California Privacy Rights Act – What Does This Mean for the CCPA?
On November 3, 2020, California residents voted to approve the creation of the California Privacy Rights Act (CPRA). The CPRA amends and expands the California Consumer Privacy Act (CCPA), which only went into effect on January 1, 2020.
While the CPRA’s substantive provisions do not take effect until January 1, 2023, with enforcement beginning July 1, 2023, businesses should begin to assess what additional modifications are necessary to their privacy policies and procedures as a result (even while many businesses are still working to ensure compliance with CCPA).
Further, under the CPRA, the calendar year of 2022 is treated as a lookback period, meaning that data collected during 2022 is subject to the terms of the CPRA starting in 2023. And, in the meantime, the CCPA remains in full force and effect.
This article highlights certain of the substantive amendments and additions the CPRA makes to the CCPA.
Who Is Subject to the CPRA?
The CPRA applies to any for-profit business that does business in California, collects personal information of California residents, and satisfies one or more of the following thresholds:
- Has $25 million or more in annual revenue during the prior calendar year (the same threshold as the CCPA);
- Buys, sells or shares personal information of 100,000 or more consumers or households (increased from 50,000 under the CCPA, which will likely mean fewer smaller businesses are covered); or
- Derives at least 50% of annual revenue from selling or sharing consumer personal information (the CPRA added the concept of “sharing” which is further discussed below).
Further, while the CPRA continues to apply to “service providers” (as in the CCPA), it also applies to the newly created category of “contractors.” The essential difference between the two terms is that a service provider is a person that “processes” personal information on behalf of a business and a contractor is a person to whom a business “makes available” a consumer’s personal information. While the CPRA does not provide additional clarification on the difference, the definition of “contractor” appears broader.
The inclusion of the act of “sharing” personal information (and not just selling it) will expand the applicability of the CPRA to those businesses that do not receive monetary or other consideration for selling such personal information.
The definition of sharing is extremely broad, and includes “sharing, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means, a consumer’s personal information for cross-context behavioral advertising,” regardless of whether there was a “sale” of the information. Cross-context behavioral advertising is defined as the “targeting of advertising to a consumer based on the consumer’s personal information obtained from the consumer’s activity across businesses, distinctly-branded homepages, applications, or services, other than the business, distinctly-branded homepage, application, or service with which the consumer intentionally interacts.” The clear intent is to bring under the reach of the CPRA the collection of a consumer’s personal information through third-party digital advertising.
Sensitive Personal Information
The CPRA creates a new category of “sensitive personal information” that is regulated separately and more strictly than other personal information. Sensitive personal information includes the following personal information that is used for the purpose of inferring characteristics about a consumer:
- Government-issued ID numbers (e.g. social security number, driver’s license, passport number);
- Financial account, debit card, or credit card information and account login credentials;
- Racial or ethnic data;
- Religious or philosophical beliefs;
- Data on sex life or sexual orientation;
- Geolocation information;
- Contents of emails or text messages (unless the business is the intended recipient of the communication); and
- Genetic, biometric and health data.
New and Expanded Privacy Rights
The CPRA creates several new rights and modifies certain existing rights under the CCPA.
- Right to correction of personal information – Consumers can request that a business correct any inaccurate personal information that the business maintains.
- Right to information about, and to opt-out of, automated decision making – Automated decision making technology profiles consumers based on a consumer’s “performance at work, economic situation, health, personal preferences, interests, reliability, behavior, location, or movements.” Consumers can request detailed information about how automated decision making technologies work (including the logic used in the decision making process and their likely outcomes with respect to the consumer), and can also opt-out of the use of automated decision making technology.
- Right to limit sensitive personal information – Consumers can limit the use and disclosure of sensitive personal information to that which is necessary to provide the goods or services requested or to perform certain listed “business purposes” (such as for ensuring security or for short-term, transient use). Consumers can also prohibit businesses from disclosing such information to third parties (subject to certain exemptions). A business must include a clear and conspicuous link on its homepage titled “Limit the Use of My Sensitive Personal Information” or a “single clearly-labeled link” on the homepage to cover both this opt-out right and the right to opt-out of selling/sharing personal information (as set forth below).
- Right to opt-out – The opt-out right now includes both the sale and “sharing” of personal information. As outlined above, the definition of “sharing” is extremely broad and includes cross-context behavioral advertising (which will give consumers the ability to prevent businesses from using technologies like cookies to track them across other websites and apps). Further, the link currently required on a business’ homepage titled “Do Not Sell My Personal Information” must now be replaced with the link “Do Not Sell or Share My Personal Information”.
