Summary of CPRA
Section 1: Title: The California Privacy Rights Act of 2020
This section mentions the term by which the law is to be cited.
Section 2: Findings and Declarations
Section 2 is a preamble to the necessity of establishing a law that puts consumers on equal footing with businesses with regards to controlling how the latter collects, stores, shares, or sells consumers' personal information. This section has twelve sub-sections (A to L) that give us a sketch of the concept of privacy rights, its inclusion in the California Constitution in 1972, the proposition and enactment of various privacy laws including the CPPA, the need to have bolstered consumers' rights, the need to have parental or guardian approval in case of a minor's consent, data security and business accountability, and the need to have an independent agency that ensures full enforcement of the law.
Section 3: Purpose and Intent
Section 3 is one of the critical sections of the act as it covers the essence that guides the implementation of the act. The section is further broken down into three subsections:
- Section A, Consumer Rights - defines and establishes the varying rights that consumers have over the protection and privacy of their data, and how they can execute those rights.
- Section B, The Responsibilities of Businesses - cites mostly limitations around consumers' privacy and data protection, and accountability when it comes to violations.
- Section C, Implementation of the Law - is critical to the successful implementation of the law as it limits the Legislature from introducing any amendments that compromise or weaken consumer privacy.
Section 4: General Duties of Businesses That Collect Personal Information
Section 4 of the CPRA establishes the general responsibilities or principles that CPRA-applicable businesses must follow when dealing with consumers' personal information. Specifically, this section highlights the following important obligations:
- Businesses that control the collection of consumers' personal information need to inform them about the following prior to collection:
- the categories and purposes of personal information and sensitive personal information to be collected or used and whether such information is sold or shared;
- duration the business intends to retain each category of such information, the criteria used to determine such period, to ensure that the business does not retain a consumer's personal information or sensitive personal information for longer than is reasonably necessary other than for the disclosed purpose.
- Businesses must ensure that their collection, use, retention, and sharing of consumers' personal information is reasonably necessary and proportionate to their stated intent.
- For the sale, sharing, or disclosure of Personal Information to third parties, service providers, or contractors, businesses are required to enter into agreements, which outline:
- the limited and specified purposes of personal information being sold or disclosed by the business;
- obligations that the third party, service provider, or contractor has to comply with to provide the adequate privacy protections;
- reasonable and appropriate steps to ensure that the third party, service provider, or contractor uses the personal information in line with the business's obligations;
- how a third party, service provider, or contractor can notify a business when it is unable to meet its obligations; and subsequently the rights of the business to take reasonable and appropriate steps to stop and remediate unauthorized use of personal information in such a case.
Businesses must implement reasonable security procedures to protect personal information from unauthorized or illegal access, destruction, use, modification, or disclosure.
Section 5 to Section 11 discusses the rights of consumers under the CPRA.
Section 5: Consumers' Right to Delete Personal Information
Section 5 empowers consumers to exercise their right to delete personal information collected by businesses or any third parties and in such cases:
- Any business that receives a verifiable consumer request should comply with it and also notify all third parties to whom they have sold, or shared such personal information to delete it;
- A confidential record of deletion requests should be maintained by the business.
However, the right to deletion comes with a certain set of limitations. For instance, businesses may not comply with the request if the information is reasonably necessary:
- To complete transactions for which the personal information was collected;
- To fulfill the terms of a written warranty or product recall conducted in line with Federal Law;
- To provide a good or service as requested by the consumer as well as internal use of the business which is compatible with the context in which the consumer provided the information;
- For the performance of a contract between the business and the consumer;
- To exercise free speech or any other rights provided by the law;
- To comply with the California Electronic Communications Privacy Act;
- For public, peer-reviewed scientific or historical research that conforms with all privacy laws.
Section 6: Consumers' Right to Correct Inaccurate Personal Information
Section 6 enables consumers with the right to request a business to update and correct inaccurate personal information a business may have about them and obliges the business to carry out the update or rectification. It is important to highlight that businesses are obliged to use "commercially reasonable efforts" to correct personal information.
Section 7: Consumers' Right to Know What Personal Information is Being Collected. Right to Access Personal Information
Often cited as the right to access, Section 7 provides consumers with the right to request businesses to disclose information relating to the:
- Personal Information collected from consumers;
- The source from where it was collected;
- The business or commercial purpose for collection; and
- The category of third parties with whom the information is shared or sold.
Businesses are also obliged to disclose this information to their consumers in a general manner in their privacy notice.
Section 8: Consumers' Right to Know What Personal Information is Sold or Shared and to Whom
Section 8 is a continuation of the aforementioned right to access, Section 8 allows consumers to request businesses to disclose information relating to the:
- Categories of personal information sold or shared and categories of third parties to whom it was sold/shared;
- Categories of personal information disclosed for a business purpose and categories of persons to whom it was disclosed.
