For the past two years, businesses have been scrambling to comply with the California Consumer Privacy Act (“CCPA”)—the first comprehensive data privacy law in the United States with broad extraterritorial reach. This was a difficult task for most businesses because of high compliance costs, the COVID-19 outbreak and resulting government shutdowns, and uncertainty regarding the scope and applicability of the law due to the CCPA’s constant state of flux.
With the November 3, 2020 general elections fast approaching, businesses may have to go through this cycle again if Californians approve Proposition 24, a ballot measure that will implement the California Privacy Rights Act (“CPRA”). If the CPRA becomes law, it will significantly amend the CCPA and make it as comprehensive as the European Union’s General Data Protection Regulation (“GDPR”). Fortunately, even if it passes, the CPRA will not be enforceable until January 1, 2023. This gives businesses two years to address any compliance gaps. Further, because the CPRA amends the CCPA, businesses can build on their existing procedures and protocols to ensure compliance with the new law. However, businesses should not delay compliance because, if approved, the CPRA would apply to personal information collected as of January 1, 2022.
Below is a summary of twelve key provisions of the CPRA.
1. Definition of “Business”
Under the CCPA, for-profit businesses are subject to the act if they collect and make decisions regarding Californians’ personal information, conduct business in California, and meet one of the following three criteria: (1) have annual gross revenues over $25 million; (2) buy, receive, sell, or share the personal information of 50,000 or more Californians, households or devices; or (3) derive 50 percent or more of their annual revenues from selling Californians’ personal information. Further, if an entity does not meet this definition, it will still be subject to the CCPA if it controls or is controlled by a business that meets this standard and shares common branding with the business.
The CPRA would largely keep this definition intact, but modify it in some ways. For the second prong above, the CPRA would raise the threshold from 50,000 to 100,000 Californians. For the third prong above, the CPRA would encompass businesses that derive 50 percent or more of their annual revenue from selling or sharing Californians’ personal information. The distinction between selling and sharing is discussed further below. Moreover, joint ventures and partnerships that are composed of businesses would be subject to the CPRA if each business has at least a 40 percent interest in the venture or partnership. Finally, entities could voluntarily agree to be bound by the CPRA if they certify with the new enforcement authority that they are in compliance with and agree to be bound by the CPRA. Of course, businesses can voluntarily choose to comply with the CCPA as well, but the CPRA provides an express provision for doing so.
2. New Rights with Respect to “Sensitive Personal Information”
The CCPA applies to the collection, use, and disclosure of “personal information.” Personal information is information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household. The CCPA also provides examples of different categories of personal information in the definition.
The CPRA defines personal information the same way, but would now include a separate definition for “sensitive personal information” (similar to the GDPR, which calls it “special category of personal data”). Sensitive personal information is defined as personal information that reveals the following:
- a consumer’s social security number, driver’s license, state identification card, or passport number;
- a consumer’s account log-in, financial account, debit card, or credit card number, in combination with any required security or access code, password, or credentials allowing access to an account;
- a consumer’s precise geolocation;
- a consumer’s racial or ethnic origin, religious or philosophical beliefs, or union membership;
- the contents of a consumer’s mail, email, and text messages, unless the business is the intended recipient of the communication; and
- a consumer’s genetic data.
Under the CPRA, if a business collects sensitive personal information, it would have to provide notice that it collects sensitive personal information (in addition to the notice required for personal information), the categories of sensitive personal information it collects, the purpose of the collection or use, and whether it sells or shares sensitive personal information.
In addition, Californians would now have the right to opt-out of the business disclosing their sensitive personal information and limit the use of sensitive personal information so that it may only be used for the business to perform services or provide goods to the consumer. In contrast, the CCPA permits essentially unrestricted use of personal information as long as a business provides appropriate notice and gives a consumer the opportunity to opt-out of the sale of the personal information (or opt-in for minors), assuming the business is a seller of personal information.
Further, businesses would now have to include a link on their internet homepage, titled “Limit the Use of My Sensitive Personal Information,” which enables Californians, or persons authorized to act on their behalf, to limit the use of their sensitive personal information. Alternatively, a business may instead allow consumers the option to limit the use of sensitive personal information through an opt-out preference signal sent with the consumer’s consent by a platform, technology, or mechanism to the business.
3. Notice Requirement for Retention Periods
Unlike the CCPA, the CPRA would require businesses to notify consumers regarding the length of time they intend to retain each category of personal and sensitive personal information. Alternatively, if a business cannot provide the length of time it intends to retain the data, it must describe the criteria used to determine the retention period, provided that the business cannot retain the personal or sensitive personal information longer than reasonably necessary to fulfill the purpose of the collection. Although this is a new obligation under the CPRA, businesses already include such a description in their privacy policy as a data privacy best practice.
4. Proportionality Requirement for Data Collection, Use, Retention, and Disclosure
The CPRA adopts the common data privacy best practice of proportionality. That is, a business’s collection, use, retention, and sharing of Californians’ personal information would have to be reasonably necessary and proportionate to achieve the purposes for which it was collected or processed, or for another disclosed purpose that is compatible with the context in which the personal information was collected. A business could not further process personal information in a manner that is incompatible with the disclosed purposes.
5. Consumers’ Right to Correct Inaccurate Personal Information
Like the GDPR, the CPRA would now provide Californians the right to request correction of inaccurate personal information that a business maintains, taking into account the nature of the personal information and the purpose of the processing of the personal information. Businesses would have to notify consumers of this new right and use commercially reasonable efforts to correct the inaccurate information upon receiving a verifiable consumer request for correction.
