The California Consumer Privacy Act (CCPA) is considered by many to be the most stringent state privacy law in the country. The CCPA, which may apply to businesses located in and outside of California, was signed into law on June 28, 2018, went into effect on January 1, 2020, and became enforceable on July 1, 2020. Although COVID-19 initially delayed the finalization of early regulations promulgated under the CCPA, California’s Supervising Deputy Attorney General has confirmed that letters have already been issued to noncompliant businesses.1 While the content of these compliance letters remains confidential, the Supervising Deputy Attorney General reported that the letters target a variety of different industries, mainly focused on online businesses that were missing key disclosures or a “Do Not Sell” link on their websites.2 Early enforcement efforts indicate buy-in from consumers. Indeed, the targets of the letters were identified, in part, through consumer-submitted complaints.3 Violations of the CCPA and the Attorney General regulations can result in regulatory penalties as articulated in Section 1798.155(a) of the CCPA. These penalties can range from $2,500 for each violation to $7,500 for each intentional violation after notice, and a 30-day opportunity to cure has been provided.
On November 3, 2020, California residents voted to approve the California Privacy Rights Act (CPRA or “Act”) via a referendum. First introduced on October 9, 2019, the then-proposed law quickly garnered the support it needed to make it onto the ballot for the November elections. The CPRA amends large portions of the CCPA primarily by expanding its scope and consumer rights. California Governor Gavin Newsom is expected to sign the Act into law, and while it revised many aspects of the CCPA, most of these revisions will not take effect until January 1, 2023,4 which gives businesses time to comply. Below are some notable provisions of the CPRA.
The new Act amends the types of organizations that are subject to the CCPA by revising existing threshold criteria, as well as adding new categories of organizations. The amendments introduced by the CPRA appear to be aimed at clarifying specific uncertainties regarding applicability under the CCPA.
The CPRA introduces several important changes to the definition of “business” under the CCPA, which identifies what organizations are subject to the law. First, the requirement that a business must gross annual revenues in excess of $25 million is now based on the previous year’s earnings.5 This requirement offers some much-needed clarity, as the CCPA did not previously indicate the time period relevant to the calculation of annual revenue. Second, the CPRA effectively excludes some smaller and medium-size businesses from regulation by doubling the amount of consumer or household data that a business must process in order to be regulated by the law.6 Originally, the CCPA required that a covered business had to process the data of 50,000 consumers or households.7 Now, that threshold has been raised to 100,000, potentially reducing the applicability of the law as it applies to smaller businesses.8 Third, the CCPA requirement that at least 50% of a business’s annual revenue must come from selling personal data was clarified to expressly include selling and sharing data.9 Although the CCPA’s definition of “selling” does not include the word “share,” a reasonable reading of the definition undoubtedly includes the act of sharing. The CPRA removes this potential loophole and any ambiguity surrounding the definition’s interpretation by including “sharing” in the language of the Act. Finally, the CPRA includes a new subset of entities to its definition of “business.”10 Any entity “with whom a business shares a consumer’s personal information” is also considered the same business.11 This extension to third parties is significant because it has the potential to greatly increase the number of entities and industries that are directly subject to the CCPA.
The CPRA introduces “sensitive personal information” as a whole new category of data that is separate from “personal information.”12 This new addition covers a broad range of data, including government IDs; login information; credit card numbers; “precise geolocation”; racial or ethnic origin; religious or philosophical beliefs; contents of mail, email and texts; genetic data; uniquely identifying biometric information; health care data; and information pertaining to sexual activities and preferences.13 Information that falls into the above categories, but is “publicly available” as defined by the Act,14 is not considered “sensitive information” for purposes of the law.15 The CPRA grants consumers enhanced control over this subset of data, including limitation on processing.16
The CPRA simplifies and broadens the definition of “service provider” to include an individual, organization, legal entity or “group of persons acting in concert”17 that processes information for a business pursuant to a written contract.18 The original definition under the CCPA included only legal entities organized for financial benefit that process personal information pursuant to a written contract. Additionally, the definition clarifies service provider compliance obligations.19 These obligations include a prohibition on selling or sharing consumer information, retaining personal information for any purpose outside of what is outlined by the written contract and combining the personal information with additional information it received from other sources.20I n contrast, the CCPA did not specify within its definition of “service provider” that selling or sharing was a prohibited activity, nor did it explicitly prevent service providers from combining personal information with other data.
Related to service providers, the CPRA introduces “contractors” as a new class of covered entity.21 Under the new law, a contractor is an entity for whom the business makes available a consumer’s personal information for a business purpose pursuant to a written contract.22 This is meant as a catchall provision for entities that obtain personal data from businesses, but do not necessarily “process” the data. This distinction appears to be for clarification purposes only, as the CPRA requires contractors to adhere to the same obligations that it imposes on service providers.23
The CPRA extends the CCPA’s personal information exceptions for employment and business-to-business contexts to January 1, 2023.24 A prior amendment to the CCPA initially created this exception that was set to expire on January 1, 2022, to give the legislature time to address concerns that the CCPA’s broad language would restrict processing of personal information during business communications and/or transactions. This is welcome news for companies that transfer large quantities of data to business partners or for those that routinely hire a large number of employees. While these areas will likely come under the CCPA’s purview in the future, companies can take advantage of the additional time to develop a sound internal policy with the possibility of helpful legislation being developed in the interim.
The CPRA introduces and amends several obligations for businesses that apply to different stages of the data lifecycle. Some additions, like the new obligation to “implement reasonable security procedures” to prevent unauthorized access, apply to use, modification and disclosure of personal information.25 The following are some of the new requirements:
Businesses are not the only class of actors with rights and obligations that have been affected by the CPRA. The new Act presents a variety of modified and new consumer rights, ultimately granting more control to consumers over the collection, use and dissemination of their information.
The CPRA introduces four notable amendments to existing consumer rights. First, the new Act now requires businesses to notify all third parties to delete consumer information, subject to certain exceptions (including impossibility or disproportionate effort, which are new).33 Originally, the CCPA required businesses to only inform service providers about deletion requests.3 Second, the CPRA expands the right to opt out of the sale of data to third parties to also cover instances where businesses “share” data with third parties.35 Third, the CPRA bolsters minors’ rights by extending existing opt-in rights to include the sharing of personal information for behavioral advertising purposes.36 Finally, the CPRA strengthens consumer rights concerning data portability.
Aside from expanding existing provisions, the CPRA adds important new rights to protect consumers. These include a new right to correction that allows consumers to request modification of inaccurate information;37 the right to opt out of automated decision-making technology (including “profiling” in evaluating work performance, financial health, consumer preference, location and behavioral characteristics); and the right to be informed of the underlying logic involved, among other things.38 Consumers can also request limitations on the use of their data.39
While the CPRA does not modify the private right of action established by the CCPA, the Act introduces important new enforcement measures. The CPRA establishes a new enforcement body – the California Privacy Protection Agency (CPPA) – charged with promulgating rules to enforce the CCPA through the administrative process.40 It also authorizes the Attorney General and the CPPA to regulate the identification of “business purpose[s],” update key definitions, establish when service providers and other third parties can combine personal information from multiple sources, and define data minimization procedures.41 Finally, in addition to existing penalties, the CPRA also imposes a $7,500 fine for each violation involving minors under the age of 16, which triples the typical civil penalty for a non-intentional violation and matches the civil penalty for each intentional violation.42
While the vast majority of the CPRA’s new provisions will not come into effect until January 1, 2023, businesses will likely need this time to develop and implement a compliance plan. To start preparing, companies should consider data minimization, consumer notification requirements, and contracting and monitoring obligations, among other things.