Riding on the heels of the California Consumer Privacy Act’s (“CCPA”) recent enactment, Californians voted on November 3rd to pass Proposition 24, otherwise known as the California Privacy Rights Act of 2020 (“CPRA”). While California consumers are looking forward to broader privacy protection, businesses must adjust and enhance their privacy and data protection programs to comply with more stringent standards.
I. Effective Date of the CPRA
The CPRA becomes effective January 1, 2023; however, the law will retroactively apply to personal information (“PI”) that is collected beginning January 1, 2022 if an exception does not apply. Exceptions for certain business-to-business activity and business employees will extend until at least January 1, 2023. The CCPA will remain in effect until the CPRA goes into effect.
II. Key CPRA Provisions to Know
- Modified Covered Business Criteria
To be a covered business under the CCPA, a business had to meet one of three requirements. The CPRA modifies those requirements so that it both decreases and increases applicability to businesses. Notably, the CPRA decreases the applicability of the law to smaller businesses by increasing the threshold number of 50,000 to 100,000 consumers or households from which a covered business buys, sells, or shares PI. However, the CPRA increases applicability to businesses that share PI for cross-context behavioral advertising and businesses that derive at least 50% of their annual revenue from sharing or selling California consumers’ PI. Additionally, the CPRA extends its scope to include joint ventures or partnerships that are composed of covered businesses in which each business has at least a 40 percent interest.
- New Protection for Sensitive Personal Information
The CPRA creates a new category of sensitive personal information (“sensitive PI”) that is subject to disclosure and purpose limitation requirements. Sensitive PI includes a consumer’s government identification; financial account information; precise geolocation; race, ethnicity, religious or philosophical beliefs, or union membership; contents of mail, email, and text messages; genetic data; biometric or health data; and sex life or sexual orientation information. Under the CPRA, consumers can request that businesses limit the sale, sharing, and use of their sensitive PI. Businesses in turn must provide an opt-out mechanism for sensitive PI.
- New Limits on Sharing Personal Information for Targeted Advertising
The CPRA expands the CCPA’s limitations on the “sharing” of PI to include “cross-context behavioral advertising,” whether or not for monetary or other valuable consideration. Notably, consumers have an expanded right to opt out of the sharing of their data with third parties, including PI collected for cross-context behavioral advertising.
- New and Expanded Consumer Rights
The CPRA provides new consumer rights including the (a) right to correction; (b) right to opt out of automated decision-making technology; (c) right to access information about automated decision-making; and (d) right to restrict sensitive PI for certain “secondary” purposes. Additionally, the CPRA expands upon several rights already established in the CCPA. For example, a consumer’s right to delete has been modified so that businesses must notify third parties to delete consumer information bought or received.
- GDPR-Like Data Minimization and Retention Provisions
The CPRA highlights two new data principles similar to the GDPR: data minimization and retention limitation. Under the CPRA, businesses may only collect, use, and share PI if “reasonably necessary and proportionate to achieve the purposes for which the personal information was collected or processed…,” so businesses are unable to use collected PI for undisclosed purposes without proper notice to the consumer. Although the CCPA did not address data retention, the CPRA provides that data may not be retained for longer than is “reasonably necessary” for the disclosed purpose.
- Updated Vendor Contract Requirements
The CPRA adds a new term, “contractors,” which includes recipients of PI for processing made available to them by businesses according to a written contract. Additionally, the CPRA imposes new requirements on both contractors and service providers: (a) to notify businesses of engagement with sub-service providers or subcontractors and to bind those parties to the same written contract that is agreed to between the businesses and service providers; (b) to assist businesses in responding to privacy requests; and (c) a clarification that businesses must contractually prohibit service providers and contractors from combining PI with PI from other sources.
Additionally, businesses that sell, share, or disclose consumers’ PI to a third party, a service provider, or a contractor for a business purpose must include the following in their contracts:
- Specifications that the PI is sold or disclosed by the business only for limited and specified purposes;
- Obligations for third parties, service providers, or contractors to comply with all applicable CPRA obligations, including privacy protections as outlined within the CPRA;
- Provisions that grant the business a right to take reasonable and appropriate steps to help to ensure that third parties, service providers, or contractors process consumers’ PI in a manner consistent with the business’s obligations under the CPRA;
- Notification requirements for third parties, service providers, or contractors to notify the business if it determines that it can no longer meet its obligations under the CPRA; and
- A provision setting forth the right for the business, upon notice, to take reasonable and appropriate steps to stop and remediate unauthorized use of PI.
