On Election Day, November 3, 2020, Californians voted to approve Proposition 24, also known as the California Privacy Rights Act (CPRA). The CPRA will expand California's current consumer privacy law, the California Consumer Privacy Act (CCPA) passed in 2018. After nearly two years of implementation guidance, including three rounds of edits to the proposed regulations, and thousands of pages of comments and responses, the CCPA went into effect in January 2020 and the California Attorney General began enforcement in July 2020.

Just as businesses are getting comfortable with their CCPA implementation efforts, the CPRA will require covered businesses to decipher new rules and develop new compliance measures.  Further underscoring California's commitment to consumer privacy, the CPRA also establishes a new agency for enforcing its privacy protections and issuing regulations, with an annual budget of $10 million.

While businesses will have time to prepare—the CPRA provisions that directly impact business compliance do not go into effect until January 1, 2023—the CPRA makes some major changes to operations going forward.  This article explores certain major changes made by the law that will impact business' compliance efforts, as well as tips regarding how to start your CPRA preparations now.

1.  Contractors, service providers, and their subs

The CCPA applies to three types of entities: businesses that collect personal information from consumers; vendors and other independent contractors that process such information on behalf of a business but do not use the personal information for their own commercial purposes (called "service providers"); and so-called "third parties" that collect personal information by or on behalf of a business and are not prohibited from using it for their own commercial purposes. 

The CPRA will extend certain obligations to "contractors" that receive personal information but do not process it on behalf of the business (e.g., by running analytics, aggregating or manipulating that information, or otherwise working with it to produce a requested result for the business), such as data hosting services and physical storage sites.  "Contractors" are defined broadly as any "person to whom the business makes available a consumer's personal information for a business purpose pursuant to a written contract with the business...."  Among other things, these contractors will be obligated by law to assist businesses that collect personal information with fulfilling their obligations under the CPRA.

Additionally, the CPRA adds new requirements regarding a business's relationships with service providers and generally applies them to contractors as well, including:

  • Requiring service providers and contractors to notify the business of any engagement with a sub-service provider or subcontractor.
  • Requiring service providers and contractors to bind their sub-service providers and subcontractors to the same CPRA privacy protections to which the service providers and contractors must agree.
  • Requiring service providers and contractors to cooperate and assist businesses responding to a consumer's privacy rights requests.
  • Requiring businesses to contractually prohibit service providers and contractors from combining any personal information received from the business with personal information from other sources or collected on its own behalf (subject to exceptions).

Businesses should prepare to evaluate existing service provider agreements and potentially enter into new or amended agreements with their "contractors." 

2.  Sharing personal information

The CPRA amends the CCPA to govern not only the sale of personal information, but also the sharing of personal information. While "selling" refers to the exchange of personal information "for monetary or other valuable consideration," "sharing" refers to disclosing a consumer's personal information to a third party for purposes of "cross-context behavioral advertising" (a term defined in the CPRA). The CPRA also will apply to any business that derives at least 50% of its annual revenue from sharing personal information, not just selling it.

This new requirement eliminates an ambiguity (some would say loophole) in the CCPA by making it clear that exchange or use of personal information for targeted online advertising and joint marketing arrangements needs to be disclosed, even if the participants would argue that no monetary or other valuable consideration is involved.    

3.  Sensitive personal information

The CPRA establishes a new subset of personal information, termed "sensitive personal information," subject to new protections under the law. Sensitive personal information includes government identifiers (such as Social Security numbers, driver's licenses, or passport numbers); financial account and login information (such as credit or debit card number combined with login credentials); precise geolocation; race, ethnicity, religious or philosophical beliefs, or union membership; content of nonpublic communications (such as mail, email and text messages); genetic data; biometric or health information; and sex life or sexual orientation information.  For this new class of personal information, the CPRA imposes:

  • Disclosure Requirements: Businesses must separately disclose what categories of sensitive personal information are collected, the purposes for which sensitive personal information is collected, and whether such information is sold or shared.
  • Usage Restrictions: Businesses must not collect, use, or share sensitive personal information in a manner that is "incompatible" with the specific business purposes disclosed to the consumers.
  • Data Minimization Requirements: Businesses must separately disclose the length of time that they retain sensitive personal information and will be prohibited from retaining such sensitive information longer than "reasonably necessary" to perform the disclosed purposes.
  • Greater Control for Consumer: The consumer may request that the business limit its use of their sensitive personal information for the sole purpose of providing services or goods specifically to that consumer.
  • Ability to Opt Out: Subject to certain exemptions, the business's internet homepage must include a link titled "Limit the Use of My Sensitive Personal Information," that enables consumers to limit the use and disclosure of their sensitive personal information. Such link may be combined with the business's "Opt-Out Request" link, if applicable.

