The results are in, and California voters have approved the California Privacy Rights Act (CPRA), which was listed on the ballot as Proposition 24. The law, most of which does not go into effect until January 1, 2023, will substantially overhaul and amend the California Consumer Privacy Act (CCPA), which went into effect just this year, on January 1, 2020, with final regulations issued just a few months ago, on August 14, 2020. And indeed, CCPA obligations continue to evolve, with amendments to the regulations proposed by the Attorney General’s Office in mid-October 2020.
Importantly, the CPRA imposes additional obligations on and considerations for businesses subject to the CCPA, including:
- Providing consumers with the right to prevent businesses from sharing their personal information with third parties for behavioral advertising or advertising based on a consumer’s precise geolocation. Consumers will also have opt-out rights relating to the use of their personal information in automated decision-making, including consumer profiling.
- Establishing a new privacy protection agency in California dedicated to the implementation and enforcement of the CCPA and other California privacy laws, with the expectation that it will result in more scrutiny and enforcement actions;
- Expanding the scope of the CCPA’s private right of action by adding emails and passwords/security questions to the categories of personal information it covers, while leaving in place a limited private right of action for circumstances where there has been a data breach; and
- Recognizing “sensitive personal information” as a new category of personal information and requiring businesses to disclose how they collect, use and share sensitive personal information, and giving consumers the right to limit the use of their sensitive information in certain circumstances, if that information is collected for the purposes of inferring characteristics about a consumer.
Even so, with these and other new requirements, the CPRA does not go as far as some consumer privacy advocates had hoped it would. It does not expand the private right of action to all CCPA violations; it retains the opt-out consent model for the sale of personal information; and it leaves room for the continued use of loyalty and other financial incentive programs that rely upon the use of consumers’ personal information.
While businesses have until January 2023 to comply with CPRA provisions, they should start taking steps to understand and build out compliance programs soon. As the results of the 2020 election remain unsettled, and with the ultimate composition of the Senate potentially remaining unsettled until 2021, businesses likely should not hold their breath for preemptive federal privacy legislation to simplify the compliance challenge. The CPRA is significantly more complex than the CCPA and will require an investment of time and money to convert existing CCPA programs and build processes to meet the new requirements as California continues to lead the nation on, and with, privacy legislation and regulation.
A Closer Look at Key CPRA Provisions
Changes to the Definition of Businesses Subject to the CPRA. The CPRA adjusts the definition of a “business” as defined by the CCPA, broadening the scope in some cases and narrowing it in others.
The CCPA defined a “business” as a for-profit entity that does business in California and either i) has annual revenue of over $25 million a year; ii) annually buys, sells, or shares personal information of 50,000 or more consumers or households; or iii) derives 50% or more of its annual revenue from selling personal information. Additionally, an entity was defined as a “business” if it controlled or was controlled by a CCPA business and shared common branding with that business, such as a shared name, trademark or service mark.
The CPRA expanded the definition of a business in several respects. First, the third prong of the definition includes businesses that derive 50 percent or more of their revenue from sharing personal information for purposes of cross-context behavioral advertising. Second, the law adds to the definition of “business” certain types of joint ventures and partnerships which were previously not included in the CCPA. Third, it creates a new category of businesses: those that voluntarily agree to be subject to the CCPA.
However, in some cases, the definition of “business” is narrowed. Entities must annually buy, sell, or share personal information of 100,000 consumers, not 50,000 as under the CCPA, to qualify as a business under the second prong of the test. Additionally, businesses that are subject to the CCPA only by virtue of controlling or being controlled by a CCPA business must receive personal information from the covered business in order to be subject to the law.
Opt-Out Rights for Behavioral Advertising and Profiling
Perhaps the most significant feature of the CPRA is the provision that gives consumers the right to stop a business from sharing their personal information with third parties for the purpose of engaging in “cross-context behavioral advertising.” Cross-context behavioral advertising is defined as the targeting of ads to a consumer based on personal information “obtained from the consumer’s activity across businesses, distinctly-branded websites, applications, or services, other than the business, distinctly-branded website, application, or service with which the consumer intentionally interacts.” § 1798.140(k). In practice, this means consumers can prevent businesses from using technologies like cookies and pixels to track them across other websites, apps, or services and then sharing that information (e.g., websites visited or products viewed) with ad networks to deliver targeted advertisements to them. Unlike the CCPA’s current “sale” opt-out, this opt-out encompasses the sharing of personal information with a third party even where there is no exchange of consideration between the parties.