- New Security Standards
Unlike the CCPA, the CPRA sets forth specific security standards for covered businesses, which must “implement reasonable security procedures and practices appropriate to the nature of the personal information to protect the personal information from unauthorized or illegal access, destruction, use, modification, or disclosures.” Additional required compliance measures include conducting privacy impact assessments and cybersecurity audits for high-risk activities, and submitting them on a regular basis to the newly established California Privacy Protection Agency (“CalPPA”).
- Clarified Consent Obligations
- Defined Financial Incentives
Unlike the CCPA, the CPRA clearly outlines what constitutes a financial incentive for businesses that gather PI from consumers. Under the CPRA, a consumer must clearly “opt in” to financial incentives that are “reasonably related to the value provided to the business by the consumer’s data.” For instance, under the CPRA, financial incentives include incentive programs based on a rewards or club-type system.
- No Opportunity to Cure for Administrative Enforcement Actions
Under the CCPA, enforcement included a 30-day “cure period” following notice of non-compliance by the California Attorney General. This period allowed a business the chance to cure the non-compliance without penalty. The CPRA removes the 30-day cure period for administrative enforcement actions. Although the CPRA retains the 30-day cure period for private data breach claims, businesses will no longer have an opportunity to cure such claims by implementing new security measures.
- New Enforcement Agency and Higher Penalties
Under the CPRA, the newly established CalPPA will act as an enforcement agency and promulgator of regulations. CalPPA will receive an initial $10 million budget to fund its investigation and enforcement activities, which will include subpoena and audit powers. CalPPA will, however, retain discretion to allow businesses to cure alleged violations. The CPRA triples penalties that were imposed by the CCPA for violations related to children’s PI. Penalties are increased to $7,500 for “violations involving the personal information of consumers whom the business, service provider, contractor or other person has actual knowledge is under 16 years of age.”
- Expanded Private Right of Action
The CPRA expands the private right of action to apply to data breaches that expose a consumer’s email address in combination with a password or security question and answer that would permit access to the consumer’s account, where the business failed to maintain reasonable security. This modification expands the breach liability for nonencrypted, nonredacted PI established by the CCPA.
III. Practical Steps Toward CPRA Compliance
- Review Data Maps
Businesses should evaluate what sensitive PI they collect and determine whether such collection and processing of the data are necessary.
- Update Privacy Policies
Businesses should update their privacy policies to reflect the new California consumer rights, including the right to correct inaccurate information and the right to data minimization, and to address the new category of sensitive PI and its associated rights.
- Update Certain Operational Systems
With the inclusion of the data minimization principle, businesses must create systems that allow for the proper maintenance of data so that it is properly deleted or disposed of when it is no longer necessary. Because the CPRA adds the word “sharing” to cover situations in which businesses collect data for cross-context behavioral advertising, a business must allow for an opt-out of sharing information for this purpose. Businesses should evaluate whether they collect data for this purpose and provide the necessary mechanisms for consumers to opt out. Businesses should also provide a mechanism for consumers to opt out of the collection of sensitive PI that is not necessary.
- Review and Update Contracts with Third Parties
Businesses should review and update contracts with third parties, service providers, and contractors (collectively, “Third Parties”) to help ensure compliance with the CPRA. Businesses should include provisions that obligate Third Parties to comply with the CPRA and provide that, if a Third Party does not comply with the CPRA, the business will be authorized to take the necessary steps to prevent unauthorized use of PI.
IV. More Changes Expected
Finally, although California voters successfully passed the CPRA, there is still room for greater clarification and review. Businesses should keep an eye out for updates as implementing regulations are issued and the CPRA approaches its January 1, 2023 effective date.
Fey LLC will continue to closely monitor CPRA developments. To ensure you don’t miss out on any articles and alerts we prepare on this or other significant data protection laws and developments, you can follow our LinkedIn page here.
Mary Colleen Fowler, a 2020 graduate of the University of Kansas School of Law, and Will Davis, a law student at the University of Florida Levin College of Law, contributed to this post. Ms. Fowler and Mr. Davis are both law clerks with Fey LLC.