In the privacy world, there is no rest for the weary.  In California, while most companies were just getting their programs running to address the California Consumer Privacy Act (“CCPA“), including some last minute changes to address the final version of the regulations issued in late fall 2020, the California Privacy Rights Act (“CPRA”) was officially certified on December 16, 2020 following voter approval in another privacy referendum in the November 2020 elections. CPRA sharpens and expands many of the already strict requirements in CCPA. The full impact of CPRA has not yet come into clear focus, particularly given the complexity of certain CPRA requirements, the rapidly changing technologies that are driving business transformations across all industry verticals, and the anticipated regulatory clarifications and interpretations expected in the coming months. For reference, we outline below several core changes introduced by the CPRA vs. the CCPA, most of which are not to become operative until January 1, 2023, but all of which companies should begin to familiarize themselves with now:

  • Applicability: Modifies the applicability of the CCPA to include organizations that do business in the state of California and:
    • Have a gross annual revenue of over $25 million;
    • Buy, sell, or share the personal information of 100,000 or more California residents or households; or
    • Derive 50% or more of their annual revenue from selling or sharing California residents’ personal information.
  • B2B and HR limited exemptions: Extends the existing and limited B2B and HR exemptions to January 1, 2023. Note, however, that all parts of the CCPA that currently apply to B2B and HR contacts continue to apply. Additionally, one point of the CPRA could be interpreted to mean that the expanded employee notice requirements under CPRA (i.e., those under §1798.100(a)) should apply with immediate effect the date on which the CPRA was certified (December 16, 2020).  We consider such an interpretation would give rise to an irrational result (i.e., accelerating application of enhanced notice requirements to HR data immediately and well ahead of compliance deadlines for consumer data) and would conflict with the CPRA’s stated purpose and intent (see Section 3(8)) to extend the exemptions for employee and business to business communications until Jan. 1, 2023.  It also remains to be seen how the Attorney General and/or the California Privacy Protection Agency will interpret this issue.
  • Sensitive personal information: Introduces the concept of sensitive personal information, which includes information such as SSN, driver’s license number, precise geolocation, and biometric information, and new rights for consumers to limit the use and disclosure of such information.
  • Sharing of information: Introduces the concept of sharing of personal information, defined as the sharing of personal information by a business with a third party for behavioral advertising, for the benefit of the business, where no money is exchanged.
  • Necessity and Proportionality: Includes new obligations that the collection, use, retention, and sharing of a consumer’s personal information must be reasonably necessary and proportionate to achieve the purposes. 
  • New consumer rights: In addition to the existing CCPA rights (right to know/access, right to delete, right to opt-out of sale), the CPRA introduces the right to correct inaccurate personal information, right to opt-out of the sharing of one’s personal information, and the right to limit the use and disclosure of one’s sensitive personal information.
  • Limit the Use of My Sensitive Personal Information’: Requirement to provide a link on the business’ internet homepage (akin to the ‘Do Not Sell My Personal Information’ link) that enables a consumer to limit the use or disclosure of a consumer’s sensitive personal information.
  • New notice requirements: Expands notice requirements to include additional information regarding the sharing of personal information, processing of sensitive personal information, and retention of all categories personal information, among others.
  • Expanded private right of action: Expands the private right of action to breaches of email and password/security question that would allow access to the account.
  • Automatic fine for violations involving the personal information of minors. Introduces an automatic $7,500 fine for violations involving the personal information of minors.
  • New cybersecurity audit and risk assessment requirements. Introduces a new annual cybersecurity audit requirement, as well as periodic risk assessment requirement for businesses whose processing presents a significant risk to consumer privacy and security.
  • Enforcement. Creates the California Privacy Protection Agency and eliminates the 30-day cure period for CCPA violations.

If you have any questions about this or any other privacy or data security law development, please do not hesitate to reach out to Brian HengesbaughMichael Egan, or Harry Valetk.

Author

Brian provides advice on global data privacy, data protection, cybersecurity, digital media, direct marketing information management, and other legal and regulatory issues. He is Chair of Baker McKenzie's Global Data Privacy and Security group.

Author

Michael advises clients across various industries, including global online businesses, pharmaceutical companies, healthcare providers, manufacturers, financial institutions, sourcing providers, retail companies, and other organizations regarding the legal aspects of global privacy and data protection, data security, information technology, and related restrictions on data collection and transfer.

Author

Harry is a partner based in New York. He advises global organizations on privacy and data security compliance requirements. His practice is focused on delivering commercially practical advice on designing security, privacy, and technologically compliant solutions.

Author

Cristina focuses her practice on regulatory and transactional issues in global privacy and data protection, including data security, data breach notification, global privacy, website privacy policies, behavioral advertising, cross-border data transfers, and comprehensive compliance programs.

Author

Author

Lothar has been helping companies in Silicon Valley and around the world take products, business models, intellectual property and contracts global for nearly 20 years. He advises on data privacy law compliance, information technology commercialization, interactive entertainment, media, copyrights, open source licensing, electronic commerce, technology transactions, sourcing and international distribution at Baker McKenzie in San Francisco & Palo Alto.

Author

Helen practices international commercial law with a focus on assisting and advising technology companies with cross-border transactions, drafting and negotiating commercial agreements, and advising on global data privacy law compliance. Helena also advises software developers, e-commerce companies, and global mobile and web gaming developers on regulatory restrictions, intellectual property, contracting and data privacy.

Write A Comment