California voters approved Proposition 24 on November 3, 2020, paving the way to the California Privacy Rights Act (CPRA). Starting in January 2023, CPRA will expand California consumers’ ability to limit the use of their personal information in the context of targeted advertising, beyond the rights already acquired under the current provisions of CCPA, and create additional rights for consumers. There will be, as well, additional obligations and restrictions for businesses related to the use of consumer’s personal information, including limits to data collection and retention, among other.
Unfortunately, this takes 52 pages of clauses that are anything but clear and easy to understand
In practice, the will be additional benefits for consumers, and additional administrative and financial burdens for businesses. CPRA is not really a CCPA 2.0. It introduces new concepts that have not yet permeated US laws, for example data minimization and retention limitation, which is likely to require most businesses within its scope to re-evaluate their activities and develop new processes beyond those that they may have just finished implementing to comply with CCPA.
CPRA is intended to replace the California Consumer Privacy Act (CCPA) in 2023. Most of CPRA will become operative on January 1, 2023, and the law will apply to personal information collected after January 1, 2022. There will be a 6-month delay between the effective date of the act and its enforcement, with enforcement actions commencing on July 1, 2023. In the meantime, CCPA will remain in full force and effect until it is superseded by CPRA.
New or Updated Definitions
CPRA changes existing definitions and introduces new terms. The most noticeable changes include the following:
Sharing
CPRA introduces “sharing” as an activity different from “selling”. “Sharing” is defined as disclosing, making available, transferring, or communicating a consumer’s personal information to a third party for “cross-context behavioral advertising”, whether or not for monetary or other valuable consideration. The new definition is especially relevant to affiliate advertising networks, advertisers and data brokers in the context of re-targeting and behavioral advertising, in which advertisements are targeted to a consumer based on information derived from information collected about that consumer’s activities across different websites, applications or services.
Business
CPRA revises the definition of “business”, i.e., those entities subject to the law. The current definition under CCPA identifies three threshold: gross revenue, number of records processed, and percentage of revenue from the sale of personal information compared to gross revenue. The threshold associated with the number of records purchased or sold is increased from 50,000 to 100,000, and the threshold associated with calculating the percentage of revenue from the use of personal information is now computed by combining both revenue from selling and revenue from “sharing” personal information.
Contractor; Service Provider
CPRA introduces the notion of “contractor” and updates the definition of “service provider” to keep the two definitions consistent. Under CPRA, a business “makes available” personal information to a “contractor” for a business purpose pursuant to a written contract that prohibits the contractor from selling or sharing the personal information and includes other restrictions.
The definition of Service Provider is modified to include the new concept of “sharing”. A service provider is a person that “receives personal information” from, or on behalf of, a business and processes the information on behalf of that business for a business purpose pursuant to a written contract that prohibits the service provider from selling or sharing the personal information and includes other restrictions.
Sensitive Information
CPRA creates the concept of “sensitive personal information”, which includes, among other, Social Security numbers and other identity-related information; financial account or payment card information in combination with access code; precise geolocation data; race, ethnic origin, religion; sexual orientation; genetic, biometric information when used to uniquely identify a consumer; and certain health information outside the context of HIPAA.
New Rights for Individuals
The CPRA introduces several new consumer rights. Some of these rights are similar to those found in most data protection laws, such as Canada’ PIPEDA or the EU General Data Protection Regulation. Examples of new rights include:
Right to Know what Personal Information is Sold or Shared
The right to know under CPRA is an expanded version of the “Right to Know” under CCPA. It is a consequence of the introduction of the concept of sharing personal information as a restricted activity. It will be important to keep in mind that the definition of “sharing” is limited to “cross-context behavioral advertising”.
Right to Opt-out of Information Sharing / Behavioral Advertising
Consumers will be granted the right to opt-out of information sharing with third parties for behavioral advertising across websites. This right supplements the pre-existing right to opt-out of the sale of personal information. The new provisions concerning the use of personal information for marketing purposes are detailed below.
Right to Limit the Use of Sensitive Information
Consumers will have the right to direct a business that collects sensitive personal information about them to limit its use of that information to that which is necessary to perform the services or provide the goods, as “reasonably expected by an average consumer who requests such goods or services”. The detail of the definition is left to upcoming Regulations.
Right of Correction
Consumers will have the right to request the correction of inaccurate information. Businesses that receive requests for correction will be required to use commercially reasonable efforts to correct inaccurate personal information, as directed by the consumer.
Right to Object to Automated Decision Making and Profiling
Consumers will have the ability to object to the use of their personal information for automated decision making and profiling. Profiling is defined as automated processing of personal information to evaluate certain aspects relating to a natural person, such as economic situation, health, personal preferences, interests, reliability, behavior, location, movements, or performance at work.
New Obligations for Businesses
The CPRA creates new obligations for businesses, some of them are similar to those found in other data protection laws, worldwide.
Updated Content of the Notices to Consumers
CCPA requires that different types of notices be provided to consumers at different stages of the interaction between the consumer and the business. CPRA modifies the content of these notices to match the new rights of consumers and obligations of businesses.
