California Privacy Rights Act (CPRA) and the future of privacy law

From January 1st, 2023, the CPRA modifies and expands the CCPA, evolves consumers’ rights, and creates a watchdog agency.
Published by Usercentrics
14 mins to read
Aug 11, 2021


Introduction to the CPRA

The California Consumer Privacy Act (CCPA) came into effect January 1st, 2020 and was the first comprehensive consumer privacy law in California, as well as the first such state-level privacy law in the United States. January 1st, 2023 sees amendment and expansion of the CCPA by the California Privacy Rights Act of 2020 (CPRA), which was approved by California voters as Proposition 24 in November 2020. The three years between the commencement of the two Acts have seen significant evolution in the regulatory and technology landscapes.

What is the California Privacy Rights Act?

The California Privacy Rights Act is a state-level privacy law that applies to companies that provide services to or conduct business with California residents. Companies don’t have to be headquartered in California, though. The CCPA was the first state-level privacy law in the United States, and influential over privacy bills and laws in other states.

The changes that the CPRA brings are significant, and some of the rights, regulations, and oversight are entirely new. The CPRA will bring California’s privacy laws a bit closer to the European Union’s General Data Protection Regulation (GDPR).

What are the biggest changes or updates from the CCPA?

The California Privacy Rights Act was not drafted entirely from scratch. It was designed to amend and work in tandem with the CCPA, but will likely evolve to replace it over time.

The CPRA’s provisions bring greater clarity on inclusions and exemptions, take technology advancements since the CCPA was drafted into account, and position California privacy law to remain relevant and flexible well into the future.

Besides the newly introduced or altered rules, which are explained in detail below, one of the most important changes made within the CPRA is that it expands companies’ notice obligations.

With the change, companies must inform consumers “at or before the point of collection” whether personal information is sold or shared; how “sensitive personal information” is collected, processed and disclosed; and “the length of time the company intends to retain each category of personal information” or, if that is not possible, “the criteria used to determine such period”, among other information.

Consumer rights

The CPRA retains consumers’ data privacy rights granted by the CCPA, and adds four new rights:

  • Right to Correction (to request and have inaccurate data collected about them be corrected)
  • Right to Restrict Sensitive Personal Information (to limit use of data categorized as sensitive personal information)
  • Right to Access information about Automated Decision-making (to request information about automated decision-making and the likely outcomes of using such processes, specifically with regards to profiling)
  • Right to opt-out of Automated Decision-making Technology (to opt out of the use of automated decision-making technology with regards to personal information)

The CPRA also expands or modifies five existing consumer rights:

  • To request personal information collected beyond the CCPA’s 12-month look-back window, as long as providing it is not impossible and does not involve a disproportionate effort (this applies to personal information collected on or after January 1st, 2022)
  • To opt out of the sharing and sale of personal information to third parties
  • To request and have data deleted by the company that collected it and by third parties who bought or received it (with some exceptions)
  • To request that a company port collected personal information to another entity (if technically feasible)
  • For minors’ personal information not to be shared or sold without explicit consent, and for them not to be asked for consent within 12 months of declining a company’s consent request

Employee and B2B Data

Under the CCPA, companies’ full-time staff, contractors, and applicants are classified as consumers. However, under a temporary exemption, employees were not granted the same full rights within their companies as regular consumers doing business with those companies. During the exemption they retained only two rights:

  • To be notified when their personal information is collected
  • To bring a lawsuit against an employer if their personal information is breached due to a lack of reasonable safeguards by the employer

The CPRA adds distinction between employer/employee and consumer/business relationships, and notes employees’ particular privacy interests. Once the exemption expires on January 1st, 2023, employees have the same rights that regular consumers have had under the CCPA, in addition to the two above.

The CPRA also extends the CCPA’s business-to-business (B2B) exemption until the CPRA enters into force on January 1st, 2023. From that date, B2B contact data is covered as personal information.

Sensitive Personal Information under the CPRA

The CCPA, codified in the California Civil Code, defines personal information broadly. However, as some of the class action lawsuits resulting from the implementation of the CCPA have shown, the specific boundaries of “personal information” and the qualifier of “sensitivity” are contentious.

To add clarity, the California Privacy Rights Act has created a new category of “Sensitive Personal Information” (SPI). Influenced by the GDPR, it’s more specific than previous definitions of “personal information”, and will be more strongly regulated.

Under the CPRA’s provisions, consumers can direct companies to limit their use of sensitive personal information to that which “is necessary to perform the services or provide the goods reasonably expected by an average consumer who requests such goods or services”.

