While the world anxiously awaited the results of the November 2020 U.S. federal elections, California quietly passed California Proposition 24, the California Privacy Rights Act (CPRA). Labeled on the ballot simply as “Expand Consumer Privacy,” the ballot initiative passed with little lobbying by businesses and an overwhelming majority, making the CPRA one of the most expansive privacy laws in the United States and a template for both a possible federal privacy law and other states. The law contains revisions to the CCPA that include significant new obligations for businesses, many of which mirror those of the European General Data Protection Regulation (GDPR). In fact, many of the new obligations are adopted wholesale from the GDPR with little, if any, modification. However, the CPRA continues to be a relatively long and often vague and ambiguous law that spreads an organization’s obligations across multiple sections rather than modeling a relatively well-structured privacy law like the GDPR. While organizations that comply with the GDPR have a significant head start on compliance with the CPRA, compliance with the GDPR is not sufficient for compliance with the CPRA (or even the CCPA, for that matter), or vice versa. As a result, some organizations will continue to have to comply with multiple, partially overlapping and partially divergent regulatory schemes, with the possibility of additional states adopting similar or different laws in the future.
THE CPRA: WHAT YOU NEED TO KNOW
- Threshold for applicability based on amount of processing raised from 50K consumers to 100K consumers.
- B2B and employment information exceptions extended to January 1, 2023.
- Creates the California Privacy Protection Agency (CPPA) as the first agency in the U.S. charged solely with enforcing privacy rights.
- New privacy notice obligations: right to know about information shared with third parties for contextual advertising, longer lookback period for the right to know, disclosure of retention periods, and the right to correct information.
- New consumer rights: right to correct personal information, limit the disclosure of personal information for contextual advertising, and limit the use of sensitive personal information.
- Businesses must contractually require service providers and contractors to maintain the same level of protection as that required under the CPRA and to assist the business in complying with data subject rights.
- Where processing presents significant risk to consumers’ privacy or security, businesses must conduct a privacy impact assessment, undergo an annual independent cybersecurity audit, and provide the results of a risk assessment to the CPPA.
- Businesses are required to limit the processing of personal information to what is necessary for the purposes for which the information was collected.
- Businesses are required to implement reasonable security measures and can be held liable for data security incidents resulting from a failure to implement them, including for compromises of email addresses and the credentials required to access an account.
- The CPPA can bring enforcement actions immediately without any cure period, and statutory fines are enhanced for violations involving a minor’s personal information.

WHAT TO DO TO PREPARE
- Begin data mapping to understand the types of data the business holds, how it is protected, and the purposes for which it is used.
- Update policies and procedures to comply with the new requirements and obligations of the CPRA.
- Update the privacy notice to comply with the new disclosure requirements.
- Perform a privacy impact assessment.
- Begin engagements with independent cybersecurity audit firms for high-risk processing.
- Draft and adopt a data privacy addendum for use with third parties.
Background of the CPRA
The CPRA is the result of Alastair Mactaggart’s frustration with the legislative amendments to the CCPA. Those who have been following the progression of privacy in California may recall that the CCPA was initially enacted due to Mactaggart’s compromise with the California legislature to pull his original ballot initiative from certification in exchange for the somewhat rushed passage of the CCPA. The California legislature has since proposed and considered several bills to amend the CCPA, which Mactaggart believed inappropriately weakened the privacy protections of the CCPA. To ensure the CPRA is not weakened by legislation or attacked by its opponents, Mactaggart decided to introduce the CPRA by bypassing the legislature and having the law certified on the November ballot as Proposition 24. By doing so, he secured the long-term viability of the CPRA and made it somewhat immutable. While amendments that would enhance the CPRA only require a simple majority to pass, any amendment that would purport to weaken the CPRA would require a two-thirds majority vote by both the Senate and House of Representatives, making any such process highly improbable.
New Thresholds for Applicability
The CPRA slightly changes the thresholds for “businesses” such that some small and medium-sized businesses may find themselves no longer subject to the CPRA (even after expending resources to comply with the CCPA). In contrast, a small subset of other businesses may find themselves newly subject to it. The new thresholds are met when an organization:
- Annually buys, sells, or “shares” personal information of 100,000 or more consumers or households. The CCPA threshold was 50,000 consumers.
- Has annual gross revenues of $25M or more in the prior calendar year. The CPRA clarifies that annual revenue is measured on January 1 for the previous calendar year and not the anticipated or forecasted revenue for the current year. Since the CCPA regulations failed to address whether the annual revenue calculation was supposed to be based upon revenue derived from within California, and the CPRA failed to clarify this, organizations should continue to expect that their overall (worldwide) revenue will be considered.
- Derives 50% or more of its annual revenues from selling or sharing the personal information of consumers. “Sharing” is an important new term defined in the CPRA, as described below.
