Businesses Should Begin Assessing Their Data Practices in Order to Meet The California Privacy Rights Act Requirements
In our previous blog, we featured the California Privacy Rights Act’s Enhanced Cybersecurity Safeguards. We now highlight significant privacy safeguards under the California Privacy Rights Act (“CPRA”) that will require advance planning in preparation for its January 1, 2023 effective date. These new requirements will impact the collection and use of personal information across each organization. In particular, businesses, at a minimum, will need to assess and plan for:
the effective implementation of data minimization policies, practices, and technologies;
providing “consumers” with notice and a right to opt out from cross-context behavioral advertising targeting surfing activity across websites;
meeting heightened requirements for the collection and use of sensitive personal information (e.g., government identifiers, geolocation data, racial or ethnic origin, biometrics, health data, sexual orientation or sex life), including providing consumers with notice of collection and the right to limit use of such information;
providing consumers with notice of how long the business intends to retain each category of personal information, including sensitive personal information;
the inclusion of statutorily mandated terms in contracts with “service providers” and “contractors” effectuating the deletion of personal information in the service provider’s or contractor’s possession at the business’ request and the right to audit their data privacy and cybersecurity practices;
providing notice to “third parties” to whom the business has sold or shared personal information to delete the personal information upon the business’ receipt of a consumer request; and
effectuating the new right by consumers to correct inaccurate personal information held by the business across its information systems and departments.
“Data Minimization” Is Required In The Collection And Use Of Personal Information: The CPRA mandates that personal information should be collected “only to the extent that it is relevant and limited to what is necessary in relation to the purposes for which it is being collected, used and shared.” CPRA §3B(3). The “collection, use, retention and sharing” of personal information shall be “reasonably necessary and proportionate” to achieve the business purpose for which the information was collected or processed, and not retained for longer than is reasonably necessary. CPRA §1798.100(c). Personal information shall not be processed in a manner that is “incompatible” with the originally disclosed purposes. CPRA §1798.100(c).
International organizations will quickly recognize the similarities here to GDPR principles relating to the processing of personal data. See GDPR Art. 5. To effectively satisfy these data minimization requirements, businesses should inventory all categories of personal information collected to ensure that collection and use is limited to only the information needed to accomplish the business purpose. The value of the information should be carefully assessed to determine whether certain information should not be collected because it is unnecessary or of low value to the business purpose. Identification of data flows across information systems and staff is a critical component to ensuring that information is used only in a manner that is consistent with the notice provided to the consumer. These “data minimization” requirements will significantly impact operations, including software engineering, product development, database management, workforce management, compliance and marketing.
Consumers Must Receive Advance Notice Of The “Sharing” Of Their Personal Information For Cross-Context Behavioral Advertising And A Link To Opt Out: The use of third-party cookies and tracking technologies for cross-context behavioral advertising purposes is expressly addressed in the CPRA. The CPRA finds that advertising technologies that track individuals across the internet and are used to create detailed profiles of their individual interests by monitoring their preferences across websites are not well disclosed or able to be managed by the consumer. CPRA §2(I). Consumers should have the tools to prevent the selling or sharing of their personal information with organizations with which they may be unfamiliar. CPRA §2(I). Businesses must, therefore, provide notice to the consumer at or before the point of collection when personal information is “shared” for cross-context behavioral advertising and the right to opt out. CPRA §1798.100(a)(1), 1798.120(b). Under the CPRA’s new definition, “sharing” means disclosure by the business to a third party for “cross‐context behavioral advertising, whether or not for monetary or other valuable consideration, including transactions between a business and a third party for cross‐context behavioral advertising for the benefit of a business in which no money is exchanged.” CPRA §1798.140(ah)(1).
The CPRA goes beyond the California Consumer Privacy Act’s (“CCPA”) current requirement of a “Do Not Sell My Personal Information” link on the homepage, requiring a new “Do Not Sell or Share My Personal Information” link to permit consumers to opt out of sharing for cross-context behavioral advertising. CPRA §1798.135(a)(1) (emphasis added). These new requirements will directly impact website policies, privacy notices, marketing practices, and related contractual arrangements and terms of service.