Companies that process sensitive personal information are required to implement either a “Limit the Use of My Sensitive Personal Information” link to enable consumers to exercise these rights or a “single, clearly-labeled link if such link effortlessly allows a consumer to opt-out of the sale or sharing of the consumer’s personal information and to limit the use or disclosure of the consumer’s sensitive personal information.”

SPI does not include information that is publicly available, such as information lawfully made available from government records. It covers a variety of physical, digital, and identifying details about a person. Businesses will need to be able to segregate SPI from less regulated personal information with regards to its access and use.

Identifiers and content defined as SPI (often used digitally, but typically also existing in a tangible form such as an ID card):

  • Passport number
  • Social Security Number
  • Driver’s license number
  • State identification card
  • Credit or debit card number (in combination with a password or access code enabling access to an account)
  • Contents of consumers’ mail, email, text messages (unless the business is the intended recipient)

Digital data defined as SPI:

  • Account logins (in combination with a password or access code enabling access to an account)
  • Precise geolocation
  • Genetic data
  • Biometric data (if its processing is intended to uniquely identify a consumer)

Additional personal identity data defined as SPI:

  • Racial or ethnic origin
  • Religious or philosophical beliefs
  • Union membership
  • Health information (and its analysis)
  • Sex life or sexual orientation information (and its analysis)

California Privacy Protection Agency (CPPA)

Another significant change with the California Privacy Rights Act is the creation of the California Privacy Protection Agency (CPPA). This is a new enforcement agency with broad jurisdiction over personal data protection. This new body has an appointed five-member board and a Chief Privacy Auditor.

The CPPA takes over administration of the CCPA, which the California Attorney General’s office has handled to date, and of the CPRA, and it has both greater influence and greater obligations. The Agency also takes on one of the biggest issues with the CCPA: interpretation of the Act, which has been central to many of the class action lawsuits filed since it came into effect.

The Agency monitors data privacy and protection broadly, including evolving technology as well as legislation being passed in other US states and around the world. It uses this information to provide advice and technical assistance to the California state legislature. The CPPA also coordinates their efforts with other states and countries.

The CPPA is responsible for CCPA and CPRA compliance and enforcement, including conducting audits and levying fines. It updates the existing regulations under the Acts and issues new ones. Proactively, the CPPA also provides education about and promotion of privacy rights and responsibilities to consumers and businesses.

Also, the CPRA directs the Agency to issue regulations requiring businesses whose processing presents significant risk to consumers’ privacy or security to perform regular cybersecurity audits and risk assessments, with the risk assessments submitted to the Agency.

Not all companies or other organizations are subject to the CCPA or CPRA. However, compliance with the Acts demonstrates a commitment to best practices for consumers’ and business partners’ data privacy and security. To that end the CPPA also establishes a mechanism for such organizations to be able to self-certify their compliance.

What does the California Privacy Rights Act mean for consumers?

Consumer consent takes a larger role under the CPRA, including how it’s defined, which requires that it be a “freely given, specific, informed and unambiguous indication of the consumer’s wishes”.

The CPRA also notes that:

“Acceptance of a general or broad terms of use or similar document that contains descriptions of personal information processing along with other, unrelated information, does not constitute consent. Hovering over, muting, pausing, or closing a given piece of content does not constitute consent. Likewise, agreement obtained through use of dark patterns does not constitute consent.”

Consumers do face limits under the CPRA, in addition to their rights. The private right of action remains confined to data breaches caused by a business’s failure to maintain reasonable security, so consumers can’t sue just any business for anything they think is a data violation; other violations are enforced by the Agency and the Attorney General. Additionally, information that is publicly available is not considered regulated personal information under the Act.

Consumer information that a business can reasonably believe to have lawfully been made public, or that consumers make public themselves, is not included. This includes disclosure to another person if access to the information was not restricted, including via “widely distributed media”. So individuals’ social media account settings become more important.

One notable inclusion in light of expanding applications of technology is that consumers’ biometric information — if collected by a business without consumer knowledge — is specifically not classified as “publicly available”. There have been CCPA class action lawsuits centered around this issue, so clarifying it in the CPRA is likely meant to help address that.

What does the California Privacy Rights Act mean for businesses?

The CCPA, while being a state-level law, has had national impact in many respects, since it applies to any company that meets its criteria and does business with California residents. Those companies could be in any state, or even other countries. This will continue with the CPRA.

What businesses does the California Privacy Rights Act affect?

The CPRA has changed the parameters of which businesses are required to comply. The CCPA applies to businesses that:

  • Have annual gross revenues exceeding $25 million USD, or
  • Receive, buy, or sell personal information of 50,000 or more consumers, households, or devices, or
  • Earn more than 50 percent of their annual revenue from the sale of consumers’ personal information

The CPRA applies to businesses that:

  • Have annual gross revenues exceeding $25 million USD
    • change: now specifies the revenue is from the “preceding calendar year”

or

  • Receive, buy, or sell personal information of 100,000 or more consumers or households
    • change: no longer includes “devices”, also doubled from 50,000

or

  • Earn more than 50 percent of their annual revenue from the sharing or sale of consumers’ personal information
    • change: now specifies selling or sharing

It is also noteworthy to take into consideration that the CPRA has altered the scope of other entities that are required to comply with the law. These are:

  • Commonly Controlled entities
  • Joint ventures (joint venture or partnership composed of businesses in which each business has at least a 40 percent interest)

The CPRA also expands the current opt-out right to include both “sale” and “sharing” of personal information, where sharing is read as the transfer or making available of a “consumer’s personal information by the business to a third party for cross-context behavioral advertising, whether or not for monetary or other valuable consideration.” Therefore, companies that sell or share personal information have to implement opt-out procedures and a “Do Not Sell Or Share My Personal Information” link.

How are business relationships with third parties affected?

Businesses’ use of collected consumer information is further restricted under the CPRA. In particular, how it can be shared with third parties and how it can be used for targeted or behavioral advertising. These restrictions tie in to those regarding sensitive personal information as well.

The CPRA defines what qualifies as a third party in business relationships. For example, business partners, contractors, or service providers. Businesses must have contractual agreements with third parties. These contracts must include details like the new restrictions on disclosure, sharing, and sale of consumers’ information, as well as why it’s needed to do business. Companies also have to ensure that these third parties are in compliance with the relevant legislation.

How are consumer interactions and fines affected?

Companies need to ensure they have sufficiently robust security policies and processes in place to avoid new penalties. Under the CPRA it is easier for consumers to sue businesses that fail to adequately protect their data from unauthorized access, including breaches and theft: the private right of action now also covers a breach of an email address in combination with a password or security question and answer that would permit access to the account. The “reasonableness” of a company’s security efforts depends on the volume and types of data it collects and uses.

The CPRA also eliminates the 30-day “cure” period that the CCPA allowed before the Attorney General could bring an enforcement action, during which companies could correct noncompliance issues after being notified of them. The separate 30-day notice-and-cure period that precedes a consumer’s lawsuit for statutory damages after a breach remains.

Fines for violations involving minors under age 16 have also been increased from $2,500 to $7,500 USD per violation.

What will businesses have to communicate and how?

Processes and mechanisms to enable consumers (including employees) to exercise their new rights under the CPRA need to be added or upgraded. This includes enabling consumers to:

  • Communicate their preferences on the collection, sharing, or sale of their data
  • Request to receive data that companies have on them
  • Request to have their data corrected or deleted

“Browsewrap agreements” cannot establish consent under the CPRA. Those are legal agreements wherein websites have their terms and conditions listed somewhere, and by using the sites you are deemed to agree to those terms. Websites require more explicit and documented user consent, so visitors can expect to see even more consumer privacy- and consent-related banners and popups upon arriving at websites (aka “clickwrap agreements”).

Companies have to ensure their websites’ data privacy policies meet CPRA requirements regarding consumer requests about their data. Businesses have to reasonably enable consumers to communicate preferences like opting out of the sharing or sale of their data. Further, consumers have to be able to receive confirmation, via websites, that their requests have been fulfilled. Companies need trained staff to manage these requests and actions.

Additionally, businesses have to communicate to consumers how long they will retain collected data and track how long they have it. Or, if the business isn’t able to do that, it has to communicate how it determines its data retention period. This enables enforcement of deletion or destruction of consumer data, whether by request or under CPRA rules, once the business no longer has a valid reason to retain it.

Data retention is an area that remains fairly loosely defined and regulated in the CPRA, so it is likely that clarity and tighter interpretation will develop over time via further regulations or case law.

This is not an exhaustive analysis of the changes that the CPRA brings for businesses, but gives an idea of the areas it most focuses on and where businesses’ updated and increased obligations lie.

Conclusion

California’s privacy laws have already proven influential, as quite a few additional states have privacy bills in progress. For example, Virginia has its Consumer Data Protection Act, which both borrows from and in some ways goes further than the CCPA and CPRA. Some states’ proposed laws have been referred to as “copycat laws”, given they take content directly from California’s privacy acts.

The landscape for consumer privacy and doing business continues to change rapidly. The class action lawsuits resulting from the CCPA will continue to contribute to that, as will further challenges resulting from the CPRA. In the European Union, there are calls for significant updates to the GDPR, in part due to new technologies since its 2018 adoption and the COVID-19 pandemic.

With the speed and volume of changes in compliance requirements for doing business and maintaining customer relationships and data privacy, it’s important to have expert advice. Get in touch with one of our experts today.