6. Modified Right to No Retaliation or Discrimination
Both the CCPA and CPRA preclude a business from discriminating against Californians for exercising their data privacy rights. The CPRA clarifies that this provision also prevents a business from retaliating against employees, job applicants, and contractors who exercise their privacy rights. However, a business may offer loyalty, rewards, premium features, discounts, or club card programs without violating the right to non-discrimination.
7. Right to Opt-Out of Automated Decision-Making and Profiling
Similar to the GDPR, the CPRA would require regulations governing access and opt-out rights relating to a business’s use of automated decision-making technology, which includes profiling of consumers. Profiling is the automated processing of personal information for the purpose of analyzing or predicting a person’s job performance, finances, health, personal preferences, interests, reliability, behavior, location, or movements.
Under this new right, businesses would be required to provide consumers meaningful information about the logic involved in automated decision-making processes, as well as a description of the likely outcome of the process used with respect to the consumer.
8. Right to Opt-Out of “Sharing” of Personal Information Related to Cross-Context Advertising
The CPRA expressly regulates the digital advertising industry by modifying the CCPA’s right to opt-out of the sale of personal information to now include a separate right to opt-out of the “sharing” of personal information with third parties for “cross-context behavioral advertising.” Cross-context behavioral advertising means targeted advertisements to consumers based on their activities across several websites, applications, or services from different businesses. However, a business is not “sharing” personal information for purposes of this requirement if it provides “non-personalized advertising,” which means advertising and marketing that is based solely on the consumer’s personal information derived from the consumer’s current interaction with the business, with the exception of the consumer’s precise geolocation data. Although called “non-personalized advertising,” this form of advertising is still based on the consumer’s personal information, but does not involve creating a profile about the consumer based on their interactions with multiple businesses.
If a business sells or shares personal information, it would have to include a “Do Not Sell or Share My Personal Information” link on its website, which permits consumers, or persons authorized to act on their behalf, to opt-out of selling or sharing of their personal information. Alternatively, such a business could allow consumers to opt-out of the sale or sharing of personal information through an opt-out preference signal sent to the business with the consumer’s consent through a platform, technology, or mechanism.
9. “Contractors” Subject to the CPRA
The CPRA introduces “contractors” as another category of persons that it regulates. A contractor is defined similarly to a “service provider”—a person to whom the business makes available Californians’ personal information for a business purpose pursuant to a written contract. Under this definition, the contractor would have to agree to the following restrictions in the contract: (1) it cannot sell or share the personal information; (2) it cannot retain, use, or disclose the personal information for any purpose other than the business purpose in the contract; (3) it cannot retain, use, or disclose the information outside of the direct business relationship between the contractor and the business; and (4) it cannot combine the personal information received from the business with other personal information (with some exceptions). The contractor must also certify that it understands these restrictions and permit the business to monitor its compliance. Further, the contractor may retain a subcontractor to assist in performing the business purpose if the contractor notifies the business and ensures that the subcontractor is contractually subject to these same restrictions.
The CPRA would also amend the definition of service provider used in the CCPA consistent with the definition of contractor above, and require contractors and service providers to cooperate and work with businesses in addressing consumers’ data privacy requests under the CPRA. Further, the CPRA would streamline the definition of “third party” as a person that is neither a contractor nor a service provider.
Lastly, if a business discloses Californians’ personal information to a third party, service provider, or contractor, it must enter into an agreement with these parties: (1) specifying that the personal information is disclosed to them only for limited and specified purposes; (2) obligating them to comply with all applicable provisions of the CPRA and provide the same level of protection required under the CPRA; (3) granting the business the right to take reasonable and appropriate steps to help ensure that the parties receiving the data use the personal information in a manner consistent with the business’s obligations under the CPRA; (4) requiring the parties to notify the business if they determine that they can no longer meet their obligations under the CPRA; and (5) granting the business the right, upon notice, to take reasonable and appropriate steps to stop and remediate unauthorized use of personal information. Thus, with these additional requirements, third parties, service providers, and contractors will be subject to the CPRA even if they do not otherwise meet the definition of a business.
10. Requirement to Adopt Reasonable Safeguards to Protect Personal Information
Although the CCPA does not expressly require a business to implement reasonable safeguards to protect personal information, it provides for a private cause of action if there is a data breach and the business did not implement reasonable safeguards. The CPRA would go a step further and specifically require a business to implement reasonable security procedures and practices appropriate to the nature of the personal information to protect the personal information from unauthorized or illegal access, destruction, use, modification, or disclosure. Practically speaking, however, this does not modify businesses’ existing obligations to protect personal information.
11. Exemptions for Business-to-Business and Human Resources Data
As reported here, the Legislature has extended the CCPA business-to-business and human resources data exemptions to the end of 2021. The CPRA would further extend these limited exemptions until the end of 2022. Critically, the Legislature may not be able to make these exemptions permanent because the CPRA precludes amendments that are not “consistent with and further the purpose and intent of this Act. . . .”
12. Establishment of the California Privacy Protection Agency
The CPRA would establish the California Privacy Protection Agency (the “Agency”) and empower it to implement and enforce the CPRA. The Agency would be governed by a five-member board, including the Chair. The Governor would appoint the Chair and one member of the board, while the Attorney General, the Senate Rules Committee, and the Speaker of the Assembly would each appoint one of the remaining three members.
Editor: Arsen Kourinian