The CPRA also clarifies that it applies to affiliates of the business with whom the business shares consumers’ personal information, if that affiliate controls or is controlled by a business subject to the CPRA and shares a name, service mark, or trademark such that the consumer would understand that the two or more entities are commonly owned.
The CPRA also applies to joint ventures composed of businesses in which each business has a 40% or greater interest in the joint venture. The joint venture and each participating business are each considered a separate business under the CPRA.
The CPRA also allows organizations to voluntarily certify their compliance to the new California Privacy Protection Agency (the CPPA). While few organizations are likely to voluntarily subject themselves to the obligations of the CPRA (especially the small and medium-sized businesses that are already excluded), some may choose to do so, especially if they perceive a competitive reputational benefit and have already expended resources to comply with the CCPA and the GDPR.
Extension of B2B and Employment Information Temporary Partial Exclusions
The CPRA extends the partial exclusions for employment and business-to-business information provided under the recent amendments to the CCPA for an additional year, until January 1, 2023.
Consumer Rights and Business Obligations
The CPRA modifies some of the consumer rights and business obligations and creates several new ones, including:
- An explicit right to correct inaccurate personal information. Businesses must make commercially reasonable efforts to correct the inaccurate personal information that the business maintains upon a verifiable consumer request.
- The right to opt out of a business’s “selling” or “sharing” of personal information. The new definition of “sharing” makes it clear that the disclosure of personal information (including unique identifiers in cookies) for cross-context behavioral advertising, with or without consideration, will be subject to the consumer’s right to opt out of such a disclosure. The implication is that, for other types of disclosures, i.e., those not made in the context of behavioral advertising, not all disclosures will be deemed a sale. However, the CPRA fails to provide the much-needed clarity on what consideration for disclosing personal information is necessary for the disclosure to be considered a “sale” subject to the opt-out rights (or to a requirement to enter into certain contractual obligations with contractors and service providers).
- The right to know what personal information has been sold or shared. While this right largely matches the right under the CCPA, it has now been expanded to not just information disclosed for monetary or other valuable consideration but also to include personal information shared for cross-context behavioral advertising, with or without consideration.
- The right to limit the use of Sensitive Personal Information. The CPRA defines a new class of personal information called “sensitive personal information,” which includes personal information that reveals a consumer’s social security number or other government-issued ID number; a consumer’s account log-in or financial information together with any required security credentials; a consumer’s “precise” geolocation (within 1850 feet); a consumer’s racial or ethnic origin, religious or philosophical beliefs, or union membership; a consumer’s genetic data; and the contents of a consumer’s mail, email, or text messages (unless the business is the intended recipient of that communication). It also includes personal information collected and analyzed concerning a consumer’s health, sex life, or sexual orientation, but explicitly excludes publicly available information. Although the definition in the CPRA is broader than the similar GDPR definition of “special categories of personal data,” unlike the GDPR, the CPRA does not require consent for processing this new category of personal information and only provides consumers the right to limit the use and disclosure of sensitive personal information to what is necessary for the business to provide its goods and services. The CPRA requires that the business provide consumers with a link to exercise this right, which may be a separate “Limit the Use of My Sensitive Personal Information” link or a combined, “clearly labeled” link on its homepage that allows the consumer to opt out of the sale of regular personal information along with limiting the use of sensitive personal information.
- Service provider and contractor obligations to assist with consumer rights. The CPRA requires that businesses pass through consumers’ requests to access or delete personal information or to limit the use of sensitive personal information (each with its own exceptions), and requires service providers and contractors to assist the business in complying with these requests, with similar notice requirements for third parties.
- Expanded lookback period for the right to know. For information collected after January 1, 2022, consumers can request information about the personal information that the business collected about them further back than the 12-month period provided in the CCPA, unless doing so would be impossible or involve a disproportionate effort.
- Reasonable Security. Although there has always been an obligation for a business to provide “reasonable security” for personal information under California Civil Code § 1798.81.5, the CPRA has now expressly incorporated this requirement into the CPRA.
- Data Minimization. Under the CPRA, the collection, use, and sharing of personal information must be limited to the information that is reasonably necessary and proportionate for the business to achieve the purposes for which the information was collected. Furthermore, businesses cannot retain personal information for a longer period than is reasonably necessary for the disclosed purposes.
- Additional privacy notice requirements. Many of the above new and modified rights and obligations must be disclosed to consumers in the business’s privacy notice, including the new right to limit the use of sensitive information, the right to correct inaccurate personal information, information about any automated decision making, and a disclosure of the business’s retention period for the personal information collected or the criteria used to determine the retention period.
- Audit Requirements. Under the CPRA, businesses will be required to perform privacy impact assessments and independent cybersecurity audits for “high risk” activities. Businesses must provide a risk assessment to the new California Privacy Protection Agency (CPPA) created under the CPRA. Businesses may be required to restrict their processing activities if the risks to consumers outweigh the benefits to the business and its stakeholders.
- Automated Decision Making and Profiling. The CPRA requires businesses to disclose meaningful information about their automated decision-making and profiling activities and provides consumers with the right to opt out of automated decision-making and profiling. Profiling uses automated processing to evaluate a consumer’s personal aspects and make predictions concerning the consumer’s performance at work, economic situation, health, preferences, interests, reliability, behavior, location, or movements.
- Opt-out signals for consumers under 16. The CPRA requires that the newly formed CPPA establish technical specifications for an opt-out signal that identifies consumers as being under 13 or between 13 and 16, to help obtain opt-in consent for the sharing or selling of those consumers’ personal information.
- Contractual Obligations. Like the GDPR’s contractual requirements, the CPRA requires businesses to enter into contracts with all third parties to whom the business discloses personal information. The CPRA obligates the business to ensure that the receiving party provides the same level of protection to the personal information as the business is required to provide under the CPRA and to allow the business to take reasonable and appropriate steps to remediate unauthorized use by the recipient. The recipient is also required to notify the business if it can no longer comply. These requirements are in addition to any contractual obligations necessary to avoid a disclosure being deemed a “sale” under the CPRA.
- Expansion of Safe Harbor. A business is not responsible for violations by its service providers, contractors, and, now, third parties if the business did not know or have reason to believe the service provider, contractor, or third party intended to commit a violation; however, this safe harbor does not extend to certain information that is subject to a consumer’s exercise of his or her rights under the CPRA or the exercise of a valid opt-in.
Enforcement Impacts
The CPRA creates a new enforcement agency and increases the potential liabilities for violations.
- California Privacy Protection Agency (CPPA). The CPRA creates the first agency in the United States focused solely on consumer privacy. The agency will implement and enforce the CPRA and have both subpoena and audit powers. In addition to taking over most of the enforcement powers from the California Attorney General’s office, it will also take over the Attorney General’s rulemaking authority. Beyond its enforcement powers, the CPPA will also be required to build public awareness about privacy risks and provide guidance to businesses and consumers about their rights and obligations under the CPRA. It is expected that the CPPA will be very zealous in enforcing the CPRA.
- Removal of the statutory cure period. The CPRA removes the statutory 30-day cure period before the California Attorney General (now the CPPA) can bring an enforcement action for any violation of the CPRA; however, the CPPA may provide a business with a time period to cure the alleged violation, at the agency’s discretion, taking into account a business’s lack of intent and voluntary efforts to remedy the violation.
- Potential fines. The CPRA keeps the potential administrative penalties of up to $2,500 per violation (or $7,500 per intentional violation) and increases the potential penalty to $7,500 for violations involving minors (i.e., when the business has actual knowledge that the consumer is under 16).
- Private rights of action. The CPRA extends consumers’ private right of action for failures to implement and maintain reasonable security measures that result in the compromise of personal information to include compromises of a consumer’s email address together with the security question or password that would permit access to the consumer’s account. Further, the added consumer rights and business obligations identified above may be the basis of civil claims, especially as support for claims of unfair business practices under California Business & Professions Code § 17200, et seq.
Action Steps
- Begin data mapping. Businesses should perform a data mapping exercise if they have not already done so to understand the types of data that they hold, how they protect it, the purposes for which they use it, and which vendors have access to that data.
- Update policies and procedures. Businesses should review their policies and procedures for the new CPRA requirements, including their data retention policies, information security policies, and consumer request response policies. Businesses that do not have such policies should begin to draft such policies.
- Update privacy notices to provide new required disclosures. Businesses should consider if they wish to offer consumer rights to all consumers or just California consumers and implement any differences in rights and disclosures.
- Perform a privacy impact assessment. Businesses should assess and document the risks associated with their processing of personal data and consider adopting additional security or privacy measures to further protect consumers’ privacy.
- Begin engagement with independent cybersecurity audit firms for high-risk processing. Businesses should consider getting an early start on cybersecurity audits to understand the audit process and have an opportunity to address any critical findings of such audits.
- Draft and adopt a data privacy addendum for use with third parties, including service providers and contractors. The CPRA requires that all personal information disclosures be subject to contractual obligations that protect personal information. Businesses should understand the scope of the third parties to whom they disclose personal information and begin to put amendments in place to continue to receive services from these third parties after the CPRA is in effect.
Conclusions
The CPRA makes significant changes to the California Consumer Privacy Act and is one of the most comprehensive privacy laws enacted in the United States to date. While it does not take full effect until January 1, 2023 (with the lookback period for the expanded right of access beginning earlier), businesses should begin preparations as soon as possible to avoid being non-compliant, especially given a new agency that will be committed to ensuring compliance with the CPRA and the removal of the cure period for regulatory actions.
For questions or additional information on this topic, please contact any of the authors or your Foley relationship partner.