Voters Approve California Privacy Rights Act
On November 3, 2020, a majority of Californians voted to approve a new ballot initiative – Proposition 24, or the “California Privacy Rights Act of 2020” (“CPRA”). We previously issued alerts on the road to certification of this ballot initiative here. Below, we highlight the main points that businesses facing compliance with this new privacy law should bear in mind. We will provide further updates in the days and months to come, drilling down in detail on the provisions of the CPRA and on the new regulations when they are released for public comment.
When Will the CPRA Go Into Effect?
The effective date of the CPRA is January 1, 2023. However, as a general rule, the provisions apply to personal information collected by a business on or after January 1, 2022.
The CPRA provides that the CCPA “shall remain in full force and effect and shall be enforceable until the same provisions of this Act become operative and enforceable.”
While it will be roughly two years before the main provisions of the CPRA take effect, the CPRA immediately extends the CCPA’s business-to-business and personnel carve-outs until January 1, 2023. However, those carve-outs will expire on January 1, 2023, when the CPRA takes effect.
The CPRA will introduce a host of new consumer rights and related business requirements. We highlight some of the key changes below:
- Changes to the Threshold for Applicability:
  - Number of records – The CPRA doubles the threshold for the number of consumers or households about which a business is buying, selling or sharing personal information (increasing to 100,000 from the current 50,000), and devices are now eliminated from this calculation. As a consequence, smaller organizations (under $25M annual gross revenue) currently deemed “businesses” under the CCPA likely will find themselves exempted from the CPRA if they do not “sell” or “share” (as defined in the CPRA) the personal information of more than 100,000 consumers or households annually and their overall revenue from “selling” or “sharing” such personal information represents less than 50% of their total revenue.
  - Commonly-controlled organizations – A commonly-controlled business that shares branding with a business subject to the CPRA will only fall under the scope of the CPRA if the business subject to the CPRA shares consumers’ personal information with the commonly-controlled entity. This change could have a significant impact for corporate groups that operate separate databases of personal information, or that could shift to this model.
- New Principles:
  - Data Minimization/Purpose Limitation – The CPRA requires the collection, use, retention, and sharing of personal information to be “reasonably necessary and proportionate to achieve the purposes for which the personal information was collected or processed…” While data minimization is generally considered best practice in the United States, this concept had not been broadly codified prior to the CPRA. The CPRA also reinforces that personal information cannot be used in a manner that is “incompatible with the disclosed purpose for which the personal information was collected” without providing the consumer with notice.
  - Storage Limitation – Whereas the CCPA was silent on retention, the CPRA prohibits storing personal information for longer than is “reasonably necessary” for the disclosed purpose.
- New “Sensitive Personal Information” Category: The CPRA creates a new category of “sensitive personal information,” which is subject to specific additional restrictions. Sensitive personal information is broadly defined to include, among other things, some government-issued IDs; certain financial, genetic, biometric and health information; precise geolocation; race and ethnicity; religion; union membership; content of certain communications; and information about sex life or sexual orientation.
- New Rights:
  - Restrict the Use and Disclosure of Sensitive Personal Information – The CPRA provides consumers with the right, at any time, to direct a business to limit its use and disclosure of the data to that “which is necessary to perform the services or provide the goods reasonably expected by an average consumer who requests such goods or services….” In order to allow consumers to exercise this right, businesses will be required to display a link on their internet homepage(s).
  - Ability to Correct Personal Information – The CPRA grants consumers a new right to correct inaccurate personal information.
  - Opt-Out of “Sharing” – The CCPA definition of “sale” is widely debated, with many arguing it already includes various aspects of sharing related to online advertising. The CPRA settles the debate in the affirmative and requires businesses to provide consumers with a right to opt out of sharing in relation to cross-context behavioral advertising. The CPRA defines “sharing” as the transferring or making available of “a consumer’s personal information by the business to a third party for cross-context behavioral advertising.”
  - Automated Decision Making – The CPRA requires the adoption of new regulations “governing access and opt-out rights with respect to a business’s use of automated decision-making technology, including profiling….”
  - Expanded Right to Access – The right of access is expanded by modifying the 12-month look-back provision with regard to both the obligation to provide access to specific pieces of personal information and the obligation to disclose the categories of information shared or sold. In practice, under the CPRA, businesses will have to provide access to any information “collected” (as defined in the CPRA) on or after January 1, 2022, unless providing such access proves “impossible or would involve a disproportionate effort” (a threshold that will be defined by regulation).
- New Obligations:
  - Contracting with Vendors – The CPRA imposes new obligations on “service providers” and “contractors.” Among other things, a written contract is needed that requires the data to be used for business purposes and prohibits the “selling” or “sharing” of the personal information. The contract must also (1) limit the contractor’s ability to combine the personal information with other information, (2) require notification to the business when engaging subcontractors, and (3) mandate that obligations be flowed down to any engaged subcontractors.
  - Reasonable Security – The CPRA requires businesses to “implement reasonable security procedures and practices appropriate to the nature of the personal information to protect the personal information from unauthorized or illegal access, destruction, use, modification, or disclosures.” This express obligation does not exist under the CCPA but has already been codified under California law (Civ. Code Sec. 1798.81.5(a)) for certain types of personal information.
  - Privacy Impact Assessments and Cybersecurity Audit Requirements for High-Risk Activities – The CPRA requires the issuance of regulations regarding mandatory risk assessments and cybersecurity audits for high-risk activities. The risk assessments will have to be submitted to the new California Privacy Protection Agency (“CalPPA”) on a “regular basis.” The concept of a “regular basis” is not defined in the CPRA and is likely to be expanded upon in the implementing regulations.
  - Regulatory Audits – CalPPA will have the right to audit entities for compliance with the CPRA. This ability is only loosely addressed in the CPRA text, and we expect that the regulations will provide details around these practices.
Who Will Be Responsible for Rulemaking and Enforcement of the CPRA?
Perhaps one of the most significant changes effected by the CPRA is the creation of a new California state agency, CalPPA, to implement and enforce the CPRA. This agency will be the first enforcement agency in the United States dedicated solely to privacy.
There is a complex set of provisions governing the transition period that grants the California Attorney General expanded powers at the outset (such as commencing new regulation drafting), which then will be transitioned to CalPPA.
Will New Regulations Be Issued?
Yes, new regulations will be issued. The deadline for the adoption of such regulations is July 1, 2022.
We expect that the current regulations will be the starting point for the new regulations. We will provide updates on the developments in future postings.
When is the CPRA Enforceable?
Similar to the CCPA, the CPRA will go into effect on January 1, 2023, but will not be enforceable until July 1, 2023. Different from the CCPA, the CPRA explicitly states that violations will only be subject to enforcement action if they occurred on or after July 1, 2023. This appears to create a safe harbor time frame in which issues can perhaps be ironed out as needed, and it allows greater time for the regulations to be implemented. As noted above, the CCPA will remain in effect until the CPRA is both in effect and enforceable, so until July 1, 2023 the CCPA will still be enforceable.
Does Enforcement Change?
The CPRA triples the fines for violations related to data of minors (which will be set at $7,500 per violation) and eliminates the 30-day notice and cure period that exists under the CCPA. While the CPRA does not significantly change the existing private right of action for data breaches, it expands the scope slightly by specifically including unauthorized access to or disclosure of an “email address in combination with a password or security question and answer that would permit access to the account….”
What Will Happen Next?
The appointment of the commissioners who will lead CalPPA is expected to take place in the near future. CalPPA will be led by a five-member board. The Governor will appoint the Chair and one member of the board, and the Attorney General, Senate Rules Committee, and Speaker of the Assembly will each appoint one other member.