Consumers Must Receive Advance Notice Of Collection Of Sensitive Personal Information And A Link To Limit Use: Businesses must provide notice to the consumer at or before the point of collection whether sensitive personal information is collected, the categories of sensitive personal information collected or used, and whether such information is “sold” or “shared.” CPRA §1798.100(a)(2); see also CPRA §1798.121(a). “‘Sensitive personal information’ means:
(1) Personal information that reveals: (A) a consumer’s social security, driver’s license, state identification card, or passport number; (B) a consumer’s account log-in, financial account, debit card, or credit card number in combination with any required security or access code, password, or credentials allowing access to an account; (C) a consumer’s precise geolocation; (D) a consumer’s racial or ethnic origin, religious or philosophical beliefs, or union membership; (E) the contents of a consumer’s mail, email and text messages, unless the business is the intended recipient of the communication; [or] (F) a consumer’s genetic data; and
(2)(A) the processing of biometric information for the purpose of uniquely identifying a consumer; (B) personal information collected and analyzed concerning a consumer’s health; or (C) personal information collected and analyzed concerning a consumer’s sex life or sexual orientation.” CPRA §1798.140(ae) (emphasis added).
Publicly available information or lawfully obtained, truthful information that is a matter of public concern does not constitute “sensitive personal information.” CPRA §1798.140(ae).
Consumers have a right to limit the “use” and “disclosure” of their sensitive personal information to that which would be reasonably expected to receive the goods or services requested. CPRA §1798.121(a). Businesses that use or disclose sensitive personal information beyond that necessary to perform the services or reasonably to be expected for the goods or services requested, or beyond certain enumerated purposes, such as to ensure security, to fulfill the order, for the business’ internal short term transient use, or to maintain the quality or safety of the product, must provide additional notice to the consumer (i) that the information may be used for additional disclosed purposes or disclosed to a service provider or contractor, and (ii) the consumer’s right to limit such use or disclosure. CPRA §1798.121(a), 1798.140(e)(2),(4),(5),(8). The overarching data minimization principles apply here specifically as to the particular categories of sensitive personal information collected. CPRA §1798.100(a)(2).
The business’ website will need to provide a “Limit The Use Of My Sensitive Personal Information” link to afford consumers the right to limit the use or disclosure of sensitive personal information beyond that reasonably to be expected by the consumer. CPRA §1798.135(a)(2); see also §1798.121(a). The CPRA provides for these enhanced notice and opt-out requirements because the unauthorized use or disclosure of sensitive personal information “creates a heightened risk of harm to the consumer.” CPRA §3(A)(2). The data inventory and assessment becomes particularly important here in identifying the collection and use of this sensitive information by entities and individuals outside the business. Organizations should conduct a risk assessment of their collection and use of sensitive personal information.
Businesses Will Need To Notify Consumers For How Long They Will Retain Their Personal Information: Businesses shall, at or before the point of collection, inform consumers as to the length of time the business intends to retain each category of personal information, including sensitive personal information. CPRA §1798.100(a)(3). If specification of the retention period is “not possible,” then the criteria used to determine the retention period shall be provided in the notice. Data minimization principles apply, as a business shall not retain personal information or sensitive personal information “for each disclosed purpose for which the personal information was collected for longer than reasonably necessary for that disclosed purpose.” CPRA §1798.100(a)(3). Businesses will need to align their data retention practices and policies with their consumer-facing notifications.