Retention Limitation
CPRA introduces a data retention requirement. CPRA makes it a “general duty” for a business that collects personal information not to retain personal information for longer than necessary for the purposes for which the personal information was collected. Businesses will also be required to inform consumers of the length of time they retain each category of personal information or if not possible, the criteria used to determine such period.
Data Minimization
Data Minimization is another “general duty” introduced by CPRA. CPRA requires that the collection, use, retention and sharing of personal information be “reasonably necessary and proportionate to achieve the purposes for which the personal information was collected or processed”, and prohibits the further processing of the data for a purpose incompatible with the disclosed purpose.
Reasonable Security Measures
CPRA significantly expands the obligation of businesses to implement reasonable security measures and practices for personal information. These measures are discussed later in this article.
Contract with Service Providers, Contractors and Third Parties
CPRA imposes mostly similar direct or contractual obligations on service providers and contractors and significantly expands those that are currently imposed under CCPA. As a result, businesses will have to review their contracts with their service providers and contractors to ensure these contracts contain all of the newly required provisions. Overall, the new data processing agreements will have significant similarities – and differences – with the corresponding provisions required by GDPR Article 28.
Use of Personal Information for Cross-Context Behavioral Advertising
One of the key changes from CCPA is the introduction of the term “sharing” as the practice of disclosing or communicating a consumer’s personal information for cross-context behavioral advertising, whether or not for monetary or other valuable consideration, including transaction between a business and a third party. Under CPRA, consumers will have the right to opt-out of the sharing of their personal information. This addition is likely to have a significant impact on businesses that use digital marketing techniques to target California consumers.
Security
CPRA gives security and security measures a more prominent place.
General Duty to Use Security Measures
First, CPRA makes it a general duty for businesses to implement reasonable security procedures and practices appropriate to the nature of the personal information to protect the personal information from unauthorized or illegal access, destruction, use, modification or disclosure. Regulations will be needed to clarify whether the obligation applies to all categories of personal data, or to a subset.
Security Audits and Privacy Risk Assessments
CPRA will also impose security audits and privacy risk assessments in certain circumstances. At this point, there is limited detail, and CPRA points to upcoming Regulations but provides minimal guidance, limited to a handful of general requirements. These obligations with apply only to businesses whose processing of consumers’ personal information “presents a significant risk to consumers’ privacy or security”.
Security Breaches
CCPA provides for a limited private right action in the event of a data breach for failure to provide adequate security, and statutory damages in case of a data breach affecting certain categories of personal information. CPRA makes a minor addition to the type personal information that may trigger action for damages: unauthorized access to an email address in combination with a password or security question.
Children
CPRA increases the protection of personal information of children under the age of 16 by tripling the statutory amounts currently imposed by the CCPA. CCPA §1798.155(b) as amended by CPRA will impose penalties up to $7,500 for “violations involving the personal information of consumers whom the business, service provider, contractor or other person has actual knowledge is under 16 years of age”.
California Privacy Protection Agency
CPRA establishes the California Privacy Protection Agency (CPPA) as a regulatory body with full administrative power and jurisdiction, to enforce any CPRA violations. The CPPA will enforce consumer privacy laws and impose fines. Among its numerous responsibilities and powers, the CPPA will be responsible for providing guidance to businesses regarding their duties and responsibilities, and appoint a “Chief Privacy Auditor” to conduct audits of businesses to ensure compliance with the law and its regulations.
Employee and B2B Exceptions
While most provisions of CPRA will enter into force in January 2023, several provisions have an effective date of January 1, 2021. As a results of amendments to CCPA adopted in October 2019, CCPA contains partial exemptions for the handling of personal information collected in an Employer / Employee relationship (employees, job applicants and independent contractors), and information obtained in the context of a B2B relationship. That exemption, which took employee and independent contractors, and information collected in the context of a B2B relationship out of the scope of the application of CCPA, was due to expire as of January 1, 2021. CPRA extends that moratorium period through the end of 2022.
Rulemaking
CPRA requires the development of regulations on a wide range of topics relating to definitions, exemptions, technical specification for opt-out preference signals, automated decision making, cybersecurity audits, risk assessments, and monetary thresholds for the definition of a “business”. The final regulations must be adopted by July 1, 2022.
Conclusion
California voters have approved Proposition 24, and CPRA is here to stay. Starting in January 2023, CPRA will expand California consumers’ ability to limit the use of their personal information in the context of targeted advertising,. But, CPRA does more than just that. It has significant implications for privacy and data management as they exist currently in the United States. It creates a significant paradigm shift towards concepts found in most privacy laws worldwide, outside the United States.
CPRA imposes specific new restrictions on data collection and data retention, making them part of the “general duties” of businesses that collect personal information of California consumers. Both concepts, which were shaped in the 1970’s and laid down in the 1980 OECD Privacy Principles. While they have been an integral part of most foreign privacy laws, worldwide, for decades, United States laws, for most parts, have stay away from these restrictions, allowing enterprises to collect and retain large amounts of data, so long as they disclosed these practices in their privacy notices.
Requiring data minimization and storage limitation paves the way for drastic changes to the framework in which personal data is collected and processed, and the way businesses monetize personal information in the United States. These changes will require that businesses assess the nature and scope of their personal information collection and use practices, and balance those activities against their actual needs or legal obligations, to determine whether they can justify why certain information is needed or why it stored longer than necessary.