March 1, 2021

Volume XI, Number 60

CPRA: Six Key Impacts on Businesses

The California Privacy Rights Act (CPRA) amends the California Consumer Privacy Act (CCPA). While most of the provisions in the CPRA do not go into effect until Jan. 1, 2023, the changes do cover personal information collected as of Jan. 1, 2022. For this reason, it’s important for businesses to look at how the CPRA may impact the personal information they collect and begin understanding these obligations prior to 2023.

The following are six ways the CPRA may impact your business:

1. B2B AND EMPLOYEE INFORMATION EXEMPTIONS ARE EXTENDED

The CPRA extends the business-to-business and employee information exemptions in the CCPA to Jan. 1, 2023. After that time, this data will be covered by the CCPA and businesses should be prepared to treat it the same as other personal information.

2. CPRA REDEFINES BUSINESSES COVERED UNDER THE CCPA

The CPRA limits the number of small- and mid-size enterprises that are impacted. If a business does not meet the $25 million revenue threshold, it must either:

  1. Annually buy, sell or share for cross-context behavioral advertising the personal information of 100,000 or more consumers or households; or

  2. Derive more than 50 percent of its revenue from selling or sharing for cross-context behavioral advertising personal information.

This is a change from the CCPA, which covered an entity that “buys or sells, OR receives or shares for business’s commercial purpose, personal information of 50,000+ consumers, households or devices.”

Companies in the digital advertising space need to pay close attention to this newly introduced concept of cross-context behavioral advertising, which is defined as ad targeting based on information obtained about a consumer across different businesses, apps, websites or services. Among other regulations related to cross-context behavioral advertising, the CPRA grants consumers a new right to opt out of sharing of personal information for this purpose.

3. ADDITIONAL DATA RIGHTS GRANTED

The CPRA grants additional data rights related to sharing of sensitive personal information, automated data processing and profiling, correcting inaccurate information, deletion of information, and the timeframe for right to access information.

4. ADDITION OF “CONTRACTOR”

The CPRA adds the concept of a “contractor,” in addition to the already existing “service provider,” which will require companies to review and update their vendor contracts to ensure alignment with the law. A contractor is a person to whom the business makes available a consumer’s personal information for a business purpose pursuant to a written contract provided requirements are met. If your business engages a “contractor” to process personal information, the business will have additional obligations to meet in that vendor contract.

5. NEW AFFIRMATIVE SECURITY OBLIGATIONS

The CPRA adds affirmative security obligations, including requiring annual auditing in certain situations, and makes clear that an enforcement action for failure to implement reasonable security procedures is possible even when there has not been a breach.

6. ELIMINATION OF 30-DAY CURE PERIOD AND NEW ENFORCEMENT AGENCY

The CPRA removes the existing 30-day cure period for enforcement actions under the CCPA and creates a new agency that will take over enforcement from the California Attorney General’s office in 2023. The elimination of this cure period is significant for businesses still trying to understand their CCPA obligations.

STEPS BUSINESSES SHOULD TAKE NOW

Looking ahead to the implementation of the changes in the CPRA, entities should review their privacy policies and vendor contracts, ensure their internal mechanisms are prepared to address expanded consumer rights and company obligations, and make sure their information security programs will meet the new requirements.

Copyright © 2020 Godfrey & Kahn S.C. National Law Review, Volume XI, Number 27

About this Author

Katharine Campbell Cybersecurity Lawyer Godfrey Kahn Law Firm
Associate

Kate Campbell is a member of the Data Privacy & Cybersecurity and Technology & Digital Business practice groups. She holds the Certified Information Privacy Professional/US (CIPP/US) and Certified Information Privacy Manager (CIPM) certifications from the International Association of Privacy Professionals (IAPP).

Kate’s practice focuses on advising clients in a wide array of matters related to cybersecurity and data privacy. She counsels clients on compliance with state, federal and international privacy laws, including the General Data Protection Regulation 2016/679 (EU) (...

414.287.9529