The California Privacy Rights Act (CPRA) passed by ballot measure in November 2020. While it does not repeal the California Consumer Privacy Act (CCPA), which became effective in January 2020, it does change and augment CCPA in several important ways. The following alert outlines five short- and long-term action items to prepare your business for CPRA.
1. Don't panic or hyperventilate
First, there is some good news:
- Timing - Not Effective Until 2023. CPRA doesn't take effect until January 1, 2023, giving companies more than two years to prepare for compliance.
- Threshold Raised to Favor Small-Medium Businesses. While CCPA applies to businesses with records of more than 50,000 California individuals, CPRA applies to businesses with records of more than 100,000 California individuals, so fewer small businesses and startups will need to worry about CPRA in the near term.
- Extended Time for Employee and Business-to-Business Information. CPRA extends CCPA's exemptions for employee and B2B information until January 1, 2023 (previously they would have sunset on January 1, 2022). Note that these categories of information could be addressed in separate legislation before 2023.
- Still No Private Right of Action for Violations (Other than for Breach). Despite fears from the business community, the CPRA still limits its private right of action for claims related to data breaches only, leaving enforcement for other violations in the hands of the California Privacy Protection Agency (CPPA), described in more detail below.
2. Reassess your organization's data sharing and marketing strategies in light of CPRA's changed definitions regarding data "sales" and "sharing"
CCPA famously required businesses who "sell" information to allow consumers to opt out of data "sales." CCPA's broad (and vague) definition of "sale"--any exchange of personal information for valuable consideration--led to uncertainty about whether targeted or behavioral advertising was included, and, if so, to what extent the CCPA's opt-out right applied.
CPRA clearly defines a right for users to opt out of data sale and sharing, regardless of whether valuable consideration is exchanged, and explicitly brings "cross-context behavioral advertising" fully into the fold of CPRA's opt-out requirement.
Businesses who are engaging in targeted or behavioral advertising will need to honor individuals' opt-out requests when CPRA comes into effect in 2023 and offer a "Do Not Sell or Share My Personal Information" link on their websites. However, the CPRA leaves open the possibility that a business may not need to include such a link if it honors opt-out preferences sent from an approved automated privacy technology or mechanism. This could lead to a return of browser-based opt out solutions, similar to "Do Not Track" mechanisms. Facebook, Google and other advertising and/or analytics partners may develop tools to help their customers navigate these requirements.
3. Inventory and rationalize "sensitive personal information" collected by your organization to meet new standards
CPRA adopts a definition of "sensitive personal information" that is broader and more aligned with a GDPR standard. Notably, "sensitive personal information" includes:
- Demographic information such as a consumer's racial or ethnic origin, religious or philosophical beliefs, union membership or sexual orientation
- The contents of consumers' communications
- Genetic and biometric data
- Precise geolocation
- Information about a consumer's sex life
Consumers will have separate, additional rights to opt out of the use of their sensitive personal information (see below). Businesses that collect any of the above information should consider ways to eliminate, de-identify or inventory these elements in their systems now so that the data is easily identifiable to enable compliance by 2023. It is important to strategically consider the impact on your business as soon as possible, as companies that rely on sensitive data may face challenges once CPRA is effective.
4. Prepare for additional and expanded data subject rights
While CCPA provided several data subject rights, including access, deletion and the right to opt out of sales, CPRA expands some of these rights and adds several new rights. Note that some of the below rights overlap with GDPR (as indicated with an asterisk* below), so many companies will already have programs in place to address them.
- Right to Opt Out of Sale (Modified): In addition to existing rights regarding "sale" under CCPA, consumers may now opt out of sharing (without valuable consideration) of their personal information.
- Right to Limit Use and Disclosure of Sensitive Personal Information (New): Consumers may direct the business to limit the use and disclosure of their sensitive personal information to uses necessary to perform the services or provide the goods requested. Subject to certain exceptions, businesses must provide a link at the bottom of their website titled "Limit the Use of My Sensitive Personal Information" where individuals can opt out. This is an important development for companies that rely on precise location, genetic information or that engage in ethnic and lifestyle-based marketing.
- Right to Know/Access* (Modified): A consumer may request information collected beyond the initial CCPA 12-month lookback period (applicable for information collected after January 1, 2022).
- Right to Correct/Rectify* (New): Consumers may correct inaccurate personal information.
- Data Portability* (Modified): CPRA provides clarification on the data portability right, indicating that data should be provided in a format easily understandable to the average consumer, and to the extent technically feasible, in a structured, commonly used, machine-readable format. Additionally, if the customer requests it, the business must transfer the information to another entity directly.
- Right to Delete/Right to be Forgotten* (Modified): Businesses must notify downstream third parties who received or purchased personal information to delete personal information relating to a consumer's data deletion request.
- Opt-In Requirement for Minors (Modified): Under CCPA, minors aged 13-16 must opt in to information "sale." As noted in tip 2 above, CPRA expands this requirement to include "sharing" of personal information (not just "sale"), such as in the case of targeted advertising.
- Waiting Requirement to Re-Ask for Certain Opt-Ins (New): Where an opt-in is required and a consumer declines (e.g., a minor declining to opt in to information sale/sharing or a consumer declining to opt in to financial incentives), a business must wait for 12 months before re-asking for consent.
5. Prepare for a "new sheriff in town" and a different regulatory landscape
With California's Attorney General and key CCPA advocate Xavier Becerra heading to Washington to lead the U.S. Department of Health and Human Services as part of the Biden administration, businesses should expect changes to enforcement in both the short and long term. CPRA creates a brand new agency to carry on Becerra's mission and focus exclusively on privacy. The California Privacy Protection Agency (CPPA), will consist of five members appointed by the Governor, Attorney General, State Senate and Speaker of the Assembly, and will lead investigation, enforcement and rulemaking on California privacy issues. Although Becerra had been active in enforcing CCPA, it is anticipated the CPPA will be even more active in investigations and enforcements, as this will be its primary task. However, this speculation will depend significantly on appointees of the CPPA.
Additionally, and importantly, CPRA removes the 30-day cure period for violations, meaning companies could face immediate inquiry from the CPPA, rather than the initial 30-day warning letters that the Attorney General has issued in recent CCPA enforcements (see our alert: "California AG Comes Out of the Gate Charging - 3 Steps Companies Should Take Now for CCPA"). While the CCPA is still relatively new, and to date there have not been any high-profile enforcements, this could certainly change with the CPRA. As a result, companies should start preparing now by thinking through the steps above to formulate their business as well as compliance strategy.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.