- Right to deletion – Upon receipt of a valid request for deletion, a business must notify its service providers, contractors, and all third parties to whom the business has sold or shared personal information to delete personal information (unless it is impossible or would involve disproportionate effort, and subject to certain exceptions).
- Right to know – For personal information collected on or after January 1, 2022, any “right to know” response must include personal information collected beyond the CCPA’s current 12-month lookback period (unless it is impossible or would involve a disproportionate effort). However, the Act makes clear that this requirement does not require a business to keep personal information for any length of time (although other laws may include such requirements).
- Opt-in rights for minors – The opt-in right for minors is extended to include the sharing of personal information for behavioral advertising purposes.
- Data transfers – The specific pieces of personal information obtained from the consumer must be provided to the consumer in a format that is easily understandable (and to the extent technically feasible, in a structured, commonly used, machine-readable format). Consumers can also request that such specific pieces of personal information be transferred to other entities.
- Consent Requirements – The CCPA consent requirements have been expanded to require consent in additional circumstances, including selling or sharing personal information (or the secondary use, selling or sharing of sensitive personal information) after a consumer has already opted out, consent for research exemptions, and opt-in consent for financial incentive programs.
Additional Obligations for Service Providers and Contractors
A business must enter into an agreement with any third party, service provider or subcontractor to which it sells, shares or discloses personal information. Such agreement must:
- Specify that the personal information sold, disclosed or shared is “only for limited and specified purposes;”
- Obligate the service provider, contractor or third party to comply with the CPRA and to notify the business if it cannot do so;
- Grant the business the right upon notice to take reasonable and appropriate steps to stop and remediate unauthorized use of personal information;
- Include an obligation to notify the business if the third party, service provider or subcontractor engages a subcontractor, and to bind any such subcontractor to the same written obligations that apply between the business and it;
- Prohibit service providers, contractors and other third parties from combining any personal information received from the business with personal information received from other sources or collected on their own behalf.
Service providers and contractors are also required to cooperate with the business in responding to a verifiable consumer request and, at the direction of the business, delete or enable the business to delete the applicable information.
Data Minimization, Purpose and Storage Limitations
The CPRA has adopted the following additional requirements similar to those found in the European Union’s GDPR (General Data Protection Regulation):
- Data Minimization – Businesses can only collect, use and share personal information in accordance with what is reasonably necessary and proportionate to achieve the collection purpose;
- Purpose Limitation – Businesses cannot collect, use or share personal information for a purpose incompatible with the initially disclosed purpose without first providing notice to the consumer (and cannot collect or share such information for no stated purpose); and
- Storage Limitation – Businesses are required to notify (at the point of collection) consumers about the period of time that they will retain each category of personal information (or if that is not possible, the criteria to determine such period). Businesses cannot retain personal information for longer than is reasonably necessary.
Regulation and Enforcement
The CPRA makes the following regulation and enforcement changes:
- It immediately establishes the California Privacy Protection Agency (CPPA), which will implement and enforce the CCPA and CPRA;
- It eliminates the CCPA’s 30-day cure provision;
- It expands the private right of action regarding data breaches resulting from a failure to implement and maintain reasonable security procedures and practices to include breaches related to a consumer's email address in combination with a password or security question and answer that would permit access to the consumer's account. It also limits a business’ defense to private actions by providing that implementing and maintaining reasonable security procedures and practices after a breach does not constitute a cure with respect to the breach; and
- It triples the maximum fines for violations relating to minors under 16 years old to $7,500.
Interestingly, the CPRA differs from the CCPA in that any amendments to the law must be consistent with its purpose and intent, making it extremely difficult to amend the law in a limiting way. Essentially, the only ways to limit the act are through a subsequent ballot measure, or if it is preempted by federal law or declared unconstitutional. However, the CPPA has the authority to issue, and will likely issue, regulations on various portions of the CPRA, including providing more clarity on definitions, exemptions, and the mandatory risk assessments and cybersecurity audits required for certain high-risk activities. Final regulations are required to be adopted by July 1, 2022.
In the meantime, businesses should continue to review and update their privacy policies and procedures to comply with the CPRA, including ensuring that their homepage allows consumers to submit requests for information and requests for deletion or correction.
The foregoing information is provided only for general reference. It does not constitute legal advice. Legal advice may be provided based only on specific facts. Please consult Parker Ibrahim & Berg before relying on any general information stated herein. We are happy to discuss any questions you may have regarding legal issues related to direct marketing.