California Privacy Rights Act (CPRA) and the future of privacy law


Table of contents


At a glance

What the CPRA covers
How the CPRA differs from the CCPA
What the CPRA means for consumers and businesses
How the CPRA clarifies rights and tightens restrictions

Introduction to the CPRA

The California Consumer Privacy Act (CCPA) came into effect January 1st, 2020 and is the state’s current privacy law. However, it is already due to be expanded and amended by the California Privacy Rights Act of 2020 (CPRA), approved by California voters in November 2020. The CPRA will come into effect as of January 1st, 2023. It does not replace the CCPA, but is rather an update and addition to it. 


Given how quickly digital technologies develop, the three years between the commencement of the two Acts have provided plenty of opportunity for change.

What is the California Privacy Rights Act?

The California Privacy Rights Act is a state-level privacy law that applies to companies that provide services or conduct their business addressing California Residents. Companies don’t have to be headquartered there, though. The California Consumer Privacy Act (CCPA) and CPRA were the first state-level laws of their scope passed in the United States. They have already been influential over privacy bills and laws in other states.


The CPRA’s changes are significant, and some of the rights, regulations, and oversight are entirely new. The CPRA will bring California’s privacy laws a bit closer to the European Union’s General Data Protection Regulation (GDPR).

What are the biggest changes or updates from the CCPA?

The California Privacy Rights Act was not drafted entirely from scratch. It was designed to work in tandem with the CCPA, but will likely evolve to replace it over time.


The CPRA’s provisions bring greater clarity on inclusions and exemptions, take technology advancements since the CCPA was drafted into account, and position California privacy law to remain relevant and flexible well into the future.

Besides the newly introduced or altered rules, which are explained in detail below, one of the most important changes made within the CPRA is that it expands companies’ notice obligations. 


With the new change, companies must inform consumers “at or before the point of collection” of, among other information: whether personal information is sold or shared; how “sensitive personal information” is collected, processed and disclosed; and “the length of time the company intends to retain each category of personal information” or, if that is not possible, “the criteria used to determine such period”.

Consumer rights 


The CPRA retains consumers’ data privacy rights granted by the CCPA, and adds four new rights:


  • Right to Correction (to request and have inaccurate data collected about them be corrected)
  • Right to Restrict Sensitive Personal Information (to limit use of data categorized as sensitive personal information)
  • Right to opt-out of Automated Decision-making Technology (to opt out of the use of automated decision-making technology with regards to personal information)
  • Right to Access information about Automated Decision-making (to request information about automated decision-making and the likely outcomes of using such processes, specifically with regards to profiling)


The CPRA also expands or modifies five existing consumer rights:


  • To request personal information collected before the CPRA’s look-back period (the 12 months prior to January 1st, 2023) as long as it’s possible or not unreasonably difficult to provide 
  • To opt out of the sharing and sale of personal information to third parties 
  • To request and have data deleted by the company that collected it and by third parties who bought or received it (with some exceptions)
  • To request that a company port collected personal information to another entity (if technically feasible)
  • For minors’ personal information not to be shared or sold without explicit consent, and for them not to be asked for consent within 12 months of declining a company’s consent request.


Employee and B2B data


Under the CCPA, companies’ full-time staff, contractors, and applicants are classified as consumers. However, as employees they were not granted the same full rights within their companies as regular consumers who were just doing business with companies. 


The CPRA adds a distinction between employer/employee and consumer/business relationships, and notes employees’ particular privacy interests. Employees will also gain the same rights that regular consumers have had under the CCPA when the CPRA goes into effect. Until then, and continuing once the CPRA is enacted, employees do have the following rights:


  • To be notified when their personal information is collected
  • To bring a lawsuit against employers if their personal information is breached due to a lack of reasonable safeguards by the employer


The CPRA also extends the business-to-business exemptions in the CCPA until it enters into force. When the CPRA comes into effect, it will cover B2B data as personal information.

Sensitive Personal Information under the CPRA


The CCPA borrows from the California Civil Code for its definition of personal information. However, as some of the class action lawsuits resulting from the implementation of the CCPA have shown, specific definitions of “personal information” and the qualifier of “sensitivity” are contentious. 

To add clarity, the California Privacy Rights Act has created a new category of “Sensitive Personal Information” (SPI). Influenced by the GDPR, it’s more specific than previous definitions of “personal information”, and will be more strongly regulated. 


As with personal information under the CCPA, under the CPRA’s provisions companies have to limit their use of sensitive personal information to the extent that: “It is necessary to perform the services or provide the goods reasonably expected by an average consumer who requests such goods or services”. 


