On November 3, California voters passed the California Privacy Rights Act, a ballot initiative that substantially amplifies data privacy oversight for qualifying enterprises doing business in California. Although it builds upon many of the provisions of the 2018 California Consumer Privacy Act, the CPRA also borrows from the General Data Protection Regulation, adds unique new elements, and creates a special enforcement body. Though the CPRA protects only California residents, its effects will reach beyond California and may well have international ramifications.
Background on data protection and privacy legislation
Data protection and privacy laws have proliferated over the past decade. In 2016, the European Union adopted the General Data Protection Regulation, which has the goal of giving E.U. residents substantial control over their personal data. Though it was created by the European Union, the GDPR imposes obligations on companies worldwide who target or collect data about E.U. residents. Similarly, the CCPA gave California consumers new rights with regard to their personal information acquired by qualifying businesses. Now, with this new ballot initiative (colloquially referred to as “the CCPA 2.0”), which will take full effect on January 1, 2023, the data privacy landscape continues to grow more complex for companies.
GDPR influence and compliance ramifications
The European Union generally does not allow the exportation of personal data unless the receiving country provides an “adequate level” of data protection, as conferred by an “adequacy decision” from the European Commission. The United States has never received an adequacy decision, so U.S. companies have relied primarily on the E.U.-U.S. Privacy Shield or Standard Contractual Clauses to provide the “adequate level.” Unfortunately, in a decision issued earlier this year, the European Court of Justice (the E.U. equivalent of the U.S. Supreme Court) struck down the E.U.-U.S. Privacy Shield and also put into question the effectiveness of Standard Contractual Clauses. This has caused understandable consternation in the international business community. Accordingly, if the European Commission were to grant an adequacy decision to California based on the CPRA, it would provide California businesses a considerable advantage, and undoubtedly cause other states to adopt privacy legislation similar to the CPRA. (Any federal privacy legislation is a long way off.) However, it is not clear whether the CPRA will ultimately result in California's being the first state to receive an adequacy decision. As with every other state in the union, U.S. “spying” laws – such as Section 702 of the Foreign Intelligence Surveillance Act, Executive Order 12333, and Presidential Policy Directive 28 – continue to affect California.
Nevertheless, the CPRA introduces a number of GDPR-inspired provisions that could help. These include the following:
1. Broadened protection of “sensitive personal information”
The CCPA already featured one of the most comprehensive definitions of “personal information” of any privacy statute in the United States. However, the CPRA goes further and adds a GDPR-like concept of “sensitive personal information.” This category of information now encompasses race, religion, sexual orientation, financial account information, and government identifiers (such as Social Security numbers). Consumers can now choose to limit the use, sale, and sharing (as discussed further below) of such sensitive data.
2. Right to correction
The CCPA affords consumers the right to know what personal information a business collects about them and a right to request deletion of that information within certain parameters. The CPRA adds a right for Californians to correct inaccurate personal information. This concept is much like the GDPR’s right to rectification, which permits data subjects to “rectify” inaccurate personal data and to have incomplete personal data completed in some cases.
3. Creation of independent regulatory agency
Another new concept critical to GDPR principles is the creation of the California Privacy Protection Agency, which will be the first dedicated privacy agency of its kind in the United States. The GDPR requires each member state to have a “supervisory authority” to oversee the application of the statute there. The California agency would meet that requirement, and it will have a dedicated budget for privacy regulation, with funding of $5 million its first fiscal year and $10 million in each subsequent fiscal year. Additionally, the agency will take over many enforcement duties from the Attorney General’s office, including the administration of hefty fines that range from $2,500 to $7,500 per violation.
4. Purpose limitation, data minimization, and data retention requirements
The CPRA permits businesses to collect personal information only for “specific, explicit, and legitimate disclosed purposes” and “only to the extent that it is relevant and limited to what is necessary in relation to the purposes for which it is being collected, used, and shared.” Accordingly, as with the GDPR, businesses must collect only the minimum data necessary for their business purpose. Consistent with those requirements, California residents now have the right to direct businesses to limit the use of sensitive personal information. Additionally, the CPRA contains data retention limitations that, like the GDPR, require that businesses disclose to consumers “the length of time the business intends to retain each category of personal information or if that is not possible the criteria used to determine such period . . . .” Covered entities, beware! Implementing this concept will be considerably more difficult than it sounds.
5. Bolstered service provider/third-party contracting requirements
Similar to the GDPR’s mandates for controllers and processors, the CPRA specifies that businesses selling, sharing, or disclosing consumers’ personal information must enter into agreements with third parties, service providers, or contractors that (among other things) require these entities to comply with applicable obligations, provide adequate privacy protection under the CPRA, and permit the business to confirm the third party’s compliance. This obligation goes well beyond the existing CCPA-mandated restrictions on “retaining, using, disclosing” personal information. The CPRA further requires that contractors and service providers notify the business when they use a sub-contractor, and that the sub-contractor observe the same CPRA requirements as the service provider or contractor.