The CPRA describes two methods businesses can use to facilitate this opt-out option. One is to display an opt-out link “Do Not Sell or Share My Personal Information,” which would need to be placed and function much like the Do Not Sell link mandated by existing regulations. Alternatively, a business can comply by respecting consumers’ preferences communicated through a cross-platform global privacy control that meets technical specifications set forth in regulations. There is a two+ year runway for the development of this tool before these CPRA provisions go into effect, and a browser-based global privacy control tool developed by the aptly-named Global Privacy Control group is already being beta tested.
Automated Decision-Making – Access and Opt-Out Rights
The CPRA gives consumers opt-out rights with respect to businesses’ use of “automated decision-making technology,” which includes profiling consumers based on their “performance at work, economic situation, health, personal preferences, interests, reliability, behavior, location or movements.” § 1798.185(a)(16). In addition, consumers will be able to require a business to disclose “meaningful information about the logic involved in such decision-making processes, as well as a description of the likely outcome of the process with respect to the consumer.” Id.
The law says little else about automated decision-making rights other than to direct that regulations be issued governing these opt-out and access rights. Businesses familiar with GDPR will recognize the reference to automated decision-making, as Article 22 gives data subjects similar opt-out rights. However, unlike GDPR, the CPRA does not include any exceptions to the opt-out right and may, therefore, have a more significant impact on businesses, including on the use of artificial intelligence.
New Rights for Sensitive Personal Information
The CPRA creates a new category of information called “sensitive personal information.” This new category includes certain government-issued identifications (such as social security, driver’s license, or passport numbers), account login information, mail and email contents, or data pertaining to precise geolocation, racial origin, religious affiliations, genetics, biometrics, consumer health, and sexual orientation data.
Consumers are afforded new rights for sensitive personal information. Businesses must separately identify the categories of third parties with which they share the sensitive information and the purpose in their notices at collection, privacy policies, and in response to consumer requests.
If sensitive information is collected by a business for the purpose of inferring characteristics about consumers, the CPRA gives consumers the right to limit the use of their sensitive personal information to the uses necessary to perform the services or provide the goods the consumer would expect from the business, and to certain other uses, including the delivery of non-personalized advertisements. Businesses must provide conspicuous links entitled “Limit the Use of My Sensitive Personal Information,” in the same manner Do Not Sell links are currently required, to facilitate consumers’ ability to exercise their rights with respect to sensitive personal information.
Restrictions on the Use of Precise Geolocation Information
Businesses that use vendors to determine consumers’ precise geolocation and use that data to deliver advertisements to consumers may need to treat the transfer of consumers’ personal information for this purpose as a “sale.” “Service providers” and the CPRA’s new related category of a “contractor” are limited to entities that process personal information on behalf of a business or receive personal information from a business “for a business purpose.” A “business purpose” is defined under the CPRA to explicitly include “non-personalized advertising shown as part of a consumer’s interaction with the business.” “Non-personalized advertising” means “advertising and marketing that is based solely on a consumer’s personal information derived from the consumer’s current interaction with the business, with the exception of the consumer’s precise geolocation.”
New Obligations for Buyers and Sellers of Personal Information
The CPRA imposes a series of new obligations on businesses that sell personal information that will also impact purchasers, even if they do not qualify as a CCPA business.
Specifically, a business that sells personal information or provides it to a third party for cross-context behavioral advertising will be required to enter into a contract with the purchaser that obligates the purchaser to (a) comply with non-specific “applicable obligations” under the CCPA, including providing the same level of privacy protection, and (b) notify the seller if the purchaser determines it cannot meet its obligations in this regard. The seller, in turn, is required to “take reasonable and appropriate steps” to ensure the purchaser uses the purchased personal information “in a manner consistent with the business’s obligations under [CCPA]” and also has the right, upon notice, to take “reasonable and appropriate steps” to stop and remediate any unauthorized use of personal information, including by the purchaser. § 1798.100(d).
