On January 1, 2023, the California Privacy Rights Act (CPRA) comes into effect, changing the scope of the California Consumer Privacy Act (CCPA), a comprehensive data privacy law that went into effect on January 1, 2020. The CPRA may apply to businesses located in and outside of California that conduct business with California consumers. Our earlier client alert regarding the CCPA and the CPRA, titled “California Law Expands the California Consumer Privacy Act,” can be found on the Phillips Lytle website.
Key Changes to the CCPA
The CPRA amends the rights granted to individuals and the obligations imposed on covered businesses. We highlight some of those changes below.
Definition of Covered Businesses
Whereas the CCPA currently applies to companies that annually buy, receive, sell or share the personal information of more than 50,000 consumers or households, among other threshold criteria, the CPRA increases this threshold to 100,000 consumers or households.
Covered businesses could also include businesses that derive 50% or more of their annual revenue from sharing personal information (and not just from the sale of such information, as set forth in the CCPA). The CPRA may resolve the uncertainty surrounding the CCPA’s definition of “sale,” which arguably already included sharing the information, by expressly adding the terms “share,” “shared” and “sharing.” These are defined as a business making available, or otherwise communicating, a consumer’s personal information to a third party for cross-context behavioral advertising, i.e., targeting advertising to a consumer based on the consumer’s activities. Cross-context behavioral advertising is defined narrowly. Therefore, communicating a consumer’s personal information to, for example, a service provider to enable it to provide marketing and advertising services (excluding cross-context behavioral advertising services), such as serving non-personalized advertisements—which are based on the consumer’s personal information derived from their current interaction with the business—would count as a permitted business purpose.
Sensitive Personal Information
The CPRA introduces a new category of regulated information, “sensitive personal information,” which includes government identification; login information; credit and debit card numbers in combination with any required access code; precise geolocation; racial or ethnic origin; religious or philosophical beliefs; contents of mail, email and texts; genetic data; uniquely identifying biometric information; healthcare data; and information pertaining to sexual activities and preferences. The CPRA also grants consumers more control over a covered business’ use of this category of information by, for instance, directing a covered business to limit its use of sensitive personal information to specifically permitted purposes.
New and Modified Consumer Rights
The CPRA modifies existing rights under the CCPA and creates new rights for consumers. In particular, the CPRA amends a consumer’s right to request deletion of personal information. Whereas the CCPA requires covered businesses to inform only service providers about deletion requests, under the CPRA, businesses must notify all third parties to whom the business has sold or shared a consumer’s personal information of a deletion request.
The CPRA also creates new consumer rights. These include a consumer’s right to correct inaccurate personal information; the right to restrict the processing of sensitive personal information; and the right to opt out of the sharing of personal information for cross-context behavioral advertising.
Expanded Pre-Collection Disclosure Obligations
The CCPA already requires certain consumer notices regarding the collection and use of their personal information. The CPRA also requires disclosure of the length of time each category of personal information will be retained.
Reasonable Information Security
The CPRA makes clear that covered businesses are required to implement and maintain reasonable security practices and procedures.
Unlike the CCPA, the CPRA imposes audit and risk assessment requirements. If the processing activities of a covered business present significant risk to a consumer’s privacy or security, the business is required to perform a cybersecurity audit on an annual basis. The business must also submit to the California Privacy Protection Agency (CPPA), on a regular basis, an assessment with respect to the covered business’ processing of personal information which identifies and weighs the benefits resulting from the processing against the potential risks to the rights of the consumer.
Service Provider Requirements
The CPRA specifies certain restrictions that must be incorporated in a written contract with a service provider including, but not limited to, restrictions on selling or sharing, retaining, using or disclosing personal information other than for the purpose specified in the written agreement or by the business-service provider relationship. The CPRA also requires service providers to cooperate with and assist a covered business in responding to verifiable consumer requests.
The CPRA establishes a new enforcement agency, the CPPA, which is charged with administering, implementing and enforcing the provisions of the CCPA. If the CPPA determines that a violation has occurred, it may require the violator to cease and desist the violation and/or pay an administrative fine of up to $2,500 for each violation or up to $7,500 for each intentional violation and each violation involving the personal information of minor consumers.
On October 17, 2022, the CPPA released the second set of draft regulations governing compliance with the CCPA as amended by the CPRA. The period to submit written comments ended on November 21, 2022. The revised regulations, which are still not finalized, update the previous set of regulations that were released on July 8, 2022, and provide valuable guidance for covered businesses regarding the requirements of the CPRA. These include guidance on a covered business’ use and collection of personal information along with the consumer’s right to limit the use of their sensitive personal information; the process for obtaining consumer consent; responding to consumer requests; and the permitted business purposes for which a service provider can process personal information pursuant to the written contract with the covered business.
Even though businesses may presently have existing CCPA compliance programs, those programs do not guarantee compliance with the CPRA. Accordingly, businesses should determine if they are subject to the CCPA/CPRA and review any CCPA compliance programs. In addition to the CPRA, comprehensive privacy laws enacted by Virginia, Colorado, Connecticut and Utah also take effect in 2023 and should be considered when reviewing compliance programs.