Already at the cutting edge of U.S. privacy law, California jumped even further ahead of the pack with the recent approval by state voters of the California Privacy Rights Act (“CPRA”). The CPRA, which builds upon the already extensive framework of privacy rights and obligations established in the California Consumer Privacy Act (“CCPA”), is likely to be met with weariness by many subject organizations, which have, over the past couple of years, invested significant effort and resources to come into compliance with the CCPA.
Through this post, and those that follow in our CPRA Series, we will attempt to lessen that burden by identifying and discussing key features of the CPRA and how those features impact organizations’ existing CCPA compliance programs.
Notice At Collection
One important step subject organizations will need to take in response to the CPRA is to update their CCPA notices at collection. Under the CCPA, an organization is required to provide to consumers – a category which includes employees, applicants, and contractors – a notice that discloses the categories of personal information the organization collects and the purposes for which it uses that information.
When the CPRA takes effect in January 2023, organizations will be required to augment their notices to include three additional categories of disclosure. Specifically, they will need to:
- disclose whether they sell or share personal information;
- make disclosures related to their collection, processing, and disclosure of “sensitive personal information,” a new category of information created by the CPRA, which we further discuss below; and
- disclose the length of time they intend to retain each category of personal information, or, if that would not be feasible, the criteria they will use to determine that retention period.
Privacy Policy
The passage of the CPRA will also require subject organizations to revisit their privacy policies. The CCPA requires organizations to develop and post online a privacy policy that informs consumers about the existence of, and provides guidance on how to exercise, their CCPA rights: for instance, their right to know what personal information about them organizations collect, disclose, or sell; their right to request the deletion of that information; and their right to opt out of its sale.
The CPRA modifies certain of the rights provided for in the CCPA, while also adding several that are novel. Specifically, the CPRA:
- enlarges the CCPA’s 12-month look-back period for requests to “know” (while affording organizations an opportunity to deny expanded requests if compliance would be “impossible” or “involve a disproportionate effort”);
- adds to the CCPA-established right to opt out of the sale of personal information a new right to opt out of the sharing of that information;
- requires organizations, in the event they receive a deletion request, to direct any service providers, third parties, and/or “contractors” (a new category created by the CPRA) to whom they sold the personal information at issue, or with whom they shared it, to delete that information;
- creates a new category of personal information – “sensitive personal information” – and empowers consumers to direct organizations to limit their use of such information; and
- grants consumers the new right to request that organizations correct inaccuracies in their personal information.
Prior to the effective date of the CPRA, organizations will need to update their notices at collection and privacy policies to address the new and modified rights it grants consumers.