California Voters Approve California Privacy Rights Act: What You Need To Know
While most Americans were focused on the results of the November 3, 2020 U.S. presidential election, an important piece of data privacy legislation passed in California. Californians voted to pass Proposition 24, a ballot initiative that creates the California Privacy Rights Act (“CPRA”). The CPRA amends the California Consumer Privacy Act (“CCPA”), which itself just went into effect on January 1, 2020. In a nutshell, many key areas of the CCPA are impacted, including scope and applicability, consumer rights, and operational requirements on businesses. Notably, the CPRA takes regulation and enforcement away from the California Attorney General and puts it in the hands of a newly-created independent agency. While the CPRA includes a number of helpful updates, businesses already dealing with CCPA should be prepared for another major push for CPRA compliance.
The CPRA will not go into effect until January 1, 2023; however, it will apply to personal information collected on or after January 1, 2022. Therefore, businesses should start analyzing what changes need to be made to their current compliance plans in 2021 and be ready to implement them in 2022.
Below is an overview of the changes in each area, including a quick comparison between CCPA and CPRA.
Triggers for CPRA
One aspect of the CPRA which is more favorable to businesses is the provision that narrows the number of businesses subject to the law. The CPRA changes the definition of a covered business currently subject to the CCPA by doubling the threshold number of consumers or households from 50,000 (under CCPA) to 100,000, which means many small and midsize businesses will need to re-analyze how the law may continue to apply to them, if at all. The second threshold change is to include businesses that generate at least 50% of their revenue from “selling or sharing” personal information, as opposed to just “selling” personal information. Given that the selling or sharing must still generate revenue for the business, it remains unclear how this change will impact the scope of the law. The third threshold for application of the law, company-wide revenues in excess of $25,000,000, remains the same.
Employee and B2B Exemptions
Another benefit of the CPRA is that, absent any intervening action from the California legislature, the CPRA extends the expiration date for the employee and B2B exemptions until January 1, 2023. This extension provides businesses with additional time to prepare for disclosures of consumer rights under the law to all types of California residents, whether acting in a business capacity or personal capacity.
New Category of Sensitive Personal Information
Finally, the CPRA creates a new category for “sensitive personal information,” which is similar to the GDPR’s designation of “special category data,” and requires special treatment under the law. Notably, the definition of “sensitive personal information” includes certain data elements that are not overly sensitive in nature in terms of treatment under other data privacy laws. “Sensitive personal information” includes government identifiers (such as Social Security and driver's license numbers); financial account and login information (such as credit or debit card numbers together with login credentials); precise geolocation; race, ethnicity, religious or philosophical beliefs; union membership; content of nonpublic communications (mail, email and text messages); genetic data; biometric or health information; and sex life or sexual orientation information.
Operational Requirements on Businesses
Special treatment includes more notices with respect to collection and use, “opt-ins” prior to the sale of sensitive data, as opposed to the current “opt-out” structure, and the additional consumer rights referenced below. Businesses collecting, using, and sharing these data elements will need to consider obligations under the California law coupled with obligations under other state and federal privacy laws.
In addition to keeping the existing consumer rights under the CCPA, the CPRA added several additional rights. Notably, the CPRA allows consumers to: (1) opt out of the use of automated decision making technology, including profiling, in connection with decisions related to a consumer’s work performance, economic situation, health, personal preferences, interests, reliability, behavior, location or movements, and (2) seek access to information about the logic involved in the automated decision-making process along with a description of the likely impact of that automated decision-making on the consumer.
Consumers will be able to limit the use and disclosure of sensitive personal information for certain purposes, including prohibiting businesses from disclosing sensitive personal information to third parties, subject to certain exemptions. Another key change is that the CPRA will require businesses to provide consumers with the right to opt out of sharing personal information for the purposes of cross-context behavioral advertising, which allows consumers to opt out of this kind of transfer even where it is not in exchange for valuable consideration.
Data Minimization and Retention Requirements
Under the CPRA’s new data minimization requirement, a business’s collection, use, retention and sharing of personal information must be minimized to what is reasonably necessary and proportionate to achieve the purpose of collection or processing or for another disclosed purpose that is compatible within the context of collection. Businesses must also disclose, at the time of collection, their retention periods for each category of personal information and are prohibited from retaining personal information for longer than is reasonably necessary for each disclosed purpose.
Risk Assessments and Audits
Subject to the CPRA final regulations being issued, businesses "whose processing of consumers' personal information presents a significant risk to consumers' privacy or security" must perform cybersecurity audits annually and submit risk assessments to the PPA (defined below) on a regular basis. The CPRA does not define processing that may result in a significant risk to the consumer, but it requires businesses to consider their size and complexity as well as the nature and scope of processing. Businesses will be required to weigh the benefits of the processing activities against the potential risks to consumers' rights associated with such processing. The goal of these assessments is to restrict or prohibit certain processing activities where the risks of those processing activities outweigh the benefits to the business or consumers.
Enforcement under the CPRA is likely to look different from what we would have typically expected from Attorney General enforcement efforts. One of the significant results of the CPRA is the establishment of a new independent enforcement agency, the California Privacy Protection Agency (“PPA”), getting an initial $5,000,000 in funding as of 2021, with a full $10,000,000 in funding for 2021-2022. With enforcement as the top priority for this agency, we would anticipate a significant rise in the number of enforcement efforts.
This focus on enforcement is combined with the elimination of any cure period. Under the CCPA, businesses were given 30 days to cure alleged violations before any enforcement by the California Attorney General could take place. However, the CPRA eliminates that 30-day cure period. The combination of this development and the new enforcement agency is likely to result in a significant uptick in enforcement generally.
Regulations Will Evolve but Time to Prepare is Now
There will need to be a new round of implementing regulations for the new components, but for now the CCPA remains in effect and in enforcement. The goal for businesses over the next year will be to lay the groundwork for the expanded rights and processes in advance of the anticipated effective date in 2023.
For more information on how the CPRA may apply to or impact your business and its current CCPA compliance plan, contact your local Quarles & Brady attorney or reach out to these members of our Data Privacy & Security Team: