One of the most impactful changes is the creation of the California Privacy Protection Agency.
On November 3, 2020, California voters approved the California Privacy Rights Act (“CPRA” or the “Act”). The CPRA is sometimes referred to as “CCPA 2.0” because it includes a number of revisions to the California Consumer Privacy Act (CCPA) while adding new privacy and security obligations for covered businesses. The revisions bring the CCPA closer to the European Union’s General Data Protection Regulation (GDPR) by adding a right to correction, restrictions on the collection and retention of data, a special category of “sensitive data,” rights relating to automated decision making, expanding security requirements and creating a dedicated privacy authority. The substantive provisions become operable on January 1, 2023, and enforceable on July 1, 2023. Enforcement shall only apply to violations occurring on or after July 1, 2023.
Key provisions of CPRA include:
Extends Exemption for B2B and Employee Data
The current exemption for all business-to-business data and partial exemption for employee data will be extended to January 1, 2023. Covered employers are still required to provide applicants, employees and contractors with an initial disclosure, at or before the point of collection, identifying the categories of personal information collected and the purposes for which the categories of personal information shall be used. Employees may also have a right to statutory damages in the event of a data breach caused by a failure to implement reasonable security measures. See our Alert for more detailed information on the scope of employer obligations under the CCPA.
Creation of the California Privacy Protection Agency
One of the most impactful changes is the creation of the California Privacy Protection Agency. This is a new administrative agency responsible for enforcing compliance with the CCPA. Enforcement is currently handled by the California attorney general. The attorney general has admitted to having limited resources to enforce the CCPA and may only be able to bring a few cases a year. Having a dedicated enforcement agency means that enforcement is more likely to be a reality for companies. The agency is required to adopt final regulations required under the CPRA by July 1, 2022. Enforcement of the CPRA provisions shall not commence until July 1, 2023.
Special Categories of Sensitive Personal Information
The Act adds a new category of “sensitive personal information.” Sensitive personal information includes: Social Security, driver's license, state identification card or passport number; account log-in, financial account, debit card or credit card number in combination with any required security or access code, password or credentials allowing access to an account; precise geolocation; racial or ethnic origin, religious or philosophical beliefs or union membership; contents of a consumer's mail, email and text messages unless the business is the intended recipient; genetic and biometric information; consumer health information; and sexual orientation.
Privacy notices must identify categories of sensitive personal information collected, purposes for which the information is collected or used, and whether such information is sold or shared. Consumers have the right to limit the use of their sensitive personal information to that which is necessary to provide them with goods and services. Business that sell or share sensitive personal information may be required to provide a clear and conspicuous link on the business' internet homepage(s), titled "Limit the Use of My Sensitive Personal Information" or a clear and conspicuous link that combines the “Do Not Sell My Personal Information” and “Limit Use of My Sensitive Personal Information” links.
Additional Limitations and Contractual Requirements for Service Providers and Contractors
The Act adds the category of “contractors,” which is highly similar to “service providers.” It appears that contractors receive information from a business for a business purpose, while service providers are processing information on behalf of the business. Contractors have an additional certification requirement. The Act increases limitations on the use of personal information by service providers and contractors and adds new contractual requirements. The Act explicitly requires service providers and contractors to cooperate in responding to verified requests and to notify their own service providers and contractors to delete personal information upon receipt of a request. Additionally, if service providers or contractors engage their own service providers or contractors, they must notify the business and have a written agreement that complies with all service provider or contractor requirements.
Limitations on Cross-Context Behavioral Advertising
The Act introduces the concept of “sharing,” which specifically relates to disclosure of information for the purposes of cross-context behavioral advertising. Businesses will need to identify categories of personal information that are shared, the business purposes for sharing and the categories of third parties to whom the personal information was shared. Consumers have the right to opt out from any sharing of their personal information, and businesses cannot share information for consumers under the age of 16 without opt-in consent (though it is unclear how this may be determined in practice). A business that shares information must provide a clear and conspicuous link on its homepage, titled “Do Not Sell or Share My Personal Information.”
Limitations on Processing and Retention of Personal Information
The Act requires that data collection, use, retention and sharing be reasonably necessary and proportionate to achieve the purposes for which the personal information was collected or processed. A business must notify consumers of the length of time it intends to retain each category of personal information or, if that is not possible, then the criteria that will be used to determine such period and shall not retain the information longer that is reasonable necessary.
Increased Security Requirements
The Act requires reasonable security measures be implemented to protect all personal information, expanding the current requirements, which are limited only to the protection of certain categories of information. Notably, the Act also requires the California Privacy Protection Agency to issue regulations for certain categories of businesses whose processing presents a significant risk to consumer privacy or security to: (i) perform an annual security audit; (ii) submit a risk assessment to the agency on a regular basis.
Right to Correct Inaccurate Information
The Act provides consumers with the right to correct inaccurate personal information. A business must make two or more methods available for submitting such requests.
Automated Decision-Making Technology
Although the Act does not include any restrictions on automated decision-making, it includes a requirement that the California Privacy Protection Agency issue regulations governing access and opt-out rights with respect to the use of automated decision-making technology, including profiling and requiring responses to access requests to include meaningful information about the logic involved in such decision-making processes and a description of the likely outcome of the process with respect to the consumer.
Definition of a Covered Business
The Act also modifies the definition of a covered business by increasing one of the qualifying criteria from collecting, using or sharing 50,000 California consumers to 100,000, which may be helpful to small business and startups.
For More Information
If you have any questions about this Alert, please contact Michelle Hon Donovan, Sandra A. Jeskie, any of the attorneys in our California Consumer Privacy Act Group or the attorney in the firm with whom you are regularly in contact.
Disclaimer: This Alert has been prepared and published for informational purposes only and is not offered, nor should be construed, as legal advice. For more information, please see the firm's full disclaimer.