4.  Limiting data retention

Under the CPRA, businesses must inform consumers about the length of time the business intends to retain each category of all personal information. If that is not possible, the business will have to disclose the criteria used to determine such period.  Under the CPRA, businesses will not be permitted to retain personal information longer than "reasonably necessary" to fulfill the disclosed purpose for collecting the personal information. The new requirement mirrors a similar requirement in the European General Data Protection Regulation and is intended to further both transparency to the consumer and data minimization (not collecting or retaining personal information in excess of legitimate business purposes).

How long is "too long" to retain personal information is not specified, but businesses should consider – and document how they determined – the reasonably necessary retention period for a specific type of personal information, and should update their record retention procedures and Privacy Policies accordingly.  

5.  Reasonable security policies

The CCPA established a duty to implement and maintain reasonable security procedures and practices; but that applied only to the categories of personal information expressly covered under the California breach notification law. The CPRA appears to extend that requirement to all categories of personal information by requiring a business "to implement reasonable security procedures and practices appropriate to the nature of the personal information to protect the personal information from unauthorized or illegal access, destruction, use, modification, or disclosure." Note, however, that the private right of action for failure to reasonably secure data continues to be limited to the categories of personal information enumerated in the data breach notification law.

6.  Request to Correct and expanded Request to Know

The CPRA provides consumers with new rights to correct inaccurate personal information and to limit use and disclosure of sensitive personal information, adding to the CCPA's right to deletion, right to know, right to opt-out and right to nondiscrimination.

The CPRA also fundamentally changes the length of time businesses will be required to cover in their responses to Requests to Know.  Under the CCPA, businesses are required to respond to Requests to Know with information related to the 12-month period prior to the request.  The CPRA will eliminate the 12-month lookback and require disclosure about personal information collected at any time after January 1, 2022, unless doing that would be "impossible or would involve disproportionate effort."

In other words, as of January 1, 2022, a business must be ready to disclose its collection, sale, sharing, other practices, as well as any information collected about the consumer after that date.  By extending the disclosure time frame, the CPRA may motivate businesses to more aggressively implement records retention programs, including keeping records of historical privacy policies and other documentation that addresses the business's covered practices.

7.  New opt-out requirements

The current CCPA required businesses to include a link on their internet homepage titled "Do Not Sell My Personal Information", permitting customers to opt out of the sale of their personal information. Under the CPRA, the link or links must permit consumers to opt out of the selling or sharing of personal information.  Businesses may combine these opt outs in a single, clearly-labeled link on their homepage that would easily allow consumers to out opt of the sale and sharing of personal information and/or to limit the use or disclosure of their sensitive personal information.

Finally, the CPRA contemplates issuing regulations to enable consumers to issue a device-level "opt out" preference signal, such as a broad signal issued by the consumer's iOS, Android, or Windows device.  Such a signal was originally proposed in the CCPA draft regulations, but ultimately stricken. It would likely be similar to the "Do Not Track" setting in device operating systems, with specifications to be adopted by regulation under the CPRA.

Beginning CPRA preparations now

The implementation of the CPRA is just beginning, but as businesses learned when implementing the CCPA, it pays to get ahead. Here are some initial proactive steps to consider as you start planning to prepare for CPRA implementation:

  1. Update (or undertake) data mapping activities to determine your points of collection, storage, access, and sharing/selling of personal information generally and "sensitive" personal information in particular.
  2. Determine whether the business engages in any "sharing" of personal information and be prepared to comply with the sharing requirements (i.e., posting an "Opt Out" link).
  3. Take advantage of the CPRA's "invitation" to update your record retention policies and practices and take more aggressive action to identify – and securely destroy—personal information when no longer needed for business purposes.
  4. Evaluate the business's procedures to address necessary updates regarding responding to Requests to Know, enabling Opt-Out Requests, establishing a process to respond to Requests to Correct.
  5. Engage with your information security team to assess whether your information security policies and practices should be updated to cover the expanded types of data enumerated under the CPRA definition of "sensitive personal information."

To learn more about how you can proactively prepare now to be CPRA compliant, please contact our Cybersecurity and Data Privacy Team. Our team is recognized on BTI Law Firms Best at Cybersecurity List honor roll, which highlights firms that stand out for their cybersecurity practices.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.