California Privacy Rights Act (CPRA)
Effective as of January 1, 2023
The cutting edge of data privacy is EVER CHANGING,
Which means that procedures are ALWAYS EVOLVING!
What is the California Privacy Rights Act (CPRA)?
On November 3, 2020, California voters approved Proposition 24, a ballot initiative which enacted the California Privacy Rights Act (“CPRA”). The CPRA amends the California Consumer Privacy Act (“CCPA”), the most sweeping consumer data protection law in the U.S. This client alert highlights the differences between the CCPA and CPRA, the newly created agency charged with enforcing the CPRA, and steps businesses can take to begin their compliance efforts. The CPRA has an effective date of January 1, 2023; however, many of its provisions will retroactively apply to personal information collected from January 1, 2022. CPRA enforcement will only begin on July 1, 2023, with a look-back to January 2022.
CPRA Background
In 2018, California lawmakers expeditiously passed the CCPA, a consumer protection statute intended to enhance the privacy rights of California residents. Since the law passed, the CCPA’s regulations have been criticized in some quarters as vague and difficult to comply with. The CPRA is expected to address some of these issues by enhancing the CCPA with modifications including expansion of individual rights, introduction of new EU GDPR-style governance measures, and establishment of a new enforcement agency, among other things.
WHAT HAS CHANGED?
New Enforcement Agency
Arguably one of the biggest changes in the CPRA is the creation of the California Privacy Protection Agency (“Privacy Agency”). The Privacy Agency will have the full administrative power, authority, and jurisdiction to implement and enforce the CPRA. The agency is empowered to impose a fine of $2,500 for each violation of the CPRA or $7,500 for each intentional violation or each violation involving a minor. Prior to this act, the CCPA was being enforced by the California Office of the Attorney General.
The CPRA eliminates the CCPA’s 30-day notice and cure provision, but the Privacy Agency has discretion to provide a business with a time period in which to cure the alleged violation—taking into consideration a lack of intent to violate the CPRA and voluntary efforts to cure the alleged violation prior to being notified of a complaint.
Covered Businesses
The CPRA modifies the CCPA’s definition of “business,” changing which entities are covered. On the one hand, the CPRA increases the CCPA collection threshold from 50,000 consumers or households to 100,000, and it removes devices from this count. This change will provide relief for small businesses. On the other hand, the CPRA expands coverage to include entities that derive 50% or more of their annual revenues from selling or sharing consumers’ personal information are now covered. While the act of sharing consumer personal information has been added, the 50% threshold remains unchanged.
Finally, in addition to the categories of “third-party vendors” and “service providers” under the CCPA, the CPRA adds “contractor” as a distinct class of regulated entities. A contractor is a third party to whom the business makes consumer personal information available to for business purposes. As with service providers, contractors must now enter into a written contract and agree to take appropriate steps to protect covered electronic data.
Who is covered?
CPRA applies to for-profit organizations that do business in the state of California and meet one or more of the following criteria:
*CPRA has exemptions. To find out more, contact e360 Privacy Office at privacy@e360.com
Sensitive Personal Information
One of the most significant changes from the CCPA is the creation of a new classification of personal information—sensitive personal information. This is a subcategory of Personal Information (PI) that includes:
- Social Security, driver’s license, state ID, or passport numbers
- Financial account information
- Precise geolocation
- Racial or ethnic origin
- Sex life or sexual orientation
- Religious or philosophical beliefs
- Union membership
- Nonpublic communication
- Genetic, biometric, and health data
Collection of sensitive personal information requires additional disclosure, opt-out, and use requirements. The distinct treatment includes granting consumers the right to limit disclosure and use of sensitive personal information except as necessary to perform the services. Companies must provide a link on their website titled “Limit the Use of My Sensitive Personal Information” in addition to the CCPA’s required opt-out link so that consumers may exercise this right.
New & Expanded Privacy Rights
The CCPA extended rights to California residents that went far beyond existing consumer privacy rights in the US: the right to know, the right to access, the right to delete, and a private right of action with statutory damages. The CPRA expands some of these rights and adds new ones.
- Expanded Right to Know/Right to Access. The CPRA expands this right beyond the CCPA’s normal 12-month look-back period as long as doing so is not “impossible” or does not involve a “disproportionate” effort. The CPRA expands the CCPA’s requirement to provide the categories of third parties to whom it discloses personal information to include the categories of service providers and contractors to whom it discloses information.