Businesses are also obliged to disclose this information to their consumers in a general manner in their privacy notice.
Third parties to whom a consumer's personal information is sold or shared are restricted from further selling or sharing consumers' PI unless the consumer first receives an explicit notice and has been given an opportunity to exercise their right to opt-out, which is defined under Section 9.
Section 9: Consumers' Right to Opt-Out of Sale or Sharing of Personal Information
Section 9 establishes the right of a consumer to opt out of the sale or sharing of their personal information by a business. Furthermore, guardians of a minor (under 13) must provide opt-in consent for the sale and sharing of their Personal Information, and in the case of consumers from ages 13 to 16, a business needs to get the opt-in consent of the minor.
Section 10: Consumers' Right to Limit Use and Disclosure of Sensitive Personal Information
Section 10 details the consumers' right to limit the use or disclosure of their sensitive personal information including:
- Right to limit the business to collect sensitive personal information to only that usage which is reasonably necessary to perform the services or provide the goods to an average consumer;
- Right to notification by a business who has used or disclosed the consumer's sensitive personal information for other than the specified purpose;
- Right to give consent for the use or disclosure of sensitive personal information for additional purposes;
- Moreover, a service provider or contractor to whom the consumer's personal information is disclosed is required to limit its use of sensitive personal information if the consumer requests the business and it is communicated to the service provider/contractor.
Section 11: Consumers' Right of No Retaliation Following Opt-Out or Exercise of Other Rights
Section 11 prohibits businesses from discriminating against the consumer when it comes to product offerings, pricing, or the quality of good that is being offered and from retaliation against an employee, an applicant for employment, or an independent contractor if they exercise any of their rights under this law.
Moreover, if a consumer refuses to provide opt-In consent, then the business has to wait for at least 12 months before requesting the consumer provide opt-in consent.
Also, a business can offer financial incentives including payments as compensation to the consumer for the collection, sale, or sharing of their personal information. However, these incentives should not be unjust, unreasonable, coercive, or usurious in nature.
Section 12: Notice, Disclosure, Correction, and Deletion Requirements
Section 12 gives details regarding fulfillment of Data Subject Rights (DSR), including but not limited to:
- Designating at least two methods through which customers can submit requests including a telephone number, and an email address (in case the business operates online), or an internet website where requests can be submitted;
- All DSR requests need to be verified and responded to within 45 days of receipt. This can be extended by additional 45 days when reasonably necessary and the requesting consumer is provided notice of the extension;
- A DSR request to access can deal with disclosures of the required information covering the 12-month period preceding the business's receipt of the request. However, if the request requires information beyond this period the business is obligated to only provide information that is collected on or after January 1, 2022;
- Service providers or contractors are obligated to provide assistance to a business with which it has a contractual relationship to help fulfill a verifiable consumer request;
Section 13: Methods of Limiting Sale, Sharing, and Use of Personal Information and Use of Sensitive Personal Information
Section 13 discusses the methods through which customers can exercise their right to limit the sale or sharing of their personal or sensitive personal information. Section 13 instructs businesses to provide consumers with 2 "clear and conspicuous" buttons on their homepage that must be titled:
- "Do Not Sell or Share My Personal Information."
- "Limit the Use of My Sensitive Personal Information."
Moreover, the business can also use a single, clearly-labeled link on the business's internet homepage allowing a consumer to opt out of the sale or sharing of the consumer's personal information and to limit the use or disclosure of the consumer's sensitive personal information and must also build capabilities to receive and recognize a global opt-out preference signal.
Section 14: Definitions
Section 14 provides the definitions for the varying terms which are used throughout the act, including but not limited to business, advertising and marketing, biometric information, business purpose, commercial purpose, consent, consumer, and cross-context behavioral advertising, to name a few.
Two of the most significant terms added by the CPRA are:
- ‘Share' means the non-monetary exchange of personal information between a business and a third party for the purposes of cross-contextual advertising.
- ‘Sensitive personal information' which SPI includes highly sensitive data, such as Social Security Number, Driver's license, State identification card, Passport Number, Financial account information and log-in credentials, Debit Card or Credit Card number along with access codes, Precise geolocation data, Religious or philosophical beliefs, Ethnic origin, Contents of communication, Genetic data, Biometric information for the purposes of identification, Health information and Information about sex or sexual orientation.
