By ballot initiative, California residents recently approved Proposition 24, or the California Privacy Rights Act (CPRA), sometimes called “CCPA 2.0,” with approximately 56 percent voting in favor. The CPRA significantly amends the CCPA by expanding individual rights, introducing new GDPR-style governance measures, and establishing a new enforcement agency.[1] The CPRA does not replace or repeal the CCPA, but rather augments it. Further, no private right of action will be added by the CPRA. The substantive provisions of the CPRA do not take effect until January 1, 2023, but certain provisions (such as those creating a Consumer Privacy Fund and establishing a California Privacy Protection Agency) become effective on the fifth day after certification, per Article II, section 10(a) of the California Constitution.[2]
Notable Changes Under the CPRA and Their Impacts
1. Deidentification
Like the CCPA, the CPRA excludes “deidentified” information from the definition of “personal information.” However, in order for information to be considered “deidentified,” businesses must now publicly commit to maintaining and using the information only in non-identified form and must contractually obligate any recipients of the information to do the same.[3]
Impact: By requiring businesses to publicly commit to deidentification practices, the CPRA creates heightened risks for claims of deceptive or unfair trade practices by businesses relying on the deidentified information exception.
2. Sensitive Personal Information
The CPRA also regulates the use of “sensitive personal information.” The concept of “sensitive personal information” is a new legal definition created by the CPRA and differs from the definition under GDPR.[4] Race and ethnic origin, health information outside of the scope of HIPAA, religious beliefs, sexual orientation, social security number, biometric information, genetic information, and personal message contents all fall under this definition.[5]
Under the CCPA, consumers’ opt-out rights were limited to the sale and sharing of their personal information. Under the CPRA, consumers may limit the use and disclosure of sensitive personal information to uses that are “necessary to perform the services or to provide the goods reasonably expected by an average consumer who requests such goods or services…”[6] This means consumers may restrict the use of their sensitive personal information for “secondary” purposes, including prohibiting businesses from disclosing sensitive personal information to third parties, but not for purposes that are necessary for performing the services requested by the consumer. Businesses must include a website link titled “Limit the Use of My Sensitive Personal Information” where consumers may exercise their rights regarding their sensitive personal information.[7]
Impact: Businesses must be able to identify what “sensitive personal information” they hold, how they use it, and why they collect it. Most importantly, they must be able to honor consumer requests to opt out of the use of that information unless it falls under the CPRA’s narrow exceptions.
3. Other New and Expanded Consumer Rights
Under the CPRA, consumers will have a number of new rights, which businesses must prepare for by implementing procedures and updating their privacy notices. These new consumer rights include: the right to correct inaccurate personal information the business holds about them;[8] the right to opt out of, and to access information about, automated decision making, including “profiling” in connection with evaluations or decisions about a consumer’s work performance, economic situation, health, personal preferences, interests, reliability, behavior, location or movements;[9] and the right to have a business transmit specific pieces of personal information to another entity in a structured, commonly used, and machine-readable format.[10]
The rights to opt out and opt in (for minors) now include “sharing” of PI for cross-context behavioral advertising, “whether or not for monetary or other valuable consideration.”[11] Under the CPRA, a business that engages in interest-based advertising would be required to post a new link titled “Do Not Sell or Share My Personal Information,” by which consumers can opt out of the sharing of their personal information with advertising partners for cross-context behavioral advertising purposes.[12]
Impact: Businesses must be prepared to honor these new consumer rights by implementing procedures for reviewing and processing requests. Businesses that use automated decision-making must be prepared to publicly disclose “meaningful information about the logic involved in such decision-making processes, as well as a description of the likely outcome of the process with respect to an individual consumer.”[13] Companies that engage in interest-based advertising must be prepared to stop doing so when a consumer submits a verified request to opt out of such sharing.
