The California Privacy Rights Act (“CPRA”) is a proposed privacy regulation that has been approved to appear on the November ballot in California. If passed, it would prompt massive changes to privacy and data protection rights for California residents and obligations for businesses operating in California. You might be asking: Where did this bill come from and what’s in it? VeraSafe can help to break it down for you.
History of the CPRA
The CPRA is a private initiative created by Californians for Consumer Privacy, a privacy advocacy group headed by, among other leaders, Alastair Mactaggart. Mactaggart previously drafted the 2018 ballot initiative that was ultimately replaced by the California Consumer Privacy Act (“CCPA”). The CPRA is now qualified and approved to appear on the November 2020 ballot in California. If preliminary polling holds true, the vast majority of Californians support the bill and it will likely become law.
The CPRA is designed to adapt terminology and address perceived gaps and weaknesses in the CCPA. Many of these proposed changes would more closely align the CCPA with the European General Data Protection Regulation (“GDPR”). If passed, the CPRA provisions must be implemented by January 1, 2023.
The CPRA contains a huge number of proposed changes. In the interest of keeping this article’s length reasonable, we will focus on what we believe to be the updates that will have the most substantial effects on businesses and individuals. To address these changes in an organized way, we first look at the new and updated terms proposed by the CPRA and will then shift to how the CPRA will affect businesses, consumers, enforcement activity, and third parties.
Definitions in the CPRA
The CPRA proposes several new terms, including “sharing,” “sensitive personal information,” and “contractor.”
“Sharing” is any form of communicating personal information to a receiving entity for cross-context behavioral advertising, whether or not for anything of value. This means that if a business shares personal information with another entity and that personal information is used for targeted advertising, the business has “shared” that personal information.
“Sensitive personal information” is a new sub-category of personal information that includes i) any government identification number (including social security, passport number, driver’s license number, etc.); ii) account log-in, financial account information, or payment card number combined with any required credentials to access an account; iii) precise geolocation; iv) racial or ethnic origin, religion, or union membership; v) contents of consumer mail, email, or text unless the business is the intended recipient of the communication; and vi) genetic, biometric, health, or sex life/sexual orientation data. Sensitive personal information cannot be used or disclosed for any purpose that is not necessary for providing the requested goods and services unless the consumer has been provided a right to limit this disclosure or use. Please note that provision of advertising or marketing services or internal research are not considered to be “necessary” in this context.
A “contractor” is a person to whom the business makes available personal information for a business purpose under a written contract that i) prohibits sharing or selling personal information or retaining, using, or disclosing it for any purpose other than the business purpose and prohibits combining the personal information with information from other sources; ii) includes a commitment to comply with the written restrictions in the contract; and iii) permits the business to monitor contractor compliance. For the sake of clarity, we will refer to any service providers, contractors, or third parties that businesses sell personal information to, share personal information with, or otherwise disclose personal information to as “receiving entities.”
Businesses Under the CPRA
Changes affecting businesses under the CPRA vary — some may help businesses and some impose additional obligations. The vast majority of changes proposed under the CPRA will directly affect businesses.
One of the beneficial changes proposed under the CPRA adjusts the threshold for what entities will be considered a “business.” The CPRA states that a business is a for-profit entity that determines the means and processing of consumers’ personal information, does business in California, and either i) had annual gross revenues over twenty-five million dollars in the previous calendar year; ii) annually buys, sells, or shares personal information of 100,000 or more consumers or households (as opposed to the 50,000 under the CCPA); or iii) derives 50% or more of its annual revenue from selling or sharing personal information. This shifted threshold may allow some small businesses to avoid falling under CCPA and CPRA requirements.
Another helpful change is that while businesses must notify any receiving entities of consumer requests to delete or correct personal information or to opt out of selling, sharing, or processing of such personal information, the liability for complying with those requests now rests with the receiving entity.