These provisions introduce a new level of responsibility on both sellers and purchasers of personal information and will require amendment of form purchase agreements. The same obligations also apply as between businesses and their service providers or contractors, which means businesses will need to, at a minimum, update their service provider or data protection addenda.
Data Minimization and Right to Correction
The CPRA incorporates the principle of data minimization, requiring that a business’s collection and use of a consumer’s data be reasonably necessary and proportionate to the purposes for which it was collected, and that the business refrain from using personal data in ways incompatible with the disclosed purposes for which it was collected. Similarly, businesses will not be permitted to store personal data for longer than is reasonably necessary. Consumers may request information on the length of businesses’ retention of their data. The CPRA also incorporates the right of correction, meaning consumers can ask that businesses correct any inaccurate personal information they possess.
The CPRA will also result in the adoption of new regulations imposing strengthened auditing requirements. The Attorney General will issue regulations which require businesses whose processing presents a “significant risk” to consumers’ privacy (based on their size and the nature of their data processing activities) to perform thorough cybersecurity audits on an annual basis. Businesses may also be required to provide the new CPRA enforcement agency with risk assessments of their processing of personal information on a regular basis. These assessments must weigh the benefits of the business’s processing of personal information against its risks to consumers’ privacy rights.
New Enforcement Agency
The CPRA ushers in a new era in California privacy law through the creation of the first state data privacy agency in the United States with the power to implement and enforce the amended CCPA. The agency, the California Privacy Protection Agency (CalPPA), will be responsible for issuing regulations and will share CCPA enforcement powers with the California Attorney General. It will also have responsibilities for overseeing CPRA-authorized audits, educating California consumers about their privacy rights, and acting as a privacy liaison to the California legislature and other agencies.
CalPPA will be governed by a five-member board, with the Chair and one member appointed by the Governor, and one member appointed by the Attorney General, the Speaker of the Assembly, and the Senate Rules Committee. It will hire its own staff, but until it does so, the Attorney General will provide support staff (for which it will later be reimbursed).
The agency will have initial funding of $10 million, but that is only a floor. The state legislature can vote to supplement the budget at any time.
Changes to the Private Right of Action
The CPRA authorizes a discrete, but potentially very significant, expansion of the private right of action by adding email addresses and passwords or security questions to the list of personal information categories that, if subject to a data breach, may give rise to a private right of action. Because emails and passwords are often impacted in data security incidents, adding this category of personal information is likely to increase litigation risk for businesses subject to the CCPA.
The CPRA also injects additional confusion and uncertainty into the private right of action, specifically its cure provisions. Currently, the CCPA authorizes private citizens to bring suit for statutory damages if a breach was caused by a business’s failure to implement reasonable security measures but provides the business with a 30-day notice to cure. The cause of action must be based on an alleged breach of the duty to maintain reasonable security measures, and not merely the fact of the breach, and so a “cure” could likely include steps to fortify security measures. The CPRA, however, appears to foreclose the option to cure, as it states, “the implementation and maintenance of reasonable security procedures and practices pursuant to Section 1798.81.5 [which codifies the obligation to implement reasonable security measures] following a breach does not constitute a cure with respect to that breach.” § 1798.150(b). Significantly, the CPRA did not expand the limited private right of action to encompass all violations of the law.
Extends Employee and B2B Exemptions for Two Years
Passage of the CPRA extends the limited employee and B2B CCPA exemptions through December 31, 2022. The exemptions, which were set to expire at the end of this year, limit the data subject rights of employees, job applicants, independent contractors, officers, directors, owners, and medical staff members to certain notice provisions (e.g., the right to notice at collection). Consumers that fall within the so-called B2B exemption will also continue to have limited CCPA rights (e.g., opting out of the sale of their personal information) through December 31, 2022.
In September, California amended the CCPA to extend these exemptions by one year, through December 31, 2021, in the event the CPRA did not pass. Now that it has passed, that amendment is void.
Businesses will want to keep a close eye on further possible amendments to the CCPA because once these exemptions expire, employee and B2B personal information will be subject to all aspects of the CCPA, including data access rights.