4. Service Providers and Contractors
The CPRA adds new requirements to qualify as a “service provider” and introduces the parallel category of “contractor.” While a service provider receives personal information from or on behalf of a business and processes the information on behalf of that business, a business “makes available” personal information to a contractor.[14] The CPRA imposes the same contractual and direct obligations on contractors that it otherwise imposes on service providers, and also requires contractors to certify that they understand and will comply with such contractual obligations.[15] Both service providers and contractors must keep any data they obtain about a consumer in the course of assisting a business with advertising and marketing separate from other data they obtain about the consumer from other sources, must notify businesses of any engagement with a sub-service provider or subcontractor, and must bind those parties to the same written terms as between businesses and service providers.[16] Notably, the CPRA now places obligations directly on service providers and contractors. It mandates that they cooperate with and assist businesses in providing requested personal information in response to verifiable consumer requests, as well as in correcting or deleting information or limiting the use of sensitive personal information in response to such requests, each with some exceptions.
Impact: Those acting as service providers or contractors must be prepared to cooperate with businesses in honoring consumer requests, even if their agreement with the business excludes such terms. Furthermore, businesses must review and update their existing vendor agreements to ensure that they bind vendors to the same obligations that the business has and that they permit the business to audit and monitor the recipient’s compliance with the terms of the agreement.
5. Expanded Breach Liability
In addition to the existing private right of action for breaches of nonencrypted, nonredacted personal information under the CCPA, the CPRA adds a private right of action for unauthorized access or disclosure of an email address and password or security question that would permit access to an account if the business failed to maintain reasonable security.[17] Penalties would be tripled for violations regarding minors under the age of 16.[18]
Impact: Given how frequently breaches involving usernames and passwords occur, this expanded private right of action could subject many more businesses to liability under the statute.
6. Storage Limitation
Businesses must disclose, at the time of collection, their retention periods for each category of personal information (or if that is not possible, the criteria used to determine such period). Businesses are further prohibited from retaining personal information for longer than is “reasonably necessary” for each disclosed purpose.[19]
Impact: Businesses must evaluate whether they are retaining data for longer than “reasonably necessary,” and should establish transparent company policies with firm data deletion deadlines in order to ensure compliance with this provision.
Hal Lenox and Harry Lightsey, principals with Hawksbill Advisors, contributed to this article.
[1] Consumer Privacy Rights Act
[2] See Cal. Civ. Code § 1798.160 (the creation of a “Consumer Privacy Fund”); 1798.185 (the direction for the Attorney General to adopt regulations and the mechanism to transfer regulatory authority to the new privacy agency); and 1798.199.10-40 (the establishment of the California Privacy Protection Agency, the new privacy agency vested with full administrative power, authority and jurisdiction to implement and enforce the CCPA, as amended by the CPRA).
[3] See Section 14 of CPRA, amending Cal. Civ. Code § 1798.140.
[4] “Sensitive personal information that is collected or processed without the purpose of inferring characteristics about a consumer, is not subject to [the right to limit use and disclosure of sensitive personal information] […] and shall be treated as personal information for purposes of all other sections of this Act, including section 1798.100 [regarding the notice at collection].” See Section 6 of CPRA, amending Cal. Civ. Code § 1798.106.
[5] See Section 14 of CPRA, amending Cal. Civ. Code § 1798.140.
[6] See Section 10 of CPRA, amending Cal. Civ. Code § 1798.121.
[7] See Section 13 of CPRA, amending Cal. Civ. Code § 1798.135.
[8] See Section 6 of CPRA, amending Cal. Civ. Code § 1798.106.
[9] See Section 21 of CPRA, amending Cal. Civ. Code § 1798.185.
[10] See Section 12 of CPRA, amending Cal. Civ. Code § 1798.130.
[11] See Section 13 of CPRA, amending Cal. Civ. Code § 1798.135.
[12] Id.
[13] Id.
[14] See Section 14 of CPRA, amending Cal. Civ. Code § 1798.140.
[15] Id.
[16] Id.
[17] See Section 16 of CPRA, amending Cal. Civ. Code § 1798.150.
[18] Id.
[19] Id.