On November 3, 2020, California voters passed the California Privacy Rights Act (CPRA) ballot initiative with slightly under 60% of votes to approve the measure (as of publication). The ballot initiative, which was submitted by the architects of the California Consumer Privacy Act of 2018 (CCPA), had earlier garnered 900,000 signatures—far more than the roughly 625,000 necessary for certification on the 2020 ballot.
The CPRA amends the CCPA, adds new consumer rights, clarifies definitions and creates comprehensive privacy and data security obligations for processing and protecting personal information. These material changes will require businesses to—again—reevaluate their privacy and data security programs to comply with the law.
Effective date and timeline for enforcement
The CPRA amendments become operative on January 1, 2023, and will apply to personal information collected by businesses on or after January 1, 2022 (except with respect to a consumer’s right to access their personal information). Enforcement of the CPRA amendments will not begin until July 1, 2023.
The CCPA’s existing exemptions for business contacts, employees, job applicants, owners, directors, officers, medical staff members and independent contractors will remain in effect until December 31, 2022.
The newly created California Privacy Protection Agency (“Agency”) will be required to adopt final regulations by July 1, 2022. For more information about the Agency and its role in enforcing the amended CCPA, see our previous article.
The passage of the CPRA does not affect the enforceability of the CCPA as currently implemented.
New rights under the CPRA
In addition to the CCPA’s rights to know, to delete, and to opt out of the sale of personal information, the CPRA creates the following new rights for California consumers:
- The right to correct personal information
- The right to limit the use of sensitive personal information
- The right to opt out of the “sharing” of personal information
These rights are explained in greater detail in our previous article.
New compliance obligations for businesses subject to the CPRA?
The CPRA creates new obligations that are similar to the data processing principles found in the European Union’s General Data Protection Regulation (GDPR). Such responsibilities include:
- Transparency: Businesses must specifically and clearly inform consumers about how they collect and use personal information and how consumers can exercise their rights and choices;
- Purpose limitation: Businesses may only collect consumers’ personal information for specific, explicit and legitimate disclosed purposes and may not further collect, use or disclose consumers’ personal information for reasons incompatible with those purposes;
- Data minimization: Businesses may collect consumers’ personal information only to the extent that it is relevant and necessary to the purposes for which it is being collected, used and shared;
- Consumer rights: Businesses must provide consumers with easily accessible means to obtain their personal information, delete it or correct it, to opt out of its sale and its sharing across business platforms, services, businesses and devices, and to limit the use of their sensitive personal information; and
- Security: Businesses are required to take reasonable precautions to protect consumers’ personal information from a security breach.
The Agency’s rulemaking will also contain a number of new requirements, including:
- A requirement that businesses whose processing of consumers’ personal information presents significant risk to consumers’ privacy or security: (i) perform a cybersecurity audit on an annual basis; and (ii) submit to the Agency on a regular basis a risk assessment with respect to their processing of personal information;
- A requirement that businesses provide access and opt-out rights with respect to their use of automated decision-making technology, including profiling, and that a business’s response to access requests include meaningful information about the logic involved in that decision-making process; and
- Expanded requirements and technical specifications for an opt-out preference signal indicating a consumer’s intent to opt out of the sale or sharing of personal information or to limit the use or disclosure of the consumer’s sensitive personal information.
Additional obligations are described in more detail in our previous article.
Do businesses need to scrap their CCPA compliance programs and start over with a new CPRA compliance program?
Absolutely not. An existing CCPA compliance program will be an important and necessary foundation for CPRA compliance. Businesses subject to CPRA will, however, need to expand their existing compliance programs to include, for example, updates to privacy notices (including their privacy policy and notice at collection), procedures for additional consumer rights, updates to service provider and contractor agreements, new record-keeping requirements and cybersecurity assessments.
What should businesses be doing now?
Although the CPRA’s amendments will not be enforceable until 2023, we recommend that businesses:
- Review the revised definition of “business” to determine whether the amended CCPA will still apply to their operations. The amendments: (i) increase the threshold related to buying, selling or sharing personal information from 50,000 consumers or households to 100,000 consumers or households; (ii) narrow the “common branding” applicability test to bring into scope only commonly branded related entities with whom a business shares consumers’ personal information; (iii) bring into scope joint ventures or partnerships where the businesses involved have at least a 40% interest; and (iv) bring into scope any business that voluntarily certifies to the Agency that it is in compliance with, and agrees to be bound by, the law.
- Consider how the business will document and map its uses of sensitive personal information so that it can comply with consumers’ requests to limit the use of their sensitive personal information.
- Determine whether the new obligations and requirements can be implemented only for California consumers, or whether it would be easier for the business to implement them for all of its consumers, whether or not they reside in California.
- Consider and plan for the budget and resources the business may need to bring its current CCPA program into compliance with the CPRA amendments.
Are more changes to California privacy law expected?
Because the CPRA is subject to amendment by the California legislature through the normal legislative process, we recommend continuing to monitor the developments and modify preparations accordingly.