Section 15: Exemptions
Section 15 is one of the extensive sections in the CPRA that outlines that the obligations imposed on businesses do not prohibit a business's ability to
- Comply with federal, state, or local laws or court requirements;
- Comply with requirements of law enforcement agencies;
- Cooperate with government agency requests for emergency access in cases of risk, the danger of death to a person;
- Exercise or defend legal claims;
- Collect, use, retain, share or disclose de-identified or aggregate consumer information;
- Collect, share, or sell consumer personal information if the commercial conduct in question takes place outside of California.
The section also outlines how this act does not apply to including but not limited to:
- Medical or protected health information pursuant to the HIPAA 1996 and the Health Information Technology for Economic and Clinical Health Act;
- Activities of consumer reporting agencies;
- Personal information subject to regulation under the Fair Credit Reporting Act;
- Personal information collected, processed, or sold subject to the Gramm-Leach-Bliley Act;
- Personal information collected, processed, sold, or disclosed pursuant to the Driver's Privacy Protection Act, etc.
Section 16: Personal Information Security Breaches
Section 16 highlights the right of consumers to institute a civil action to recover damages when their personal information is breached due to the businesses' neglect in not providing adequate security and protection. Damages can range from $100 to $750 per consumer per incident or actual damages (whichever are higher), consumers can also request any injunctive or declaratory relief.
However, prior to initiating such an action in the case of a breach, a consumer is to provide a business a written notice of thirty days identifying the specific violations under the law and the business has 30 days to cure the violation. However, the CPRA has clarified that businesses cannot cure the violation by beginning to provide adequate security to the personal information after a breach event has occurred.
Section 17: Administrative Enforcement
Section 17 introduces us to administrative fines in the event of a violation. For every individual violation, a business may be fined in an administrative enforcement action by the California Consumer Protection Agency (CPPA) ranging from $2,500 for each violation, or $7,500 for an intentional violation or a violation involving the personal information of consumers below 16 years of age. It is important to note that the CPRA has also removed the 30-day cure period for violations of the law by businesses, service providers, contractors, and third parties.
Section 18: Consumer Privacy Fund
A special fund, named "Consumer Privacy Fund," is created under Section 18 CPRA. The funds, received from fines, will firstly be used to offset any cost incurred due to CPRA enforcement. The section further breaks down the percentage of the fund that is either to be kept in the State Treasury or used for privacy awareness programs.
Section 19: Conflicting Provisions
Section 19 discusses the purpose of the law and how it is intended to supplement other laws that ensure consumers' privacy and data protection. The section states that the provisions of this law are not limited to information collected electronically or over the internet, but apply to the collection and sale of all personal information collected by a business from consumers.
Moreover, in the case of conflict between other laws and the provisions of CPRA, precedence will be given to the law that provides the greatest protection for the right of privacy for consumers.
Section 20: Preemption
Section 20 establishes that CPRA preempts other local laws.
Section 21: Regulations
Section 21 provides a decent list of obligations and responsibilities for the Attorney General, which are later passed on to the newly created agency under CPRA: California Privacy Protection Agency (CPPA). Amongst the highlighted regulations include establishing rules and procedures for an annual cybersecurity audit, regular risk assessments, opt-out scope definition, and specifications for defining what constitutes a minor.
Section 22: Anti-Avoidance
Section 22 outlines provisions empowering courts or the California Protection Agency to disregard intermediate steps or transactions conducted by a business or otherwise with the intention of avoiding the requirements of the CPRA. This provision signifies that businesses if subject to the CPRA should implement the necessary protocols to be in full compliance with its requirements.
Section 23: Waiver
Section 23 deems any agreement or contract void or unenforceable that waives or limits rights under CPRA, as it's contrary to public policy.
Section 24: Establishment of California Privacy Protection Agency
Under Section 24, the CPRA establishes a new enforcement agency, CPPA, that will be enforcing and implementing the act instead of the Attorney General. Section 24 further details the timeline of the appointment of the agency, and its members.
Section 25: Amendment
Section 25 restricts the Legislature from amending the act unless the amendments are intended for the purpose of enhancing privacy protection.
Section 26: Severability
Section 26 defines the severability of the act, such as if any part of the act is deemed invalid for any reason, the remaining provisions will not be affected and will remain in full force and effect.
Section 27: Conflicting Initiatives
Section 28: Standing
Section 28 cites that if the State or its officials fail to defend the constitutionality of the act, any other government agency of the State shall have the authority to intervene in any court action to defend its constitutionality.
Section 29: Construction
The act shall be construed liberally to give full effect in implementing the statute's requirements.
Section 30: Savings Clause
Section 30 strictly cites that the act shall supplement other federal or state laws but shall not apply where it conflicts with federal or state laws, or the California Constitution.
Section 31: Effective and Operative Dates
Section 31 states the effective date of the CPRA which will be January 1, 2023, with the exemption that the right to access personal information may not apply for PI collected by a business on or before January 1, 2022.