Service Providers and Contractors Will Have Contractual and Statutory Obligations To Delete Personal Information At The Direction Of The Business: Service providers and contractors are required to cooperate with the business in responding to a consumer deletion request, and “at the direction of the business” shall delete personal information about the consumer. CPRA §1798.105(c)(3). Service providers and contractors will also have downstream obligations – i.e., they must notify any of their service providers, contractors or third parties who may have accessed such personal information through the service provider or contractor (unless the information was accessed at the direction of the business) to delete the consumer’s personal information, unless this proves impossible or involves disproportionate effort. CPRA §1798.105(c)(3). The contracts with the service provider or contractor must include terms to comply with applicable CPRA obligations, including to provide the same level of privacy protection as required under the CPRA. CPRA §1798.100(d).
Contracts with service providers and contractors shall also include clauses permitting the business to monitor compliance, including through ongoing manual reviews and automated scans, and regular assessments, audits, or other technical or operational testing at least once every twelve (12) months. CPRA §1798.140(j)(1)(C),(ag)(1). Agreements with service providers and contractors will need to be reviewed to ensure that they contain these provisions mandated under the CPRA as of the effective date.
Notice Of Deletion Requests To Be Provided To Third Parties: Businesses must provide notice to third parties to whom the business has sold or shared personal information of a consumer’s request to delete personal information, except where “this [notice] proves impossible or involves disproportionate effort.” CPRA §1798.105(c)(1). Again, it will be difficult for a business to comply with this provision, unless the organization inventories and tracks personal information transmitted to third parties through “sale” or “sharing” and has negotiated relevant contractual provisions to effectuate the business’ notice obligations.
Consumers Have A New Right To Correct Inaccurate Personal Information: Businesses must provide notice to consumers that they have the right to correct personal information. CPRA §1798.106(a)(b). Businesses shall use “commercially reasonable efforts to correct inaccurate personal information, as directed by the consumer.” CPRA §1798.106(c), 1798.130. The CPRA provides for adoption of future regulations concerning exceptions for requests to correct that would be impossible or involve disproportionate impact. CPRA §1798.185(8). The ability of the business to comply with the consumer’s right to correction will depend, at a minimum, on knowing where personal information is stored in its information systems and on adopting technology, designs, and procedures that permit the correction.
Planning now for compliance with the CPRA’s new requirements will help alleviate the rush of significant operational changes required in advance of the effective date of January 1, 2023. Organizations should begin the assessment process now, including a review of their data collection practices and vendor relationships. In the meantime, we will await the numerous clarifying regulations expected under CPRA §1798.185. Any questions regarding the CPRA or CCPA may be directed to Brian G. Cesaratto, Deanna Ballesteros or another member of EBG’s Privacy, Cybersecurity, and Data Asset Management Group.
 The CPRA becomes effective on January 1, 2023, except for requests by consumers to access their data, which will “look back” to data collected by the business on or after an earlier January 1, 2022 effective date. CPRA §1798.130(a)(2)(B).
 Although the CPRA extends the moratorium on applicability of certain CCPA provisions to employee/applicant data and business to business (B2B) communications from January 1, 2022 (AB1281) to January 1, 2023, the moratorium will become inoperative on January 1, 2023. CPRA §1798.145(m1),(n1).
 “Consumer” means any natural person who is a California resident. CPRA §1798.14(i).
 The CPRA enhancements apply to “for profit” companies and other organizations: (a) with more than $25 million in gross revenues in the preceding calendar year, or (b) that annually buy, sell or share the personal information of 100,000 or more consumers or households, or (c) that derive at least 50 percent of their annual revenue from selling or sharing consumer personal information (“businesses”). There are certain exemptions to coverage that may apply and will need to be closely analyzed based on the nature of the organization, the types of information collected and the organization’s collection and use practices. CPRA §1798.145.
“Processing” means any operation or set of operations that are performed on personal information or on sets of personal information, whether or not by automated means. CPRA §1798.140(y).
 “Cross context behavioral advertising” is the “targeting of advertising to a consumer based on the consumer’s personal information obtained from the consumer’s activity across businesses, distinctly branded websites, applications or services, other than the business, distinctly-branded website, application, or service with which the consumer intentionally interacts.” CPRA §1798.140(k) (emphasis added).