However, there are several additional obligations imposed on businesses as well. Businesses that control the collection of personal information (meaning that they either collect the personal information themselves or other parties collect it on that business’s behalf) must provide notice of collection to the consumer at the point of collection. The notice must include i) the categories of both standard and sensitive personal information being collected; ii) the purposes of collection for both standard and sensitive personal information; iii) whether any of those categories of information are sold or shared; and iv) the length of time each category of information is retained or the criteria for determining the retention period. The notice should be delivered in the form in which the information is collected (through a prominent link on the homepage if collected electronically, in a physical notice if collected in a physical location, etc.).
In addition to the notice mentioned above, businesses must disclose all consumer rights to the consumers, must use reasonable efforts to correct inaccurate information when requested, and must notify all receiving entities to respond to consumer requests for deletion, correction, or opt out of sale or sharing of their personal information. The “Do Not Sell My Personal Information” links must be updated to read “Do Not Sell or Share My Personal Information” and must still be prominently displayed on the business’s home page. An additional required link, reading “Limit the Use of My Sensitive Personal Information,” must be implemented as well. These links may be located in the same location on the business’s website so long as they are still prominent, easy to locate, and easy for consumers to use.
Businesses must have written contractual relationships with all entities that personal information is sold to or shared with. Those contracts must i) specify the limited and specified purposes for which the personal information is being sold, shared, or disclosed; ii) obligate the receiving entity to comply with obligations under the CCPA and CPRA; iii) grant the business rights to take reasonable steps to ensure that the receiving entity uses the personal information in a manner consistent with the business’s obligations; iv) require the receiving entity to notify the business if it can no longer meet these obligations; and v) grant the business the right to stop and remediate any unauthorized use.
Finally, businesses must implement reasonable security procedures and practices appropriate to the nature and sensitivity of the personal information. Similar to the “reasonable security” standard implemented by other states, this requirement does not mandate specific technical or security measures, but leaves it to the business to determine what is appropriate, given the nature and volume of personal information processed.
CPRA Consumer Rights
The CPRA proposes additional rights for consumers, including the right to correct incorrect personal information, the right to limit the use or disclosure of sensitive personal information, and the right to opt out of sharing, in addition to the previously-established right to opt out of the sale of personal information. The “right to know” — recently established by the CCPA — has also been modified. Under the CCPA, the “right to know” allows consumers the right to obtain a copy of all personal information a business has collected relating to them for the twelve month period preceding the request. The CPRA extends this to include all of a consumer’s personal information collected by a business from January 1, 2022 onward (keeping in mind that the CPRA will be implemented January 1, 2023). When consumers request a copy of their personal information undergoing processing, the personal information must be delivered to the consumer in an easily understandable, commonly used, and machine-readable format.
Enforcement of the CPRA
The CPRA would create an entirely new agency of the government of the State of California, the California Privacy Protection Agency, which would be tasked exclusively with promulgating CCPA rules, issuing guidance, and enforcing the CCPA through administrative proceedings. The existence of this dedicated enforcement agency is likely to greatly increase the volume of enforcement actions undertaken .
In addition, the CPRA proposes removing the current thirty day grace period for businesses to cure violations, meaning that violations would be subject to enforcement action immediately. A new penalty of $7,500 per violation involving consumers known to be under sixteen years old would also be implemented. Finally, the business-to-business and human resources data exemptions would be extended until January 1, 2023.
Under the CPRA, service providers and contractors are explicitly required to cooperate with data subject rights requests for deletion, correction, or opt-out of sharing or selling their personal information, including by notifying their respective receiving entities that those entities are required to comply with the request as well.
Any business that acts in some cases as a business and in some cases as a service provider is prohibited from combining personal information collected in these different roles.
What Does This Mean?
The CPRA could mean significant changes for companies doing business in California. However, there is no guarantee that the CPRA will be passed and there may yet be textual changes or additional guidance issued well before the CPRA goes into effect. If you have any questions about this proposed regulation and how it may affect your business, please contact VeraSafe today.