- Expanded Right to Delete. The CCPA allows California residents the right to request that a business delete their personal information if it is no longer needed to fulfill one of the statutory purposes. The CPRA expands this right, requiring businesses to send the request to delete to third parties that have bought or received the consumer’s personal information, so that all parties must comply with the request.
- Right to Opt-Out of Having Your Data Sold. The CCPA allows consumers the right to opt-out of businesses selling their data to third parties. The CPRA expands this right to include the sharing of personal information, in addition to selling. Businesses now must provide notice to consumers when their information will be shared and also notify them of their right to opt-out.
- Opt-in Rights for Minors. The CCPA requires businesses to obtain opt-in consent to sell the personal information of a California minor under the age of 16. The CPRA expands this right, mandating that businesses wait 12 months before asking a minor for consent in selling or sharing their personal information after the minor has declined
In addition to expanding several CCPA rights, the CPRA also introduces several new consumer privacy rights:
- Right to Correct Information. California consumers now have the right to request that a business correct any inaccurate personal information.
- Right to Limit Use and Disclosure of Sensitive PI. California consumers now have the right to limit the use and disclosure of sensitive personal information to uses necessary to perform services or provide goods reasonably expected by an average consumer. Service providers and third parties are also required to adhere to this limitation.
- Right to Access Information About Automatic Decision Making. Like the GDPR (General Data Protection Regulation), consumers now have the right to access information about how companies use automated decision-making technology. The CPRA allows consumers the right to opt-out of any automated decision-making processes.
- Right to Data Portability. California consumers now have the right to request that businesses transfer personal information to another entity, to the extent it is technically feasible.
Adoption of Certain European Union General Data Protection Regulation (EU GDPR) Principles
The CPRA has codified the following GDPR-inspired provisions:
Data Minimization. The CPRA restricts personal information collected by businesses to that which is “reasonably necessary and proportionate to achieve the purposes for which the personal information was collected.” This section also prevents companies from avoiding CPRA obligations by sending personal information out of state or through third parties, contractors, or service providers. When a business collects personal information and passes it on to another entity for a business purpose, the CPRA also requires an agreement to be entered into that specifies the limited purposes of the given personal information. The receiving parties also must comply with the CPRA obligations and provide the same level of privacy while the information-sharing business is allowed to take reasonable steps to help ensure that the information is transferred appropriately.
Purpose Limitation. The CPRA allows businesses to collect personal information only for “specific, explicit, and legitimate disclosed purposes” that are disclosed in advance to consumers.
Data Retention Limitation. The CPRA contains data retention limitations that, like the GDPR, require that businesses disclose to consumers “the length of time the business intends to retain each category of personal information or if that is not possible the criteria used to determine such period.”
Reasonable Security. The CPRA expressly addresses security and security breaches, which is another GDPR-inspired provision. If a business violates its duty to implement and maintain proper security procedures and practices than consumers may have a civil action to recover damages, injunctive or declaratory relief, or any other relief the court deems proper.
Private Right of Action
The CPRA’s expansion of the private right of action is arguably one of the most important provisions for businesses, given the recent rise in data breaches. The CCPA gives California consumers the private right to take legal action if their non-encrypted or non-redacted personal information becomes exposed because a business failed to implement reasonable security measures. The CPRA expands that private right of action to include unauthorized access to email addresses and passwords or security questions.
Looking Ahead
These are just a few of the changes the CPRA is making to the world of data and privacy compliance. Although all aspects of the CPRA does not take full effect until January 1, 2023, the CPRA requests that companies that do business in California should start laying the internal groundwork for CPRA compliance throughout the course of 2021 and 2022. To prepare for the CPRA, organizations can take proactive steps such as:
- If you are a CCPA covered business, then ensure your CCPA program is fully up and running.
- Determine if you are Subject to the CPRA. Some businesses that were not subject to the CCPA will be impacted by the CPRA, and vice versa.
Contact the e360 Privacy Office
It is important to remember that CCPA is still in effect and will remain so until 2023. In the meantime, e360 are ready to help companies ensure compliance with CCPA and CPRA as well as other Global, Federal, and State based privacy regulatory requirements. Please reach out to e360 Privacy Office at privacy@e360.com.
