The California Privacy Rights Act (CPRA) Has Been Enacted into Law
By Peter Hegel, Sundeep Kapur, and Claire Blakey
Even as companies are still bringing their practices into compliance with the California Consumer Privacy Act (the “CCPA”) and its associated regulations (which are currently under further amendment), Tuesday’s election results will require companies to revisit their data collection and privacy practices to an even greater degree.
On November 3, 2020, California voters approved “The California Privacy Rights Act of 2020” (the “CPRA”) through a ballot measure. The CPRA amends the CCPA, which the California legislature passed in 2018, significantly broadening the control that California residents (referred to in the CPRA as “consumers”) have over their personal information and imposing new obligations on businesses subject to the law.
When Does the CPRA Become Operative?
Most of the CPRA’s provisions will become operative on January 1, 2023, with enforcement beginning July 1, 2023 (for violations occurring on and after July 1). Once effective, the CPRA will apply only to information collected on or after January 1, 2022. The only provisions of the law that become operative immediately are:
The extension of the CCPA’s employee and B2B communications exemptions through January 1, 2023; and
Its provisions creating the Consumer Privacy Fund and the California Privacy Protection Agency (“CPPA”).
Unlike the CCPA, the CPRA cannot be repealed by the California legislature. However, the CPRA generally can be amended by a simple majority of the legislature, provided such amendments are “consistent with and further the purpose and intent” of the law.
Who Is Subject to the CPRA?
Similar to the CCPA, the CPRA generally applies to any for-profit “business” that collects the personal information of California residents and does business in the state of California. Altering the CCPA requirements slightly, under the new CPRA amendments, a “business” must meet at least one of the following three criteria to be subject to the law:
Have $25 million or more in annual revenue during the prior calendar year;
Buy, “sell,” or “share” the personal information of 100,000 or more consumers or households; or
Earn at least half of its annual revenue by “selling” or “sharing” consumers’ personal information.
Importantly, the annual revenue threshold reflects the total revenue of the company, not simply revenue attributable to California.
Service Providers and Contractors
The CPRA continues to apply to “service providers” and introduces a new category called “contractors.” While a “service provider” must process personal information “on behalf of a business,” a “contractor” receives personal information “made available” by a business. Though further clarity is needed, the “contractor” designation may be intended for disclosures to those individuals or entities that do not believe they are processing personal information “on behalf of” a business but still need to receive the information for some business purpose.
Before providing services, service providers and contractors must enter into a written agreement with the business that prohibits any use or disclosure of personal information for any purpose other than the business purposes specified in the contract (among other similar restrictions). Further, where “service providers” and “contractors” use other individuals or entities to perform the service, they must flow down these contractual restrictions to such individuals or entities.
Notably, service providers and contractors are prohibited from providing “cross-context behavioral advertising” (as defined below) in relation to a business. This is a significant departure from the CCPA, which permits businesses to use service providers for targeted advertising operations.
Notable Changes to the CCPA
The CPRA establishes the CPPA, a new agency tasked with implementing and enforcing the CCPA and, thereafter, the CPRA (when it becomes operative). As noted above, the CPPA is created immediately (or, more precisely, five days from the date that the Secretary of State certifies the election results).
Significantly, the CPRA also eliminates the CCPA’s cure provision, which allows companies to avoid CCPA liability by curing any alleged violation within thirty (30) days of notice of alleged noncompliance.
Private Right of Action
The CPRA preserves the CCPA’s private right of action (and associated statutory damages) for data breaches resulting from the business’s failure to implement and “maintain reasonable security procedures and practices.”
Under the CCPA, the definition of “personal information” within the scope of that data breach provision was narrower than California’s data breach notification law because it only referred to subsection (1) of the breach notification law’s definition of personal information (at Cal. Civ. Code § 1798.82(h)) – specifically, an individual’s name in combination with another listed “data element” (i.e., Social Security number, driver’s license or another identification number, account number or credit or debit card number with access code or password, etc.).
The CPRA expands this definition to include subsection (2) of the breach notification law’s definition of personal information, modified slightly: a consumer’s “email address in combination with a password or security question and answer that would permit access to the account.”
The CPRA also clarifies that the implementation and maintenance of reasonable security procedures following a breach does not “cure” the breach.
