rights under the CCPA. Similar to the European Union’s GDPR, the CPRA amends the CCPA to require that the collection, use, retention and sharing of personal information by businesses is “proportional” to the purpose for which the personal information was collected. While the scope of “proportionality” is still unknown, enforcement and rulemaking by California’s new Privacy Protection Agency may provide guidance.

The CPRA also expands consumer’s rights to object to certain uses of their personal information as well as businesses’ obligations when responding to such requests. Under the CCPA, consumers have the right to opt out of the “sale” of their personal information. The CPRA expands this right to include opting out of the sharing of personal information for “cross-context behavioral advertising,” which is advertising targeting consumers using information from a consumer’s activity across different websites and applications. This amendment resolves uncertainty regarding how the CCPA applies to the online advertising industry, but may also expand the reach of the CCPA’s mandatory disclosures to non-advertising businesses, particularly those that use automated cookies to track online users. Problematically, questions still remain as to what actions will need to be taken by businesses and ad technology companies in response to these consumer opt-outs. Amendments under the CPRA will also require that covered businesses pass consumer deletion requests on to service providers and third parties to which the business has shared or sold information and service providers must pass these deletion requests on to their subcontractors.

What comes next

The CPRA’s passage signifies a continued push for consumer privacy reform that is likely to only increase in 2021. Although the majority of the CPRA’s amendments will not go into effect until January 1, 2023, several of its provisions will apply to personal information collected on or after January 1, 2022. Additionally, the CPRA did not stall the applicability of the originally-passed CCPA, which remains in effect and will soon be enforced by California’s new Privacy Protection Agency. As a result, businesses should take the time now to review their privacy policies and vendor agreements to ensure compliance with the CCPA and other privacy laws as well as to prepare for the CPRA and potentially new state and federal privacy laws in this rapidly evolving regulatory landscape.