Based on preliminary election results, Californians voted to enact the California Privacy Rights Act (“CPRA”), expanding and revising the California Consumer Privacy Act of 2018 (“CCPA”) effective January 1, 2023 with a one-year look-back to January 1, 2022 for some provisions. Companies around the world with business ties to California should start updating vendor contracts and prepare for new requirements under the statute and revised regulations to be issued by a new California Privacy Protection Agency, the first of its kind in the United States.
Who and What Data is Protected? Who Must Comply?
CPRA does not materially change the broad range of applicability of CCPA. California residents will remain protected with respect to “personal information,” defined broadly as “any information that … relates to … a particular [California resident] or household.” Excluded from the definition of “personal information” are narrowly defined categories “aggregate”, “deidentified” and “publicly available” information, as well as lawfully obtained, truthful information that is a matter of public concern. The CCPA section establishing statutory damages for security breaches uses a narrower definition of “personal information” that only encompasses a prescribed list of relatively sensitive categories of information.
CPRA retains most, and modifies some, of the complex and narrowly framed exemptions and exceptions to the CCPA contained in Cal. Civ. Code § 1798.145. CPRA also states that it “shall prevail over any conflicting legislation enacted after January 1, 2020” and that any conflicting legislation “shall be null and void … regardless of the code in which it appears,” thus possibly invalidating health-information related exemptions that the California Legislature added in Cal. Civ. Code § 1798.146 in September 2020.
A business anywhere around the world has to comply with CCPA, as amended by CPRA, if it does business in California, operates for profit, determines the purposes and means of data processing, and exceeds one of three revenue/information processing thresholds, or if it is a parent or subsidiary of an entity that meets those requirements and the two use a common brand. The first threshold is triggered if the business has annual gross revenues of $25 million or more, and the third threshold is triggered if the business derives 50% or more of its annual revenue from selling or “sharing” California residents’ personal information (“sharing” is defined to mean disclosing personal information for cross-context behavioral advertising). The second threshold is triggered by the buying, selling or sharing of the personal information of California residents or households, with the CPRA amending the definition of a “business” to remove “devices” and references to “commercial purposes”, and increasing the threshold number of consumers or households from 50,000 to 100,000 or more; this amendment may remove a few smaller businesses from the scope of CCPA.
How To Comply?
Companies have to comply with various new or changed requirements as businesses, service providers and third parties under CPRA and should begin addressing key requirements:
- Revise vendor contracts and inter-company agreements. The amended CCPA requires or incentivizes using particular clauses and terminology in agreements with contractors, subcontractors and third parties, including restrictions on “selling” and “sharing” of personal information about California residents, terms that are counter-intuitively defined. “Selling” remains defined broadly as disclosing personal information “for monetary or other valuable consideration” while the new term “sharing” is defined to mean disclosing personal information “for cross-context behavioral advertising.”
- Consider making strategic changes to business activities to reduce compliance obligations. For example, because the amended CCPA strictly governs selling and sharing personal information and using sensitive personal information, companies may benefit from concerted efforts to avoid engaging in these activities. As another example, companies may wish to adopt deidentification protocols and policies so as to convert personal information into “deidentified” information as defined under CPRA, in which case fewer affirmative obligations under the statute would apply.
- Develop internal protocols for personal information “selling” and “sharing.” Businesses are subject to special disclosure, opt-out and data processing requirements depending on whether they engage in certain data sharing arrangements. For example, businesses that sell and share personal information must enable California residents to opt out of such disclosures via a link posted on every webpage with the prescribed words “Do Not Sell or Share My Personal Information.”
- Prepare for data minimization and deletion requirements. Under CPRA, the “collection, use, retention, and sharing of a consumer’s personal information shall be reasonably necessary and proportionate to achieve the purposes for which the personal information was collected,” requiring businesses to update their data collection, retention and deletion protocols.
- Enable and process consumer requests regarding “sensitive personal information.” Businesses have to adhere to “direction from a consumer not to use or disclose the consumer’s sensitive personal information” except for certain permissible purposes, and “provide a clear and conspicuous link … titled ‘Limit the Use of My Sensitive Personal Information.’” CPRA defines “sensitive personal information” to include certain prescribed categories of information, such as government identifiers, precise geolocation data, information on racial or ethnic origin, religious or philosophical beliefs, and the contents of a California resident’s mail, email and text messages addressed to someone other than the business.
- Update data subject request protocols and procedures. CPRA establishes new data subject rights and changes existing rights. New rights include the right to correct inaccurate information and limit the use of sensitive personal information. Changes to existing rights include expanding the right of access to cover information collected from any period of time after January 1, 2022, not just the preceding 12 months, and no longer permitting a business that receives a deletion request to continue to use the personal information at issue for internal purposes, even if compatible with the context in which the California resident provided the information. Businesses should train responsible personnel on their obligations under the amended CCPA upon receipt of a
- Comply with requirements regarding processing minors’ personal information. Selling and sharing the personal information of minors is subject to special requirements, such as requiring opt-in consent from either the minor if between 13 and 15 years old or the parent/guardian if the minor is 12 or under. Penalties under the amended CCPA are tripled for violations regarding minors under the age of 16.
- Upgrade and document security measures. CPRA requires businesses to implement reasonable security procedures and practices to be further prescribed in detail by a newly established California Privacy Protection Agency in regulations.
- Keep up-to-date. The California Privacy Protection Agency is required to adopt regulations implementing CPRA by July 1, 2022, and is tasked with providing guidance to California residents and businesses regarding the substance of the amended CCPA. Companies should keep abreast of developments relating to how the agency plans to interpret and enforce the law while also following CCPA regulations issued and changed by the California Attorney General (most recently in October 2020) as well as legislative changes to CCPA (most recently enacted in September 2020).
Sanctions and Remedies
The California Privacy Protection Agency may investigate possible violations of the amended CCPA and hold hearings to determine if a violation has occurred. The agency gives 30-day notice of violations to companies, and may also issue cease-and-desist orders and order entities to pay an administrative fine of up to $2,500 for each violation or up to $7,500 for each intentional violation and each violation involving the personal information of minors. Penalties paid by businesses are to be deposited in a Consumer Privacy Fund earmarked to offset government enforcement costs. Non-profit organizations receive 3% of proceeds from such penalties to promote and protect consumer privacy. CPRA maintains the private right of action relating to data breaches originally found in CCPA, but does not expressly establish new private rights of action.