California Voters Adopt the California Privacy Rights Act
The Situation: Less than one year after the California Consumer Privacy Act ("CCPA") became effective, California voters approved the California Privacy Rights Act ("CPRA"), a consumer privacy ballot initiative that amends and expands the CCPA.
The Issues: The CPRA affords California residents significantly more control over their personal information, imposes heightened compliance obligations on covered businesses, and establishes a new enforcement agency dedicated to consumer privacy.
Looking Ahead: The CPRA's substantive provisions become effective January 1, 2023, and new regulations are expected to be introduced by July 1, 2022. Covered businesses therefore should monitor regulatory developments and carefully review their privacy compliance programs to address the law's key changes.
On November 3, 2020, California voters approved the CPRA, a consumer privacy ballot initiative that introduces significant amendments to the landmark CCPA. The CPRA will become law as written and grants the Attorney General, and subsequently the newly established California Privacy Protection Agency ("CalPPA"), the authority to adopt regulations on a range of issues. Although the law's substantive provisions do not become effective until January 1, 2023, companies should begin assessing compliance obligations in light of the CPRA's newly introduced consumer rights and extensive changes to existing CCPA business requirements. Until then, the CCPA will remain in force.
Below we outline some of the CPRA's more impactful provisions.
Altered Scope of Covered "Businesses"
The CPRA modifies the threshold requirements for covered "businesses" that collect consumers' personal information. A for-profit entity doing business in California must meet one of the three amended thresholds to become a "business":
- Gross Revenue: clarifies that the $25 million annual gross revenue threshold should be measured as of January 1 of the calendar year for the preceding calendar year; notably, the CPRA does not address whether the annual gross revenue threshold is intended to cover a business' revenue in California only or overall revenue. Businesses with an overall revenue of $25 million—whether derived from California only or in connection with other states—should consider compliance with the CCPA and the CPRA.
- Quantity of Processing: increases the number of "consumers" or "households" from whom a for-profit entity annually buys, sells, or shares personal information from 50,000 to 100,000, though notably a "device" will no longer contribute to this calculation; and
- Revenue from Selling and Sharing: requires companies to include annual revenue derived from both "selling" and "sharing" (a newly defined term) personal information when assessing whether more than half of their annual revenue is derived from such disclosures of personal information.
The CPRA also alters the scope of other entities that must comply with the law:
- Commonly Controlled Entities: narrows coverage to entities that control or are controlled by a covered "business," share common branding with the business (such that an "average consumer" would understand that the two entities are commonly owned), and "with whom the business shares consumers' personal information";
- Joint Venture: extends obligations to a "joint venture or partnership composed of businesses in which each business has at least a 40 percent interest"; and
- Voluntary Application: applies to an entity doing business in California that voluntarily certifies to the CalPPA that it is in compliance with and agrees to be bound by the CPRA.
New Category of "Sensitive Personal Information"
The CPRA creates a new category of personal information called "sensitive personal information," which includes data elements including, among others, a consumer's identification numbers (e.g., Social Security number, driver's license number, etc.), financial information, account log-in credentials, precise geolocation, racial and ethnic information, personal communications, genetic data, biometric or health information, and information about one's sex life or sexual orientation.
New and Revised Consumer Rights
The CPRA grants consumers new rights:
- Right to Limit Use of Sensitive Information: The CPRA now directs a covered business to limit its use of "sensitive personal information" to that "which is necessary to perform the services or provide the goods reasonably expected by an average consumer who requests such goods or services," among other limited uses. A covered business is required to implement either a "Limit the Use of My Sensitive Personal Information" to enable consumers to exercise these rights or a "single, clearly-labeled link … if such link easily allows a consumer to opt-out of the sale or sharing of the consumer's personal information and to limit the use or disclosure of the consumer's sensitive personal information."
- Correct Information: The CPRA affords consumers a new right to correct inaccurate personal information. Covered businesses must disclose this new right to consumers and use "commercially reasonable efforts" to correct personal information upon receiving a verifiable consumer request.
The CPRA also modifies the obligations on businesses arising from existing CCPA consumer rights, including:
- Right to Opt-Out and Advertising: The CPRA expands the existing opt-out right to include both the sale and "sharing" of personal information, which is defined as the transfer or making available of a "consumer's personal information by the business to a third party for cross-context behavioral advertising, whether or not for monetary or other valuable consideration." Companies not currently providing opt-out rights for third-party behavioral advertising technologies must adjust processes to incorporate their use of such technologies into their opt-out procedures and implement a link called "Do Not Sell or Share My Personal Information."
- Right to Deletion: A business must notify its service providers, "contractors" (discussed below), and all third parties to whom the business has sold or shared personal information to delete personal information upon receipt of a verifiable consumer request. Service providers and contractors also must pass the deletion request downstream in certain circumstances.
- Right to Know and Access: For personal information collected on or after January 1, 2022, the CPRA allows a consumer to make a request to know beyond the CCPA's 12-month look-back period as long as doing so does not prove "impossible" or "involve a disproportionate effort." Critically, this expanded right does not require a business to keep personal information for any period of time.