Companies that process sensitive personal information are required to implement either a “Limit the Use of My Sensitive Personal Information” link to enable consumers to exercise these rights, or a “single, clearly-labeled link if such link effortlessly allows a consumer to opt-out of the sale or sharing of the consumer’s personal information and to limit the use or disclosure of the consumer’s sensitive personal information.” 


SPI includes information that is not publicly available, including government records. It specifies a variety of physical, digital and identifying details about a person. Businesses will need to be able to segregate SPI from less regulated personal information with regards to its access and use.


Hard copy data defined as SPI (often used digitally but includes a tangible format like an ID card):


  • Passport number
  • Social Security Number
  • Driver’s license number
  • State identification card
  • Credit or debit card number (in combination with a password or access code enabling access to an account)
  • Contents of consumers’ mail, email, text messages (unless the business is the intended recipient)


Digital data defined as SPI:


  • Account logins (in combination with a password or access code enabling access to an account)
  • Precise geolocation
  • Genetic data
  • Biometric data (if its processing is intended to uniquely identify a consumer)


Additional personal identity data defined as SPI:


  • Racial or ethnic origin
  • Religious or philosophical beliefs
  • Union membership
  • Health information (and its analysis)
  • Sex life or sexual orientation information (and its analysis)

California Privacy Protection Agency (CPPA)


Another significant change that the California Privacy Rights Act introduces is the creation of the California Privacy Protection Agency (CPPA), which is a new enforcement agency with broad jurisdiction over personal data protection. This new body will have an appointed five-member board and a Chief Privacy Auditor.


In addition to the powers and responsibilities of administering the CCPA, which the California Attorney General’s office has handled to date, the CPPA will have both greater influence and greater obligations. The Agency will take over one of the biggest issues with the CCPA: interpretation of the Act. Questions of interpretation are central to many of the class action lawsuits filed since it came into effect.


The Agency will monitor data privacy and protection broadly, including evolving technology as well as legislation being passed in other US states and around the world. It will use this information to provide advice and technical assistance to the California state legislature. The CPPA will also coordinate their efforts with other states and countries.


The CPPA will become responsible for CCPA and CPRA compliance and enforcement, including conducting audits and levying fines. It will update the rules of the Acts as well as make new ones. Proactively, the CPPA will also educate consumers and businesses about privacy rights and responsibilities and promote them.


As the CPRA introduces mandatory risk assessments and cybersecurity audits for high risk activities, risk assessments will have to be submitted to the newly founded Agency. 


Not all companies or other organizations will be subject to the CCPA or CPRA. However, compliance with the Acts will demonstrate a commitment to best practices for consumers’ and business partners’ data privacy and security. To that end, the CPPA will also establish a mechanism for such organizations to self-certify their compliance.

What does the California Privacy Rights Act mean for consumers?

Consumer consent will take a larger role under the CPRA, including how it’s defined: the Act requires that consent be a “freely given, specific, informed and unambiguous indication of the consumer’s wishes”.


The CPRA also notes that:


“Acceptance of a general or broad terms of use or similar document that contains descriptions of personal information processing along with other, unrelated information, does not constitute consent. Hovering over, muting, pausing, or closing a given piece of content does not constitute consent. Likewise, agreement obtained through use of dark patterns does not constitute consent.”


Consumers do have responsibilities under the CPRA, in addition to their rights. They can’t go after just any business for anything they think is a data violation. Additionally, information that is publicly available is not considered regulated personal information under the Act. 


Consumer information that a business can reasonably believe to have lawfully been made public, or that consumers make public themselves, is not included. This includes disclosure to another person if access to the information was not restricted, including via “widely distributed media”. So individuals’ social media account settings become more important.


One notable inclusion in light of expanding applications of technology is that consumers’ biometric information – if collected by a business without consumer knowledge – is specifically not classified as “publicly available”. There are already CCPA class action lawsuits centered around this issue, so clarifying it in the CPRA is likely meant to help address that.

What does the California Privacy Rights Act mean for businesses?

The CCPA, while being a state-level law, has had national impact in many respects, since it applies to any company that meets its criteria and does business with California residents. Those companies could be in any state, or even other countries. This will continue with the CPRA.


What businesses does the California Privacy Rights Act affect?


