The California Privacy Rights Act (CPRA) is on the ballot this November. It is expected to change the legal landscape of data privacy regulation by bringing significant changes to the California Consumer Privacy Act (CCPA) and imposing stricter obligations on businesses. Some of the key changes that will be introduced by the CPRA are as follows:
Application and Scope
The CCPA currently applies to businesses who operate in California which:
- Have $25 million in gross annual revenue;
- Obtain or share personal information of at least 50,000 California residents, households, and/or devices per year;
- Generate at least 50% of their annual revenue from selling California residents’ personal information.
The CPRA will only apply to businesses who operate in California, which:
- Have $25 million in gross annual revenue;
- Obtain or share personal information of at least 100,000 California residents, and households;
- Generate at least 50% of their annual revenue from selling California residents’ personal information.
New timeline for enforcement
November 2002: Ballot results are certified and CPRA is enacted if voted in
January 2021: CPRA becomes operative
February 2021: California Privacy Protection Agency gets established
July 2021: Rulemaking process commences
January 2022: 12-month lookback period for collected data commences
July 2022: Deadline for CPPA to adopt final regulations
January 2023: CPRA becomes fully operative and enforceable; employment and B2B exemptions expire, and those datasets become fully integrated by the CPRA
The California Privacy Protection Agency
One of the strongest criticisms of the CCPA was that it failed to create an independent entity for the enforcement of the highly specialized data protection law. The CPRA however addresses this by creating a new dedicated enforcement authority, the California Privacy Protection Agency (CPPA).
The CPRA creates a new sub-set of personal information, sensitive personal information. Businesses cannot use sensitive personal information for purposes other than it was collected unless they provide notice to the concerned consumer along with an opportunity to stop further processing.
New Consumer Rights under the CPRA
The CPRA gives consumers new rights and modifies the already existing rights under the CCPA. Below is a consolidated list of rights under the CPRA:
CPRA modified rights
- Right to Delete: Businesses are now required to notify third parties to delete any consumer PI bought or received, subject to some exceptions.
- Right to Opt-Out: The CCPA already grants consumers the right to opt-out of the sale of their PI to third parties, which implicitly includes sensitive PI; however, the opt-out right now covers “sharing” of PI for cross-context behavioral advertising.
- Opt-In Rights for Minors: Extends the opt-in right to explicitly include the sharing of PI for behavioral advertising purposes. As with the opt-out right, businesses must wait 12 months before asking a minor for consent to sell or share his or her PI after the minor has declined to provide it.
- Right to Data Portability: Consumers may request that the business transmit specific pieces of PI to another entity, to the extent it is technically feasible for the business to provide the PI in a structured, commonly used and machine-readable format.
CPRA new rights
- Right to Correction: Consumers may request any correction of their PI held by a business if that information is inaccurate.
- Right to Opt-Out of Automated Decision-Making Technology: The CPRA authorizes regulations allowing consumers to opt-out of the use of automated decision-making technology, including “profiling,”
- Right to Access Information About Automated Decision-Making: The CPRA authorizes regulations allowing consumers to make access requests seeking meaningful information about the logic involved in the decision-making processes and a description of the likely outcome based on that process.
- Right to Restrict Sensitive PI: Consumers may limit the use and disclosure of sensitive PI for certain “secondary” purposes, including prohibiting businesses from disclosing sensitive PI to third parties subject to certain exemptions.
New data breach liability
The CPRA has expanded the types of covered personal information to include emails and passwords, two of the most common types of information leaked in data breach events. The CPRA also clarifies that any implementation of reasonable security measures after the occurrence of a data breach does not cure the violation.
Profiling and Automated Decision-Making
Under the CPRA, businesses are required to honor opt-out and access requests received for the processing of personal information by automated decision-making including profiling. For the purposes of an individual’s right to object to profiling, businesses must provide meaningful information about the logic involved and a description of the likely outcomes of such decision-making processes.
The CPRA has introduced stricter penalties against failure to protect personal information belonging to minors. Any violation of an opt-in sale and share of personal information rule in relation to a minor can result in a $7500 administrative fine, which is three times the minimum amount of $2500. Moreover, the CPRA requires businesses to respect global opt-out preference signals identifying consumers as minors.
Notification obligations
The CPRA introduces the following new notification obligations on businesses that were not explicitly part of the CCPA:
- Data Collection: The CPRA requires businesses to notify consumers of all categories of personal information they collect, use, share and sell including sensitive personal information. Businesses also cannot collect any additional categories of personal information or use the consumer information already collected in a manner inconsistent with the originally disclosed purpose without notifying the consumer.
- Data Retention: A business must notify the consumer of the length of time it intends to retain each category of personal information it has collected, including sensitive personal information, or - if that is not possible - the criteria used to make that determination. No personal information should be retained longer than it is reasonably necessary to fulfill the disclosed purpose it was collected for.
- Data Minimization: The consumer shall be notified by the business how the collection, use, sale, sharing and retention of their personal information is reasonable, proportionate and necessary to achieve the purpose it was collected, used, sold, shared and retained for and it will not be used for any other purpose.
- Reasonable Security Measure: Every business shall take reasonable security measures and practices appropriate to the nature of the personal information to protect it from data breaches.
Business Entities
The CPRA classifies three distinct categories of entities a business is likely to interact with in relation to the processing of personal information of consumers and requires businesses to have written contracts to engage with them. These categories are contractor, service provider and third-party. Businesses must take reasonable steps to ensure that the entities they are engaging with protect personal information as per the requirements of the CPRA.
Frequently Asked Questions (FAQs)