6. Automated decision-making limitations
Like the GDPR, the CPRA creates new rules governing opt-out rights connected with use of “profiling” or “automated decision making technology.” That includes consumer/employee profiling tied to work performance, economic circumstances, health, location, and other factors. The consumer now also has a right to access “meaningful information about the logic involved in such decision-making processes, as well as a description of the likely outcome of the process with respect to the consumer.”
7. Formal risk assessments
Just as the GDPR requires data protection impact assessments in some cases, the CPRA will require certain businesses that process personal information to determine whether the benefits resulting from the processing outweigh the risks to the consumer. These businesses will also be required to present a formal report to the new privacy agency about it. This will be a regular and ongoing obligation, and it goes substantially beyond the data mapping and risk analysis necessary to implement the “reasonable security procedures” required by the CCPA. Silicon Valley giants, financial technology, and other big players could find themselves subject to annual cybersecurity audits as a result.
Some CPRA elements go beyond the GDPR
The CPRA also includes some unique attributes that set it apart from any privacy statute in the world, including the GDPR, creating greater exposure for companies.
1. No right to cure
The CCPA included a 30-day “cure period” following notice of non-compliance during which a business has the opportunity to cure the alleged non-compliance without penalty. That window gave businesses the leeway to confer with the accuser and remedy any poor data practices before punitive action could be taken. Once the CPRA takes effect, companies will no longer have the advantage of this period, heightening the legal risk and exposure around compliance. Thus, an action could be initiated without any warning.
2. Expanded private right of action
In addition to the categories of personal information previously specified, the CPRA private right of action will now be available to individuals whose email addresses (in combination with a password or security question that would permit access to the account) are compromised.
3. Opt-out of data sharing, not just data sales
The CPRA adds a definition of “share” to expressly address confusion over “sales” of personal information under the CCPA – and to ward off further arguments that sharing personal information for behavioral advertising online is not a “sale” under the CCPA. “Sharing” would include any provision or transfer to a third party for “cross-context behavioral advertising, whether or not for monetary or other valuable consideration.” Consumers would have rights to opt out of having their information shared or sold. This can be accomplished by separate “Do Not Sell” and “Do Not Share” buttons, or by a combined button, depending on the business’s preference.
4. Extension of employee and “B2B” data rights
The current exemptions under the CCPA for handling of employee or business-to-business data were set to expire on January 1, 2021. They were extended this year by AB 1281 to January 1, 2022, which would have controlled had the CPRA not passed. Now, however, the exemptions are extended to January 1, 2023, the date the CPRA goes fully into effect. (The CPRA will, however, cover data collection practices beginning on January 1, 2022.)
5. Mandatory updating of regulations
Both the CPRA and GDPR contemplate technological advancement and the need to create and amend regulations in light of ongoing developments. However, the CPRA goes beyond the GDPR in this respect. The CPRA mandates that regulations be updated to reflect changes in technology. Among the required updates will be the definitions of “deidentified,” “unique identifier,” and “sensitive personal information” as advancements are made. The CPRA even identifies specific technological developments it expects to see through fruition, such as an “opt-out preference signal,” indicating a consumer’s intent to opt out of a business’s sale or sharing of personal information or to limit the use or disclosure of sensitive personal information. The Attorney General is directed to adopt regulations defining the requirements and technical specifications for an opt-out preference signal and other opt-out mechanisms. This should encourage technology vendors to work with businesses to build global privacy controls that can be customized for websites or businesses.
6. Enhanced fines for violations of minors’ privacy
The CPRA creates a new requirement to obtain opt-in consent to sell or share data from consumers under the age of 16 and potentially triples the CCPA fines for violations of the CCPA’s opt-in to sale right. Businesses providing services to minors thus have more compliance obligations and a heightened risk for fines in addition to those in the federal Children's Online Privacy Protection Act.
Conclusion
Of course, there is more to the CPRA. Businesses that are currently subject to the CCPA should begin now to implement all the necessary measures, such as compiling a data inventory, and reviewing consumer rights policies and procedures, data retention practices, and vendor and third-party agreements. As companies think through the implications of this new law, they would be well-advised to turn to GDPR resources for guidance as California’s privacy laws move closer to – and in some respects become even more protective of privacy rights than – their European equivalent. Companies should also monitor the implementing regulations as they are issued by the state Attorney General and the privacy agency. Whether California will become the first state to receive an adequacy decision from the European Commission remains to be seen, but it is undeniable that the United States is entering a new era of privacy protection. Consult your privacy counsel!