Limitations on the Use and Disclosure of Sensitive Personal Information
The CPRA introduces the new category of “sensitive personal information,” defined as personal information that 1) reveals a consumer’s government-issued identification number, financial account information and account login credentials, precise geolocation information, the contents of emails or text messages, genetic data, racial or ethnic origin, religious beliefs, biometrics, health data, and data concerning sex life or sexual orientation and 2) is used for the purpose of inferring characteristics about a consumer. To clarify, where the above-listed personal information is not used to infer characteristics about a consumer, it is treated as regular “personal information” and not “sensitive personal information.”
Under the CPRA, consumers have a separate right to limit the use and disclosure of their sensitive personal information to that which is necessary to provide the good or service requested or to perform certain enumerated “business purposes” (e.g., ensuring security, “short-term transient uses” such as for contextual advertising, customer service-related uses, maintaining quality and safety, and as otherwise permitted by regulation).
Specifically, each business that uses or discloses sensitive personal information for purposes other than those mentioned above must include a clear and conspicuous link on its homepage titled “Limit the Use of My Sensitive Personal Information” or a “single clearly-labeled link” on the homepage to cover both this opt-out right and the right to opt-out of selling/sharing personal information, the latter of which is described immediately below.
Alternatively, a business does not need to post these opt-out links if it instead responds to opt-out signals sent by or on behalf of a consumer (such as via a platform, technology, or mechanism). However, this option is subject to further clarification by the California Attorney General or CPPA.
“Sharing” Personal Information
Aimed at what is commonly known as “targeted advertising,” the CPRA introduces a new concept – “sharing” personal information – which refers to a business’s disclosure of personal information to a third party for “cross-context behavioral advertising,” regardless of whether the disclosure is also a “sale.”
“Cross-context behavioral advertising” is defined as the “targeting of advertising to a consumer based on the consumer’s personal information obtained from the consumer’s activity across businesses, distinctly-branded websites, applications, or services, other than the business, distinctly-branded website, application, or service with which the consumer intentionally interacts.”
In essence, this definition intends to capture the collection of a consumer’s personal information across third-party digital properties for the purposes of targeted advertising.
Under the CPRA, consumers have a separate right to opt-out of “sharing” personal information.
A business must advise consumers of this new right through a clear and conspicuous link on the business’s homepage titled “Do Not Sell or Share My Personal Information.” This link replaces the current “Do Not Sell My Personal Information” link required by the CCPA.
As already noted, a business may avoid the need for separate hyperlinks by having a “single clearly-labeled link” on the homepage that would encompass both this opt-out right and the right to limit the use and disclosure of sensitive personal information described above. Further, it may avoid the links altogether if it responds to opt-out signals sent by or on behalf of a consumer. Again, that last option requires further clarification by the California Attorney General or CPPA.
Other New and Expanded Consumer Rights
New Right of Correction. The CPRA now provides consumers with the right to request that a business correct any inaccurate personal information about the consumer.
Expanded Access Right. Businesses are explicitly required to disclose the personal information they have collected about a consumer directly or indirectly, including any personal information collected by a service provider or contractor on the business’s behalf.
Expanded Deletion Right. Upon receipt of a valid request for deletion, businesses must now also notify all service providers, contractors, and (if “selling” or “sharing” personal information) third parties, in each case, to delete the consumer’s personal information, subject to certain limited exceptions.
Retention Disclosures. The CPRA requires businesses, in their “notice at collection” to consumers, to disclose their retention periods for each category of personal information they collect or, if that is not possible, the criteria used to determine that period.
The CPPA will assume responsibility from the California Attorney General for promulgating, revising, and implementing regulations interpreting the CCPA and CPRA by either July 1, 2021, or six months after the CPPA indicates it is ready to begin rulemaking (whichever is later). The CPRA also requires adopting final regulations under the new law by July 1, 2022. These must include, but are not limited to, regulations:
clarifying certain definitions under the CPRA;
requiring businesses with high-risk processing to be audited by and periodically submit risk assessments to the California Attorney General/CPPA;
creating new access and opt-out rights related to automated-decision making, including profiling; and
defining “the requirements and technical specifications for an opt-out preference signal” that would indicate a consumer’s intent to opt-out of the “sale” or “sharing” of the consumer’s personal information and to limit the use or disclosure of the consumer’s sensitive personal information.
Given the length of time until the majority of the CPRA’s provisions become operative, the California law’s passage may increase momentum for federal legislation that could preempt some of the CPRA’s more far-reaching provisions.
One thing is for certain: California voters have vastly increased the data privacy requirements for U.S. companies, and this will have significant effects. How U.S. businesses, other states, and the federal government react will be worth watching in the months ahead.