On June 24, the eve of the July 1 enforcement date for the California Consumer Privacy Act (CCPA), the California Secretary of State certified the California Privacy Rights Act (CPRA), the latest brainchild of privacy activist (and CCPA spiritual father) Alastair Mactaggart, to appear on the November 2020 ballot after it gained the requisite number of signatures. Mactaggart’s organization Californians for Consumer Privacy, along with other prominent consumer privacy advocates, had repeatedly expressed frustration with the California legislature’s efforts to amend the CCPA in 2019 at the behest of the business community, and they responded with an even more robust comprehensive privacy law that will align California closely with the European Union’s General Data Protection Regulation (GDPR). Pre-pandemic polling has shown the CPRA to be overwhelmingly popular (with support ranging as high as 90 percent), and it is heavily favored to be approved by the voters this fall.
CPRA has a bit of a delayed fuse, with the most of the law going into effect on January 1, 2023 and applying (with the exception of the right of data access) only to data collected after January 1, 2022; enforcement would begin on July 1, 2023. Thus, companies that scrambled to implement compliance measures to meet CCPA’s effective date of January 1, 2020 will have sufficient time to prepare for CPRA, which significantly broadens and expands CCPA. However, assuming CPRA is voted into law, it will likely spark a bandwagon effect among the many other states considering broad privacy legislation and increase the clamor for a comprehensive federal privacy law to preempt the growing patchwork of inconsistent state laws. Indeed, the extended runway for CPRA compliance seems to have been designed with this very possibility in mind.
Since there is a lot to unpack in CPRA, this post briefly summarizes its major innovations and modifications of CCPA. (More in-depth and comprehensive analysis will follow in further posts and client alerts.)
- Where CCPA applies to for-profit businesses that process the personal information of 50,000 or more California consumers or households, CPRA raises this threshold to 100,000. (CCPA’s alternative tests for applicability – $25 million in annual revenues or realization of 50% or more of annual revenues from the sale of personal information – remain in place.)
- In addition to the right to know categories and specific pieces of personal information that a covered business has regarding a consumer, the right to have personal information deleted, and the right to opt-out of sales of personal information (all granted under CCPA), CPRA introduces a new right for data subjects to correct inaccurate personal data held by a business.
- CPRA defines a new category of “sensitive personal information,” which includes, among other things, government identifiers (such as Social Security number and driver’s license number), precise geolocation, racial and ethnic information and genetic data, and resembles the “special categories” of personal data for which the GDPR imposes more stringent limitations on collection and processing. CPRA allows consumers to limit the use and disclosure of sensitive personal information to essentially what is necessary to provide the goods or services requested by the consumer and other compatible purposes. A business would be required to clearly and conspicuously display a “Limit the Use of My Sensitive Information” link on its website unless it allows consumers to exercise this option via a preference signal (such as from a browser).
- CPRA expands CCPA’s right to know obligations to include “sharing” and disclosure of personal information by a covered business and also expands the sale opt-out to sharing. “Sharing” is defined as transferring information for “cross-context” behavioral advertising (i.e., targeted behavioral advertising that is based on a consumer’s activity across different businesses or Internet properties), regardless of whether or not the transfer occurs in exchange for valuable consideration. A business would be required to clearly and conspicuously display a “Do Not Sell or Share My Personal Information” link on its website unless it allows consumers to opt out from both via a preference signal (such as from a browser).
- CPRA extends a consumer’s right to know beyond the twelve-month lookback currently provided under CCPA.
- CPRA increases CCPA’s administrative fines to up to $7,500 for an intentional violation or a violation involving the personal information of someone who, to the actual knowledge of the party committing the violation, is under 16 years of age.
- CPRA expands CCPA’s private right of action for data breaches caused by a company’s failure to use reasonable security measures to additional types of personal information, specifically email address and either a password or a security question and answer that would permit access to an account
- Like GDPR CPRA imposes new requirements on data retention. It requires businesses to disclose in their privacy notices “the length of time the business intends to retain each category of personal information, including sensitive personal information, or if that is not possible the criteria used to determine such period….” However, a business may not retain a consumer’s personal information or sensitive personal information for a disclosed purpose for which the information was collected “for longer than is reasonably necessary for that disclosed purpose.” Thus, companies will need to align their retention protocols with the purposes of collection disclosed to consumers (e.g., in a privacy policy) at or before the point of collection, as well as update their privacy policies to include the particularized retention disclosures required by the CPRA. This will be a formidable compliance hurdle for many companies.
- CPRA expands CCPA’s right to know and access the specific pieces of personal information a business has regarding a consumer to include a portability-type requirement reminiscent of GDPR. The business must provide the information in a format “easily understandable to an average consumer” and if technologically feasible in a “structured, commonly used, machine readable format.”
- CPRA creates a new category of “contractor” alongside CCPA’s “service provider” category. As with service providers, covered businesses must have written contracts with contractors containing certain mandatory provisions, for example, restricting their processing of personal information on behalf of the covered business. There are also expanded requirements for what must appear in service provider contracts. Finally, CPRA directly subjects service providers and contractors to auditing by the businesses for which they process personal information.
- CPRA will vest primary rulemaking, administrative and enforcement authority in a new agency to be established by the law, the California Privacy Protection Agency (CPPA), which will assume the authority currently held by the California Attorney-General under CCPA to issue regulations, bring enforcement proceedings and levy administrative fines. Under CPRA’s terms, substantial new regulations – well above and beyond those recently finalized by the California Attorney-General under CCPA – must be issued to further define and expand upon numerous areas of concern identified by the law’s drafters. Among the regulations to be issued would be ones (i) requiring companies deemed to be engaged in high-risk data processing to undergo annual audits as well as risk assessments, and (ii) providing for consumer access and opt-out rights with respect to automated profiling and decision-making (the GDPR provides similar rights to data subjects). The CPPA will be governed by a five-member board with expertise in privacy and technology and whose members will serve terms which may not exceed eight consecutive years.
- Because CPRA will be enacted through the approval of the voters rather than the California legislature, the legislature is constrained from passing amendments that degrade the level of privacy protection extended to consumers. As mentioned earlier, the passage of certain business-friendly amendments to CCPA was precisely the issue that led to Alastair Mactaggart’s group introducing CPRA in the first place. Any efforts by the legislature to narrow CPRA’s focus, create exemptions or push back the date of enforcement can expect to meet with vigorous court challenges.
If California voters approve CPRA this November, as expected, companies should immediately start the work of upgrading their compliance and revisiting their privacy policies, whether they are covered businesses which determine the business purposes of processing personal information or act as service providers or contractors to businesses that do. In addition, since CPRA will bring California much closer to GDPR and other states will also likely strengthen their privacy and data protection laws, a major gating question for corporate policymakers is whether it is desirable to simply extend CPRA protections to all U.S. residents. The advantages of such an approach are: (i) greater scalability of compliance efforts (as opposed to maintaining an increasing number of divergent privacy frameworks across multiple jurisdictions), (ii) lower regulatory and legal risk, since it may not always be possible to determine with certainty where a consumer or online user resides, and (iii) better optics for both consumers and regulators in states outside California, who might not like being accorded a lower level of privacy than Californians. In addition, while GDPR and CPRA are not entirely co-extensive, their proximity might also dictate in favor of a more standardized approach across national borders. Of course, since every company’s business model and risk profile are different, companies should carefully analyze and weigh the options available. However, with the near-certainty of stricter regulation on the horizon, companies should not postpone strategic decision-making in the privacy area.