March 4, 2021

Volume XI, Number 63


CPRA Favored by California Voters – Practical Takeaways

With 72% of the vote in, 56.1% of Californians have voted in favor of Proposition 24, making it likely that the California Privacy Rights Act of 2020 (CPRA) will pass. The CPRA – a ballot initiative – will usher in material amendments to the existing California Consumer Privacy Act (CCPA). Proponents have argued that the CPRA could form the baseline for future federal U.S. privacy legislation, or even grounds for EU adequacy status for California.

The CCPA will remain in full force and effect until the CPRA becomes effective on Jan. 1, 2023. Like the CCPA, there will be a six-month delay between the CPRA’s effective date and enforcement of the Act, with enforcement actions commencing on July 1, 2023. With the exception of the right to access, the CPRA will only apply to personal information collected by a business on or after Jan. 1, 2022.

However, the following CPRA provisions have a Jan. 1, 2021 effective date:

  • Employee and Business-to-Business Exemptions. As amended in October 2019, the CCPA contains partial exemptions for the personal information (PI) of employees, job applicants, and contractors, as well as PI exchanged in business-to-business relationships. The CPRA extends the current Jan. 1, 2021 expiration date for these exemptions until Jan. 1, 2023.

  • CPPA. The California Privacy Protection Agency (CPPA), a dedicated, five-member privacy regulatory body with full administrative power and jurisdiction, will be established to enforce the Golden State’s consumer privacy laws and impose fines.

  • Rulemakings. The CPRA requires the CPPA to initiate rulemakings and develop regulations on 20+ topics relating to definitions, exemptions, technical specifications for opt-out preference signals, automated decision-making, cybersecurity audits and risk assessments, and monetary thresholds for “business” eligibility. Final regulations must be adopted by July 1, 2022.

The CPRA modifies the CCPA in potentially impactful ways for in-scope entities that do business in California, regardless of where such businesses are physically established, have employees, or embed company infrastructure.

Notable highlights of the CPRA include:

  • Cure Period Limited to Breaches. Whereas under the CCPA, a business may avoid enforcement generally if it remedies a curable violation within 30 days of being so notified, the CPRA removes this provision. Instead, it allows a 30-day cure period only in relation to preventing statutory damages (not pecuniary damages) as part of a data breach-related private right of action. The law also confirms that implementing reasonable security measures following a breach will not constitute a business’s cure with respect to that breach.

  • Expanded Private Right of Action. Consumers have a broadened private right of action to sue a business if an email address in combination with a password or security question and answer is subjected to unauthorized access as a result of the business’s unreasonable security procedures.

  • Advertising. Consumers can opt out of sharing their PI – whether or not for monetary or other valuable consideration – for “cross context behavioral advertising,” which is explicitly excluded from the definition of “business purpose,” thereby likely creating further operational complications for site/app publishers and ad tech companies in relation to programmatic digital advertising activities.

  • Revised Scope to Exclude More SMEs. If a business does not meet the $25 million revenue threshold, it must either annually buy, sell, or share for cross-context behavioral advertising the PI of 100,000 or more consumers or households – up from 50,000 under the CCPA – or derive more than 50% of its revenue from selling PI or sharing it for cross-context behavioral advertising.

  • Children’s PI. The maximum penalty for a business’s violations concerning consumers under age 16 is tripled to $7,500 per intentional violation.

  • Sensitive PI. Consumers can limit businesses’ use and/or disclosure of “sensitive personal information,” a new category and definition that includes precise geolocation (i.e., within a radius of 1,850 feet), private communications (e.g., mail, email, and text messages), ethnicity, religion, genetic data, sexual orientation, and specified health information. This includes heightened notice requirements for businesses and new site and app opt-out links that must be displayed to consumers.

  • Retention Periods & Storage Limitation. Taking a cue from the EU’s General Data Protection Regulation (GDPR), the CPRA prohibits businesses from retaining PI for longer than necessary for the purpose of the collection. Businesses must also inform consumers of the length of time they retain each category of PI.

  • Additional Consumer Rights. In addition to the rights noted above ‒ to restrict a business’s use of sensitive PI and to know the length of data retention ‒ consumers also have the right to correct inaccurate PI. The CPRA also extends the right to access beyond the 12-month period (unless doing so would be impossible) and requires businesses to inform their service providers and the third parties with whom they shared a consumer’s PI of a consumer’s deletion request.

  • Contractual Requirements. The CPRA requires businesses that share PI with service providers, newly defined “contractors,” and third parties to enter into contracts extending the CPRA requirements to these entities’ handling of such PI, and requires service providers to have similar contracts in place with any sub-service providers.

  • Difficulty of Amendment. Of note to lobbyists and industry groups hoping to lessen some of the law’s more burdensome provisions, the CPRA, by its text, is difficult to weaken, as any legislative amendment to it “shall be null and void” unless it is “consistent with and furthers the purpose and intent” of the CPRA.

©2020 Greenberg Traurig, LLP. All rights reserved. National Law Review, Volume X, Number 309

About this Author

Gretchen A. Ramos
Shareholder

Gretchen A. Ramos is Co-Chair of the Data, Privacy & Cybersecurity Practice and focuses her practice on privacy, cybersecurity, and information management. A creative problem-solver with a long track record of success in commercial disputes, she never loses sight of the simple fact that she works in a service industry. Clients appreciate not only her legal skills, but also her direct, no-nonsense approach to client service, including her bullet-pointed emails, snapshot executive summaries, and creativity in finding ways to streamline communications for in-house counsel with dozens of...

415.655.1319
Darren Abernethy
Of Counsel

Darren J. Abernethy is a data privacy attorney with more than a decade of experience, including in private practice in Washington, D.C. and as in-house counsel at startups and a leading privacy technology vendor. He advises clients on matters related to advertising technology, privacy and data governance, and FTC best practices.

Darren focuses on the California Consumer Privacy Act (CCPA), the European Union General Data Protection Regulation (GDPR)/ePrivacy, digital advertising, direct marketing, and product counseling.

415-655-1261