California voters just passed the California Privacy Rights Act (CPRA), also known as Proposition 24. This act will effectively replace the California Consumer Privacy Act (CCPA) once it takes effect on January 1, 2023.
The new law expands consumer privacy rights to more closely mirror the GDPR in Europe, imposes additional obligations on businesses, and establishes the first agency dedicated to ensuring Americans’ privacy, the California Privacy Protection Agency (CPPA). Even though the law won’t take effect for another three years, businesses should already start laying the groundwork to ensure compliance.
CPRA vs. CCPA: Implications For Businesses
The CPRA expands and changes the CCPA in multiple ways. Here, we will cover the main areas that are impacted by the new law, and actions businesses should consider to get prepared.
1. Which Businesses Get Regulated
The CPRA changes the definition of a regulated “business.” Some of these changes widen the scope of businesses accountable to the regulations, while others narrow it:
- Applies to businesses that process the personal information of over 100,000 consumers or households (up from 50,000 under the previous law), making the law less relevant to smaller businesses.
- Covers businesses whose primary source of revenue comes from sharing PI, not just selling it (e.g., sharing, renting, making available, or transferring consumers’ personal information).
- Extends to joint ventures and partnerships that each have at least a 40% interest.
The Takeaway: Smaller businesses can breathe a sigh of relief, as they will be held to less stringent regulatory demands than larger companies. But those that already made changes to their business practices in reaction to the old CCPA obligations may choose to maintain them.
2. Sensitive Personal Information
The CPRA defines “sensitive personal information” as a new regulated category in California. The use of data designated as “sensitive personal information” requires new disclosures, and consumers gain new rights designed to regulate businesses’ use of their sensitive PI.
Examples of sensitive PI include government ID numbers, eSignatures, credit card and login information, exact geolocation, race, ethnicity, religion, sexual orientation, union membership, the content of private communications, protected health information (PHI), and more.
The Takeaway: Businesses in highly regulated industries have even more reason now to safeguard their consumers’ PI. For example, healthcare providers will want to ensure HIPAA-compliant emails. Telecom companies will want to ensure total PCI compliance. Insurance companies will want to keep their policyholders’ sensitive data under wraps.
3. Expanded Consumer Privacy Rights
The CPRA puts forth both new rights and changes certain existing rights. The following are just a few examples.
- Right to Correction: Consumers may request any correction of their PI held by a business if that information is inaccurate.
- Right to Opt Out of (or Ask About) Automated Decision Making Technology: Consumers can opt out of the use of automated decision-making technology, including “profiling,” in connection with decisions related to a consumer’s personal characteristics or behavior. Consumers can also request access to information about how automated decision-making technology works.
- Audit Obligations: High-risk activities will require mandatory risk assessments and cybersecurity audits. The risk assessments must be submitted to the newly established California Privacy Protection Agency (see below) regularly.
- Modified Right to Delete: Businesses must notify third parties to delete any consumer PI bought or received, subject to some exceptions.
- Expanded Right to Opt Out: The CCPA already grants consumers the right to opt out of the sale of their PI to third parties. Under the new law, the opt-out explicitly covers “sharing” of PI for “cross-context behavioral advertising,” which refers to targeted advertising (more on this in the next section).
- Expanded Opt-In Rights for Minors: As with the opt-out right, businesses must wait 12 months before asking minors for consent to sell or share their PI after they have declined to provide it.
- Expanded Right to Data Portability: Consumers are entitled to request that the business transmit specific pieces of PI to another entity, as long as doing so is technically feasible.
The Takeaway: Many of the new and modified rules give consumers the right to request changes to their personal information, opt out of targeted advertising, and ask for explanations as to how targeted ads work. Businesses should make it easy for customers to contact them with concerns, perhaps through eForms on the company website.
4. Right to Opt Out of Cross-Context Behavioral Advertising
Unlike the law it’s replacing, the CPRA differentiates between two types of advertising: “cross-context behavioral advertising” and “non-personalized advertising.”
Sharing PI for cross-context behavioral advertising is subject to the Right to Opt Out, while the use of PI for non-personalized advertising is not and is instead designated as an internal “business purpose.” Delineating these distinctions affirms the common assumption that the Right to Opt Out extends to certain kinds of behavioral advertising practices.
The Takeaway: Businesses that were already distinguishing between personalized and non-personalized advertising may not need to significantly modify their compliance programs. But those that didn’t will need to start minimizing cross-contextual use. This may also mean evaluating third-party vendors and software companies, and ensuring they are up-to-date with the latest requirements.
5. Establishes the California Privacy Protection Agency (CPPA)
The EU’s GDPR uses a network of Data Protection Authorities for each member state to enforce the law.
The absence of such an authority in the U.S. has given rise to the California Privacy Protection Agency (CPPA), which will take over enforcement duties currently held by the California Office of the Attorney General (OAG).
Under the new law, the CPPA is granted investigative, enforcement, and lawmaking powers. Critically, the CPRA removes the 30-day cure for general privacy violations of the law, allowing immediate enforcement by the attorney general. The CPRA also triples the maximum penalties to $7,500 for privacy violations concerning minors.
The Takeaway: Businesses would be wise to take the new regulations seriously, as the CPPA has legal standing to enforce the rules.
6. Takes a Leaf Out of the GDPR Book
The CPRA solidifies the principles of data minimization, purpose limitation, and storage limitation — concepts that are all covered in the EU’s GDPR:
- Data minimization: A business’s collection and use of consumer PI must be minimized to what is necessary to achieve the specific purpose of that usage. Additional usage for undisclosed purposes is not permitted.
- Purpose limitation: Businesses must not collect or use PI for a new purpose without informing consumers first.
- Storage limitation: Businesses must disclose how long the PI will be retained at the time of collection. Furthermore, businesses are prohibited from storing PI for longer than is “reasonably necessary” for each stated purpose.
The Takeaway: The CPRA brings consumer privacy laws in California closer to those seen in Europe. Under the Biden administration, data protection will likely start to look more like the GDPR in other states as well. Companies outside of California are recommended to pay attention to the nuances in the CPRA and GDPR, as similar laws may be headed their way.
The Bottom Line: Prepare, Prepare, Prepare
Companies that fall under the CPRA should start reviewing their privacy policies far ahead of January 2023, when the law will take effect. The law grants consumers the right to sue companies for violations of their privacy rights, and the newly established California Privacy Protection Agency (CPPA) the right to enforce the rules. Companies that fail to prepare for the CPRA are risking immense reputational and financial damage for being out of compliance.