California Prepares for Potential Overhaul of Privacy Laws; The California Privacy Rights Act Qualifies for the General Election Ballot
For the second time in two years, California may revolutionize its consumer privacy laws. On 25 June 2020, California Secretary of State Alex Padilla announced that the California Privacy Rights Act (CPRA) qualified for inclusion as a ballot initiative for the November 2020 general election. Californians for Consumer Privacy, the same group whose ballot initiative in 2018 prompted the California legislature to enact the California Consumer Privacy Act (CCPA), spearheaded the movement to include the CPRA as a ballot initiative for the November elections. The CPRA will appear as Proposition 24 on the ballot.
The CPRA, if approved by California voters, will enhance the consumer privacy protections set forth in the CCPA both by clarifying rights currently existing under the CCPA and by imposing additional obligations on businesses subject to the CPRA’s provisions. Californians for Consumer Privacy asserts that the “assault by giant corporations” on the CCPA weakened the CCPA and thereby prompted the organization’s efforts to propose this new privacy regime in California. The full 53-page text of the CPRA can be found here,1 but this alert will discuss several of the highlights from the CPRA. This alert also will clarify whether these key components of the CPRA constitute modifications of what currently exists in the CCPA or are entirely new proposals.
The CPRA will (eventually) replace the CCPA. The CPRA, if passed, will subsume the CCPA but will not do so immediately. Most provisions of the CPRA, if adopted, will become operative on 1 January 2023.2 The CPRA would also apply only to information collected on or after 1 January 2022.3 The governing privacy regime prior to these dates will remain the CCPA.4 The CPRA’s enactment would have some immediate effects, however. First, the CPRA would extend the CCPA’s exemptions for employee and business-to-business communications to 1 January 2023.5 Second, the CPRA’s provisions creating both the Consumer Privacy Fund and the California Privacy Protection Agency (CPPA) (further explained below) become operative on the CPRA’s effective date, which will be five days from the date when the Secretary of State files the statement of the vote for the election.6
New: The CPRA creates a category of “sensitive personal information.” The CPRA creates a new subcategory of personal information called “sensitive personal information”7 and provides consumers with additional authority to limit the use and disclosure of this type of personal information.8 Sensitive personal information includes, but is not limited to, government identification numbers (e.g., Social Security numbers, driver’s license numbers, and passport numbers); debit card and credit card numbers in combination with required security or access codes, passwords, or credentials; a consumer’s precise geolocation, religious beliefs, racial or ethnic origin, biometric information, sex life or sexual orientation information; and contents of a consumer’s mail, email, or text messages unless that business is the intended recipient.9
New: The CPRA encompasses precise geolocation data. Precise geolocation data appears to be an area of particular concern under the CPRA. It is included within the definition of “sensitive personal information”10 and is defined as “any data that is derived from a device and that is used or intended to be used to locate a consumer within a geographic area that is equal to or less than the area of a circle with a radius of one thousand, eight hundred and fifty (1,850) feet, except as prescribed by regulations.”11 The CPRA directs the Attorney General to promulgate regulations to provide further definitions for this term, specifically to address situations where this distance is “not sufficient” to protect consumers in “sparsely populated areas” and situations “when the personal information is used for normal operational purposes, such as billing.”12
New: The CPRA specifically targets cross-context behavioral advertising. Cross-context behavioral advertising is another specific focus of the CPRA. The CPRA defines “cross-context behavioral advertising” as “the targeting of advertising to a consumer based on the consumer’s personal information obtained from the consumer’s activity across businesses, distinctly-branded websites, applications, or services, other than the business, distinctly-branded website, application, or service with which the consumer intentionally interacts.”13 The CPRA explicitly excludes “cross-context behavioral advertising” from the definition of “advertising and marketing services” that constitute a business purpose for the collection and use of personal information.14 This exclusion and the new definition of “sharing,”15 which includes communicating “a consumer’s personal information by the business to a third party for cross-context behavioral advertising, whether or not for monetary or other valuable consideration,” require businesses using “cross-context behavioral advertising” to provide consumers the opportunity to opt out of such use.16
New: The CPRA grants consumers the right to correct inaccurate information. The CPRA creates a right for a consumer to request a business to correct inaccurate personal information the business possesses about the consumer.17 The CPRA directs any business who receives such a request to use “commercially reasonable efforts” to correct the inaccurate information.18