Expanded Notice at Collection Requirements
The CPRA expands upon businesses' notice obligations. Businesses must now inform consumers "at or before the point of collection" as to: whether personal information is sold or shared; information about the collection, processing, and disclosure of "sensitive personal information"; "the length of time the business intends to retain each category of personal information" or, if not possible, "the criteria used to determine such period," among other information.
Additional Third-Party Obligations for Service Providers, Third Parties, and Contractors
The CPRA introduces the term "contractors" defined as persons to whom a business makes available a consumer's personal information for a business purpose pursuant to a written contract with the business.
The CPRA imposes broader contracting requirements for businesses that sell, share, or disclose personal information to "service providers," "contractors," and "third parties." The agreement must, among other requirements: (i) specify that the information sold or disclosed by the business is "only for limited and specified purposes"; (ii) obligate the third party, service provider, or contractor to comply with the CPRA and "provide the same level of privacy protection as" required by the CPRA; (iii) require the third party, service provider, or contractor to notify the business if it can no longer meet its CPRA obligations; and (iv) allow the business to "take reasonable and appropriate steps to stop and remediate unauthorized use of personal information" and to ensure the receiving entity uses the personal information in a "manner consistent with the business's obligations" under the CPRA.
The newly created "contractor" designation also introduces contractual requirements, which, among other things, prohibit the contractor from sharing or selling personal information it receives; using or disclosing the personal information for any purpose other than those business purposes outlined in the contract; and combining the personal information with data received or collected through other means, subject to certain exceptions. Businesses should also review changes to the "service provider" contracting requirements to ensure existing agreements with such entities comply with the CPRA.
The CPRA also alters existing statutory exemptions, including:
- B2B and Employee Data: The CPRA extends the moratoria for certain personal information collected in the employment and business-to-business contexts to January 1, 2023. The passage of the CPRA supersedes the recent amendment signed into law that would have extended the moratoria to January 1, 2022.
- Publicly Available Information: The CPRA expands the exception for "publicly available" information—which does not constitute "personal information"—to cover information "that a business has a reasonable basis to believe is lawfully made available to the general public by the consumer or from widely distributed media," as well as "information made available by a person to whom the consumer has disclosed the information if the consumer has not restricted the information to a specific audience." This revision may reduce compliance burdens for companies that collect data from sources, such as online social media platforms where users have not restricted access to posted content.
Clear Reasonable Security Requirements
The CPRA introduces affirmative requirements for businesses to implement "reasonable security procedures and practices" for covered personal information. Notably, as discussed above, the CPRA provides that certain third parties, service providers, and contractors provide the "same level of privacy protection" as required of the covered business, potentially expanding the obligation to provide reasonable security to entities other than the covered business.
Enforcement and Liability
The CPRA makes important changes concerning enforcement and liability, including:
- New Administrative Enforcement Agency: The CPRA creates a new agency, the CalPPA, which maintains the administrative authority and jurisdiction to implement audit, and enforces the CCPA. Enforcement authority currently rests with the California Attorney General's Office.
- Expanded Private Right of Action: The CPRA expands the private right of action to apply to data breaches resulting in the compromise of a consumer's email address in combination with a password or security question and answer that would permit access to the consumer's account.
- Limited Ability to "Cure" Following a Breach: The CPRA limits the defense that businesses may have to private actions, providing that "the implementation and maintenance of reasonable security procedures and practices … following a breach does not constitute a cure with respect to that breach."
- Enhanced Liability for Children's Privacy: The CPRA seeks to enhance children's privacy rights by tripling the CCPA's fines for collecting and selling information of minors under 16 years of age. Businesses providing services to minors, therefore, may have heightened risk for fines and compliance obligations on top of those already provided under the federal Children's Online Privacy Protection Act.
Forthcoming Regulations and Enforcement
Businesses should monitor closely subsequent rulemakings under the CPRA as the law grants the Attorney General, and subsequently the newly created CalPPA, the authority to issue regulations on a wide range of topics, including: updating the definition of "deidentified," "unique identifiers," and "sensitive personal information"; identifying the circumstances under which service providers and contractors may combine personal information from multiple sources; and regulating businesses whose processing of personal information "presents significant risk to consumers' privacy or security" by requiring them to perform annual cybersecurity audit and regular risk assessments. The CPRA calls for final regulations to be adopted by July 1, 2022, one year before the CPRA becomes enforceable.
Three Key Takeaways
- Although the substantive provisions of the CPRA do not become operative until January 1, 2023, covered entities should begin a careful review of existing privacy compliance programs now to incorporate new obligations while monitoring subsequent rulemakings. Compliance with the CCPA or the General Data Protection Regulation alone will not be sufficient to meet the new requirements of the CPRA.
- Covered businesses should assess how changes to the definition of "business" may affect either their own obligations under the CPRA or the obligations of certain related and commonly controlled entities.
- While implementing any necessary changes to privacy and cybersecurity compliance programs required by the CPRA, companies must still fulfill their obligations under the CCPA.