The California Privacy Rights Act (CPRA) amends the California Consumer Privacy Act (CCPA). While most of the provisions in the CPRA do not go into effect until Jan 1, 2023, the changes do cover personal information collected as of Jan. 1, 2022. For this reason, it’s important for businesses to look at how the CPRA may impact the personal information they collect and begin understanding these obligations prior 2023.
The following are six ways the CPRA may impact your business:
1. B2B AND EMPLOYEE INFORMATION EXEMPTIONS ARE EXTENDED
The CPRA extends the business-to-business and employee information exemptions in the CCPA to Jan. 1, 2023. After that time, this data will be covered by the CCPA and businesses should be prepared to treat it the same as other personal information.
2. CPRA REDEFINES BUSINESSES COVERED UNDER THE CCPA
The CPRA limits the number of small- and mid-size enterprises that are impacted. If a business does not meet the $25 million revenue threshold, it must either:
-
Annually buy, sell or share for cross-context behavioral advertising the personal information of 100,000 or more consumers or households; or
-
Derive more than 50 percent of its revenue from selling or sharing for cross-context behavioral advertising personal information
This is a change from the CCPA that covered an entity that “buys or sells, OR receives or shares for business’s commercial purpose, personal information of 50,000+ consumers, households or devices.”
Companies in the digital advertising space need to pay close attention to this newly introduced concept of cross-context behavioral advertising, which is defined as ad targeting based on information obtained about a consumer across different businesses, apps, websites or services. Among other regulations related to cross-context behavioral advertising, the CPRA grants consumers a new right to opt out of sharing of personal information for this purpose.
3. ADDITIONAL DATA RIGHTS GRANTED
The CPRA grants additional data rights related to sharing of sensitive personal information, automated data processing and profiling, correcting inaccurate information, deletion of information, and the timeframe for right to access information.
4. ADDITION OF “CONTRACTOR”
The CPRA adds the concept of a “contractor,” in addition to the already existing “service provider,” which will require companies to review and update their vendor contracts to ensure alignment with the law. A contractor is a person to whom the business makes available a consumer’s personal information for a business purpose pursuant to a written contract provided requirements are met. If your business engages a “contractor” to process personal information, the business will have additional obligations to meet in that vendor contract.
5. NEW AFFIRMATIVE SECURITY OBLIGATIONS
The CPRA adds affirmative security obligations, including requiring yearly annual auditing in certain situations, and makes clear that an enforcement action for failure to implement reasonable security procedures is possible even when there has not been a breach.
6. ELIMINATION OF 30-DAY CURE PERIOD AND NEW ENFORCEMENT AGENCY
The CPRA removes the existing 30-day cure period for enforcement actions under the CCPA and creates a new agency that will take over enforcement from the California Attorney General’s office in 2023. The elimination of this cure period is significant for businesses still trying to understand their CCPA obligations.
STEPS BUSINESSES SHOULD TAKE NOW
Looking ahead to the implementation of the changes in the CPRA, entities should review their privacy policies and vendor contracts, ensure their internal mechanisms are prepared to address expanded consumer rights and company obligations, and make sure their information security programs will meet the new requirements.