The Situation: Less than one year after the California Consumer Privacy Act ("CCPA") became effective, California voters approved the California Privacy Rights Act ("CPRA"), a consumer privacy ballot initiative that amends and expands the CCPA.
The Issues: The CPRA affords California residents significantly more control over their personal information, imposes heightened compliance obligations on covered businesses, and establishes a new enforcement agency dedicated to consumer privacy.
Looking Ahead: The CPRA's substantive provisions become effective January 1, 2023, and new regulations are expected to be introduced by July 1, 2022. Covered businesses therefore should monitor regulatory developments and carefully review their privacy compliance programs to address the law's key changes.
On November 3, 2020, California voters approved the CPRA, a consumer privacy ballot initiative that introduces significant amendments to the landmark CCPA. The CPRA will become law as written and grants the Attorney General, and subsequently the newly established California Privacy Protection Agency ("CalPPA"), the authority to adopt regulations on a range of issues. Although the law's substantive provisions do not become effective until January 1, 2023, companies should begin assessing compliance obligations in light of the CPRA's newly introduced consumer rights and extensive changes to existing CCPA business requirements. Until then, the CCPA will remain in force.
Below we outline some of the CPRA's more impactful provisions.
Altered Scope of Covered "Businesses"
The CPRA modifies the threshold requirements for covered "businesses" that collect consumers' personal information. A for-profit entity doing business in California must meet one of the three amended thresholds to become a "business":
The CPRA also alters the scope of other entities that must comply with the law:
New Category of "Sensitive Personal Information"
The CPRA creates a new category of personal information called "sensitive personal information," which includes, among other data elements, a consumer's identification numbers (e.g., Social Security number or driver's license number), financial information, account log-in credentials, precise geolocation, racial and ethnic information, personal communications, genetic data, biometric or health information, and information about one's sex life or sexual orientation.
New and Revised Consumer Rights
The CPRA grants consumers new rights:
The CPRA also modifies the obligations on businesses arising from existing CCPA consumer rights, including:
Expanded Notice at Collection Requirements
The CPRA expands businesses' notice obligations. Businesses must now inform consumers "at or before the point of collection" of, among other information: whether personal information is sold or shared; the collection, processing, and disclosure of "sensitive personal information"; and "the length of time the business intends to retain each category of personal information" or, if that is not possible, "the criteria used to determine such period."
Additional Third-Party Obligations for Service Providers, Third Parties, and Contractors
The CPRA introduces the term "contractors" defined as persons to whom a business makes available a consumer's personal information for a business purpose pursuant to a written contract with the business.
The CPRA imposes broader contracting requirements for businesses that sell, share, or disclose personal information to "service providers," "contractors," and "third parties." The agreement must, among other requirements: (i) specify that the information sold or disclosed by the business is "only for limited and specified purposes"; (ii) obligate the third party, service provider, or contractor to comply with the CPRA and "provide the same level of privacy protection as" required by the CPRA; (iii) require the third party, service provider, or contractor to notify the business if it can no longer meet its CPRA obligations; and (iv) allow the business to "take reasonable and appropriate steps to stop and remediate unauthorized use of personal information" and to ensure the receiving entity uses the personal information in a "manner consistent with the business's obligations" under the CPRA.
The newly created "contractor" designation also introduces contractual requirements, which, among other things, prohibit the contractor from sharing or selling personal information it receives; using or disclosing the personal information for any purpose other than those business purposes outlined in the contract; and combining the personal information with data received or collected through other means, subject to certain exceptions. Businesses should also review changes to the "service provider" contracting requirements to ensure existing agreements with such entities comply with the CPRA.
The CPRA also alters existing statutory exemptions, including:
Clear Reasonable Security Requirements
The CPRA introduces affirmative requirements for businesses to implement "reasonable security procedures and practices" for covered personal information. Notably, as discussed above, the CPRA requires that certain third parties, service providers, and contractors provide the "same level of privacy protection" as required of the covered business, potentially extending the obligation to provide reasonable security to entities other than the covered business itself.
Enforcement and Liability
The CPRA makes important changes concerning enforcement and liability, including:
Forthcoming Regulations and Enforcement
Businesses should closely monitor subsequent rulemakings under the CPRA, as the law grants the Attorney General, and subsequently the newly created CalPPA, the authority to issue regulations on a wide range of topics, including: updating the definitions of "deidentified," "unique identifiers," and "sensitive personal information"; identifying the circumstances under which service providers and contractors may combine personal information from multiple sources; and regulating businesses whose processing of personal information "presents significant risk to consumers' privacy or security" by requiring them to perform an annual cybersecurity audit and regular risk assessments. The CPRA calls for final regulations to be adopted by July 1, 2022, one year before the CPRA becomes enforceable.
Three Key Takeaways