On November 3, 2020, Californians voted to pass Proposition 24, which modifies and expands the California Consumer Privacy Act (“CCPA”), which came into force on January 1 of this year. The new California Privacy Rights Act (“CPRA”), will supersede the CCPA effective January 1, 2023. Until that time the CCPA remains in effect.
As an initial matter, the CPRA changes the thresholds for businesses to be subject to the new law. To be a covered business under CPRA, one of the following must be present:
- The business derives at least 50% of annual revenue from sharing or selling the personal information of California consumers. This is a change, in that this threshold now includes the “sharing” of personal information, thereby expanding business that come under the coverage of the CPRA and in particular impacting businesses in the ad tech sector.
- The business has gross revenue over $25 million. This provision is the same as under the CCPA.
- The business buys, sells or shares the PI of more than 100,000 California consumers/households. This provision changes the threshold from 50,000 under the CCPA to 100,000 under the CPRA. The heightened threshold means that more small business will be outside the scope of the CPRA.
Other Key Changes
The 50+ page CPRA is an extensive and detailed piece of legislation. Changes to CCPA range from minor revisions and clarification, to expanding its coverage, creating a new oversight agency, introducing new concepts and enhancing individual private causes of actions.
The main changes to CCPA are:
- Expansion of private right of action for security breaches impacting personal information. The CPRA expands the private right of action for consumers to bring claims against a business for the unauthorized access or disclosure of an email address and password or security question that would permit access to an account, along with access to a consumer’s non-encrypted and non-redacted personal information. Additionally, the CPRA creates triple damages for violations relating to consumers who are minors under the age of 16.
- Creation of Privacy Protection Agency. The CPRA creates the California Privacy Protection Agency (“CPPA”), which will replace the Attorney General’s office as the statute’s enforcer. The new agency will take up the Attorney General’s rulemaking authority on the later of July 1, 2021, or six months after it notifies the Attorney General that it is prepared to begin rulemaking. The CPPA has been given an initial budget of $10 million to fund its investigation and enforcement activities.
- Limits on “Sharing” Personal Information. The CPRA expands the CCPA’s limitations on the “sharing” of personal information to include “cross-context behavioral advertising,” whether or not for monetary or other valuable consideration. This change again looks to place further regulation around the use of personal information for behavioral / targeted advertising purposes.
- Creation of “sensitive personal information” Subcategory of Personal Information. The CPRA adds a new category of “sensitive personal information.” Sensitive personal information includes, among other categories, precise location, race, religion, sexual orientation, social security information, specified health information. The CPRA creates additional limitations on the use of sensitive personal information.
- Limitation on Retention Period. The CPRA sets limits on the collection and retention of personal information, requiring a business to retain only that which is reasonably necessary and proportionate to achieve the purposes for which the personal information was collected or processed. Further, the CPRA requires businesses to inform consumers of the length of time the business intends to retain each category of personal information and sensitive personal information, or the criteria used to determine that period.
- Limitation of the 30-Day Cure Period. Under the CPRA, businesses no longer have a 30-day window to cure alleged noncompliance before being subject to administrative enforcement. However, the CPPA will retain discretion to allow business to cure alleged violations, but the exclusion of a guaranteed right-to-cure makes early monitoring and compliance a much more critical area of focus for CPRA compliance. Additionally, the CPRA provides for a cure period that will halt statutory damages with respect to private actions, if the violation is remedied.
- Extension of Exemption for Employee and Business-to-Business Data. The current exemptions under the CCPA for handling of employee or business-to-business data were set to expire on January 1, 2021. CPRA immediately extends the CCPA’s existing partial exemptions for information relating to businesses’ employees and job applicants, as well as information collected from consumers in a “business to business” context, until at least January 1, 2023.
- Automated Processing Limitations. The CPRA creates new rules governing opt-out rights connected with use of “profiling” or “automated decision making technology.” That includes consumer/employee profiling tied to work performance, economic circumstances, health, location and other factors. The consumer also has a right to access “meaningful information about the logic involved in such decision-making processes, as well as a description of the likely outcome of the process with respect to the consumer.” The CPPA is required to develop regulations addressing access and opt-out rights relating to profiling technology.
- Right to Correct Inaccurate Data. The CPRA adds the right to correct consumer data to the existing rights of notice and deletion.
- New Requirements and Obligations for Service Providers, Contractors, and Third Parties. The CPRA places new contractual and direct obligations on service providers, contractors and third parties. Specifically, it requires businesses that send personal information to third parties to enter into an agreement binding the recipient to the same level of privacy protection as provided by the CPRA, granting the business rights to take reasonable and appropriate steps to remediate unauthorized use, and requiring the recipient to notify the business if it can no longer comply.
When Does CPRA Come Into Force? The CCPA remains in effect until January 1, 2023, at which time the CPRA (and its regulations) will take over. Businesses that are subject to the CCPA now should be looking ahead and taking all the necessary precautionary measures, such as compiling a data inventory, reviewing consumer rights policies and procedures, data retention practices and vendor and third party agreements, to be well positioned for CPRA compliance.
The Polsinelli Data Privacy Group has worked with companies throughout the world to assist in compliance with privacy and data security requirements. For more information regarding your CCPA and CPRA compliance obligations, please contact Liz Harding.