New: The CPRA imposes enhanced protections regarding the personal information of consumers younger than 16 years old. The CPRA contains special protections for the information of individuals younger than 16 years old (“under-16 consumers”). Californians for Consumer Privacy highlights this issue as one of the critical reasons why Californians should pass the CPRA. There are two main protections the CPRA implements with respect to under-16 consumers’ information. First, the CPRA mandates that a business cannot sell or share the information of an under-16 consumer without first receiving affirmative consent from either the consumer (if the consumer is at least 13 years old) or the consumer’s parent or guardian (if the consumer is younger than 13 years old).19 The CPRA also states that any business that “willfully disregards the consumer’s age shall be deemed to have had actual knowledge of the consumer’s age.”20 This provision is important for the second key protection the CPRA provides for under-16 consumers’ information: substantial penalties. The CPRA increases the penalties imposed upon a business, service provider, contractor, or other person that violates the CPRA with respect to an under-16 consumer’s personal information when that business, service provider, contractor, or other person has actual knowledge that the consumer is under sixteen years of age.21 These penalties apply to both intentional and unintentional violations.22 Businesses that violate the CPRA with respect to under-16 consumers’ personal information can be subject to a $7,500 fine per violation—the same penalty imposed for an intentional violation against a regular consumer and triple the amount of an unintentional violation against a regular consumer.23
New: The CPRA allows law enforcement to request a 90-day hold for deletion. The CPRA permits law enforcement agencies to direct a business not to delete a consumer’s personal information for 90 days.27 If a business receives such a request from a law enforcement agency, it must not delete the information, even if it also receives a request to delete the personal information from the consumer.28 Upon receiving a request to delete from the consumer, however, the business may use the information only to retain it for law enforcement.29 The CPRA also permits a law enforcement agency to submit additional 90-day requests not to delete if the agency shows good cause and does so “only to the extent necessary for investigatory purposes.”30
New: The CPRA requires any future amendments and regulations to maximize “consumer privacy.” The CPRA limits the extent to which subsequent legislative and executive lawmaking can dilute its provisions. Consumer privacy advocates criticized the adoption of many amendments to the CCPA that they alleged weakened the protections set forth in the original version of the CCPA.31 For this reason, the CPRA explicitly states that any amendments to its text must be “consistent with and further the purpose of this Act.”32 The CPRA similarly directs the Attorney General in several portions of its text to promulgate regulations “with the goal of maximizing consumer privacy.”33
New: The CPRA creates a new administrative agency. The CPRA establishes a new agency, the CPPA, “to implement and enforce” the CCPA and the CPRA (when it becomes operative and thereby replaces the CCPA).34 The CPPA would become the first agency in the United States devoted exclusively to consumer data privacy issues. The CPPA will consist of a five-member board appointed by high-ranking members of California’s executive and legislative branches: The Governor will appoint the Chair of the board and one member, the California Attorney General will appoint one member, the California Senate Rules Committee will appoint one member, and the Speaker of the California State Assembly will appoint one member.35 Each member of the board can serve for a maximum of eight consecutive years, and each member serves at the pleasure of their respective appointing authority.36 The CPRA imposes several restrictions on board members following their tenure with the board.37 Most significantly, the CPRA outlines the responsibilities with which it tasks the CPPA.38 As one example, the CPRA instructs the CPPA to assume responsibility from the Attorney General for promulgating, revising, and implementing regulations interpreting the CCPA and CPRA by the later of 1 July 2021 or six months after the CPPA indicates it is ready to begin rulemaking.39 The CPRA also vests the CPPA with the authority to conduct its own hearings, subpoena witnesses and compel their testimony, take evidence, and impose fines upon any violators.40 Before the CPPA can conduct a hearing to determine whether any violations occurred, however, the CPRA requires it (1) to provide the alleged violator with thirty days’ notice that a private “proceeding held for the purpose of considering probable cause” will occur, (2) to include in this notice a summary of the evidence and statements informing the purported violator of their rights both to appear in person and to be represented by counsel, and (3) to find probable cause of the violation at this proceeding.41
Modification: The CPRA covers both the sale and sharing of personal information. The CCPA defines a “sale” broadly: It includes “selling, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means, a consumer’s personal information to another business or a third party.”42 For these activities to constitute a sale, however, the action must be done “for monetary or valuable consideration.”43 The CPRA, by contrast, imposes obligations not just on businesses that “sell” personal information44 but also upon those that “share” information “to a third party for cross-context behavioral advertising, whether or not for monetary or other valuable consideration.”45
Modification: The CPRA revises which businesses are subject to its provisions. Although the CPRA expands the types of businesses subject to its provisions in some respects, in others it narrows the scope of covered businesses as compared to the CCPA. An entity is subject to the CCPA if it had annual gross revenues exceeding $25 million; bought, sold, or shared for commercial purposes the personal information of 50,000 or more consumers, households, or devices; or derived 50 percent or more of its annual revenues from selling consumers’ personal information.46 An entity could also be subject if it controlled, or was controlled by, a business that met the statute’s requirements and shared common branding with that business (the “control+branding test”).47 The CPRA maintains most of these requirements, with a few adjustments. First, the CPRA clarifies that the entity must have satisfied the $25 million annual gross revenue threshold in the previous calendar year to be a subject business.48 Second, it changes the “50,000 consumers, households, or