The CPRA has changed the parameters of which businesses are required to comply. The CCPA applies to businesses that:


  • Have annual gross revenues exceeding $25 million USD, or
  • Receive, buy, or sell personal information of 50,000 or more consumers, households, or devices, or
  • Earn more than 50 percent of their annual revenue from the sale of consumers’ personal information


When it comes into effect in 2023, the CPRA will apply to businesses that:


  • Have annual gross revenues of the preceding calendar year exceeding $25 million USD, or
    • change: now specifies the revenue is from the “preceding calendar year”
  • Receive, buy, or sell personal information of 100,000 or more consumers or households, or
    • change: no longer includes “devices”, and the threshold is doubled from 50,000
  • Earn more than 50 percent of their annual revenue from the sharing or sale of consumers’ personal information
    • change: now specifies selling or sharing


The CPRA also alters the scope of other entities that are required to comply with the law. These are:


  • Commonly Controlled entities
  • Joint ventures (joint venture or partnership composed of businesses in which each business has at least a 40 percent interest)


The CPRA also expands the current opt-out right to include both “sale” and “sharing” of personal information, where sharing is read as the transfer or making available of a “consumer’s personal information by the business to a third party for cross-context behavioral advertising, whether or not for monetary or other valuable consideration.” Therefore, companies that fall into these criteria will have to implement opt-out procedures and a “Do Not Sell or Share My Personal Information” link.

How are business relationships with third parties affected?


Businesses’ use of collected consumer information will be further restricted under the CPRA, in particular how it can be shared with third parties and how it can be used for targeted or behavioral advertising. These restrictions tie in to those regarding sensitive personal information as well.


The CPRA defines what qualifies as a third party in business relationships, for example business partners, contractors, or service providers. Businesses must have contractual agreements with third parties. These contracts must include details like the new restrictions on disclosure, sharing, and sale of consumers’ information, as well as why the information is needed to do business. Companies also have to ensure that these third parties are in compliance with other relevant legislation.


How are consumer interactions and fines affected?


Companies will need to ensure they have sufficiently robust security policies and processes in place to avoid new penalties. Under the CPRA it will be easier for consumers to sue businesses that fail to adequately protect their data from unauthorized access, including breaches and theft. The “reasonableness” of companies’ security efforts depends on the volume and types of data they collect and use. 


The CPRA also eliminates the 30-day “cure” period that the CCPA allowed, during which companies could correct noncompliance issues and avoid penalties after being notified of them.


Fines for violations involving minors under age 16 have also been increased from $2,500 to $7,500 USD per violation. 


What will businesses have to communicate and how?


Processes and mechanisms to enable consumers (including employees) to exercise their new rights under the CPRA will need to be added or upgraded. This will include enabling consumers to:


  • Communicate their preferences on the collection, sharing, or sale of their data
  • Request to receive data that companies have on them
  • Request to have their data corrected or deleted


“Browsewrap agreements” will no longer be allowed under the CPRA. Those are legal agreements wherein websites have their terms and conditions listed somewhere, and by using the site you agree to those terms. Websites will require more explicit and documented user consent (“clickwrap agreements”), so visitors can expect to see even more consumer privacy- and consent-related banners and popups upon arriving at websites.


Companies will have to ensure their websites’ data privacy policies meet CPRA requirements regarding consumer requests about their data. Businesses will have to reasonably enable consumers to communicate preferences like opting out of the sharing or sale of their data. Further, consumers will have to be able to receive confirmation, via websites, that their requests have been fulfilled. Companies will need trained staff to manage these requests and actions.


Additionally, businesses will have to communicate to consumers how long they will retain collected data and track how long they have it, or, if the business isn’t able to do that, communicate how it determines its data retention period. This will enable enforcement of deletion or destruction of consumer data, whether by request or under CPRA rules, once the business no longer has a valid reason to retain it.


Data retention is an area that remains fairly loosely defined and regulated in the CPRA, so it is likely that clarity and tighter interpretation will develop over time via further regulations or case law.


This is not an exhaustive analysis of the changes that the CPRA will bring for businesses, but should give an idea of the areas it most focuses on and where businesses’ new and increased obligations will lie.

Conclusion

California’s privacy laws have already proven influential, as quite a few additional states have privacy bills in progress. Virginia passed its Consumer Data Protection Act, which both borrows from and in some ways goes further than the CCPA and CPRA. Some states’ proposed laws have been referred to as “copycat laws”, given they take content directly from California’s privacy acts.


The landscape for consumer privacy and doing business continues to change rapidly. The class action lawsuits resulting from the CCPA will contribute to that, as will further challenges once the CPRA comes into effect. In the European Union, there are calls for significant updates to the GDPR, in part due to new technologies since the beginning of its 2018 enforcement and the COVID-19 pandemic.


With the speed and volume of changes in compliance requirements for doing business and maintaining customer relationships and data privacy, it’s important to have expert advice.