devices” threshold to 100,000 or more consumers or households.49 Third, the business can qualify if it derives 50 percent or more of its revenue from selling or sharing consumers’ personal information.50 Fourth, an entity not otherwise subject to the CPRA must satisfy the control+branding test and have personal information shared with it by the CPRA-subject business in order for the entity to become subject to the CPRA.51 Fifth, the CPRA expands on the definition of “common branding” to mean not just “a shared name, servicemark, or trademark,” but “a shared name, servicemark, or trademark, such that the average consumer would understand that two or more entities are commonly owned.”52 Sixth, the CPRA applies to a joint venture or partnership composed of “businesses in which each business has at least a 40 percent interest.”53 There is no requirement for common branding in this scenario: The joint venture or partnership and each business that comprises the joint venture or partnership shall separately be considered a single business, and there are limitations on the sharing of personal information in this arrangement.54 Seventh, the CPRA includes the ability for businesses that don’t meet the threshold requirements of a “business” to voluntarily certify that they are compliant with the CPRA.55
Modification: The CPRA expands the definition of “publicly available” information. The CPRA applies a broader standard than the CCPA regarding what information is “publicly available” and therefore does not constitute personal information. The CPRA clarifies that publicly available information includes not only information that is “lawfully made available from federal, state, or local government records,” but it also includes information “that a business has a reasonable basis to believe is lawfully made available to the general public by the consumer or from widely distributed media” and “information made available by a person to whom the consumer has disclosed the information if the consumer has not restricted the information to a specific audience.”56 Therefore, the CPRA states that personal information does not include publicly available information or “lawfully obtained, truthful information that is a matter of public concern.”57
Modification: The CPRA expands businesses’ obligations regarding notices of collection. The CPRA requires a business to provide greater disclosures in its notices of collection than what currently exists in the CCPA. The CCPA requires a business to inform consumers about the categories of personal information it would be collecting and the purposes for which it would use the personal information.58 It also prohibits a business from collecting additional categories of information or using collected personal information for additional purposes without providing new notice to the consumer.59 As under the CCPA, the CPRA requires the business to provide notices of collection both to its consumers and to consumers who are otherwise exempt from the statute’s provisions because they are engaged in employment-related relationships with the business: employees, job applicants, owners, directors, officers, medical staff members, and independent contractors.60 The CPRA, however, expands on the CCPA’s requirements in two respects. First, the CPRA requires the business to also disclose to the consumer whether the individual’s personal information is sold or shared and the length of time it intends to retain each category of personal information or the criteria it will use to determine how long it will retain the information.61 Second, the CPRA instructs a business to apply these requirements both to personal information and to sensitive personal information specifically.62 The CPRA does narrow a business’s obligations with the notice of collection in one respect: The requirement for a business to give new notice to a consumer to use the personal information or sensitive personal information it has collected for additional purposes now applies only in situations when the additional purposes “are incompatible with the disclosed purposes for which the personal information was collected.”63
Modification: The CPRA imposes stricter requirements for contracts with contractors and service providers. The CPRA expands on the requirements set forth in the CCPA regarding the provisions that must be included in contracts with service providers. The CCPA required only a provision that prohibited retaining, using, or disclosing a consumer’s personal information other than for the specific purposes of performing the services or as otherwise permitted under the CCPA.64 The CPRA, by contrast, requires contracts with service providers to prohibit (1) the selling or sharing of personal information; (2) retaining, using, or disclosing the information outside the purposes specified in the contract or as otherwise permitted under the CPRA; (3) retaining, using, or disclosing the information outside the direct business relationship with the business; and (4) combining data it receives from the business with information it collects from another person, including the consumer.65 Additionally, these contracts must specify that (1) the personal information sold or disclosed to the service provider is “only for limited and specified purposes”; (2) the service provider is subject to the CPRA and must provide the privacy protections specified therein; (3) the business retains the right to take “reasonable and appropriate steps” to ensure the service provider uses the transferred or disclosed personal information in accordance with the CPRA; (4) the service provider must notify the business if it cannot meet its obligations under the CPRA; and (5) the business possesses the right, should the service provider be unable to fulfill its obligations under the CPRA, to “take reasonable and appropriate steps to stop and remediate unauthorized use of personal information.”66 Furthermore, unlike the CCPA, the CPRA also applies these requirements to any contracts the business enters into with contractors.67
1 All section references, unless otherwise stated, refer to the corresponding sections in the Ballot Initiative located in the hyperlinked text.
2 See Section 31(a).
3 See Section 31(a).
4 See Section 31(c).
5 See Section 3.A.8; see also Section 15 (adding Civ. Code §§ 1798.145(m)(4) (employees) and 1798.145(n)(4) (business-to-business communications)).
6 See Section 31(a)–(b).
7 See Section 14 (adding Civ. Code § 1798.140(v)(1)(L)).
8 See, e.g., Section 10 (adding Civ. Code § 1798.121); Section 13 (adding Civ. Code § 1798.135).
9 See Section 14 (adding Civ. Code § 1798.140(ae)).
11 Section 14 (adding Civ. Code § 1798.140(w)).
12 Section 21 (adding Civ. Code § 1798.185(a)(13)).
13 Section 14 (adding Civ. Code § 1798.140(k)).
14 Section 14 (adding Civ. Code § 1798.140(e)(6)).
15 The complete definition of “share” is “sharing, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means, a consumer’s personal information by the business to a third party for cross-context behavioral advertising, whether or not for monetary or other valuable consideration, including transactions between a business and a third party for cross-context behavioral advertising for the benefit of a business in which no money is exchanged.” Section 14 (adding Civ. Code § 1798.140(ah)(1)).
16 Section 21 (adding Civ. Code § 1798.185(a)(19)(A)).
17 Section 6 (adding Civ. Code § 1798.106).
18 Section 6 (adding Civ. Code § 1798.106(c)).
19 Section 9 (adding Civ. Code § 1798.120(c)).
21 See Section 17 (amending Civ. Code § 1798.155(a)).
24 Section 14 (adding Civ. Code § 1798.140(h)).
25 The CPRA defines a “dark pattern” as “a user interface designed or manipulated with the substantial effect of subverting or impairing user autonomy, decision-making, or choice” and clarifies that it should be “further defined by regulation.” Section 14 (adding Civ. Code § 1798.140(l)).
26 Section 14 (adding Civ. Code § 1798.140(h)).
27 See Section 15 (amending Civ. Code § 1798.145(a)(2)).
31 See, e.g., Section 2.D.
32 Section 25(a).
33 Section 21 (adding Civ. Code § 1798.185(a)(11)–(12)).
34 Section 24 (adding Civ. Code § 1798.199.10(a)).
36 Section 24 (adding Civ. Code § 1798.199.20).
37 Section 24 (adding Civ. Code § 1798.199.15(f)–(g)).
38 See generally Section 24 (adding, among other provisions, Civ. Code § 1798.199.40).
39 See Section 24 (adding Civ. Code § 1798.199.40(b)).
40 See Section 21 (adding Civ. Code §§ 1798.199.55, 1798.199.65).
41 See Section 24 (adding Civ. Code § 1798.199.50).
42 Civ. Code § 1798.185(t).
44 See Section 14 (adding Civ. Code § 1798.140(ad)).
45 See Section 14 (adding Civ. Code § 1798.140(ah)).
46 Civ. Code § 1798.140(c)(1).
47 Civ. Code § 1798.140(c)(2).
48 See Section 14 (amending Civ. Code § 1798.140(d)(1)(A)).
49 See Section 14 (amending Civ. Code § 1798.140(d)(1)(B)).
50 See Section 14 (amending Civ. Code § 1798.140(d)(1)(C)).
51 See Section 14 (amending Civ. Code § 1798.140(d)(2)).
53 See Section 14 (adding Civ. Code § 1798.140(d)(3)).
55 See Section 14 (adding Civ. Code § 1798.140(d)(4)).
56 See Section 14 (amending Civ. Code § 1798.140(v)(2)).
58 Civ. Code § 1798.100(b).
60 Compare Civ. Code § 1798.145(g)(3) with Section 15 (adding Civ. Code § 1798.145(m)(3)).
61 See Section 4 (adding Civ. Code § 1798.100(a)(3)).
62 See Section 4 (adding Civ. Code § 1798.100(a)(2)).
63 See Section 4 (adding Civ. Code § 1798.100(a)(3)).
64 See Civ. Code § 1798.140(v).
65 See Section 14 (adding Civ. Code § 1798.140(ag)(1)).
66 See Section 4 (adding Civ. Code § 1798.100(d)).
67 See Sections 4 (adding Civ. Code § 1798.100(d)) and 14 (adding Civ. Code § 1798.140(j)(1)).