As companies still struggled to come to terms with the compliance requirements of the California Consumer Privacy Act (CCPA), they were hit by a surprising piece of news: voters approved the California Privacy Rights Act (CPRA) following a privacy referendum held during the November 2020 elections. The new law, which was officially certified on 16 December 2020, is set to come into force on 1 January 2023. Until then, the CCPA will apply.
The CCPA itself was hastily drafted and passed on 28 June 2018 to avoid the inclusion of a more stringent privacy initiative on voter ballots in the November 2018 elections. However, due to many compromises and amends made to the law as a result of political negotiations, the CCPA was ultimately deemed too weak and abandoned in favor of a new law, the CPRA. Learning from past mistakes, legislators have added a provision within the law: the CPRA, once passed, cannot be weakened, only strengthened.
The CPRA saw surprisingly little pushback from big tech lobbyists. In a year where a pandemic raged across the world, political turmoil rocked the US and companies scrambled to find a way to continue business operations remotely and remain afloat, the CPRA flew under the radar and was passed, with 56% of California voters in its favor.
The CPRA does not mean CCPA compliance is now obsolete. Companies that have reached CCPA compliance have a leg up on companies that have yet to start their journey into compliance. The CPRA is essentially an expansion of the CCPA, maintaining the core framework of its predecessor, but at the same time introducing a number of significant changes, many inspired by the EU’s broader General Data Protection Regulation (GDPR).
This is good news for companies that are already GDPR compliant. The CPRA is more closely aligned to the GDPR than the CCPA was and, although minor changes might be needed to become fully compliant with CPRA, GDPR compliant organizations have a lot less work ahead of them than companies that have never had to deal with the EU’s strict data protection regulation.
Who does the CPRA apply to?
The CPRA applies to all for-profit organizations that do business in California, collect personal information of California residents and to whom, one or more of the following thresholds apply:
- They have reached $25 million or more in annual revenue during the prior calendar year;
- They buy, sell or share the personal information of 100,000 or more consumers or households;
- They derive at least 50% of their annual revenue from selling or sharing consumer personal information.
The CPRA continues to apply to service providers as defined in the CCPA but introduces a new category of applicability for so-called contractors that are defined as persons to whom a business makes available a consumer’s personal information.
By expanding its applicability criteria to include the sharing of personal information, CPRA will extend its reach to companies that do not receive monetary gains from selling personal data. The move likely targets third-party digital advertising.
What type of information does the CPRA protect?
CPRA introduces a new category of sensitive personal information which is more strongly regulated than personal information as defined under the CCPA. Sensitive personal information includes government-issued IDs such as passports, driver’s licenses, and Social Security Numbers, financial data such as credit card or bank account numbers, racial and ethnic data, religious or philosophical beliefs, genetic, biometric, and health data, but also contents of emails or text messages unless the business is the intended recipient of the communication.
Companies will need to provide consumers with a ‘Limit the Use of My Sensitive Personal Information’ link on their homepage similar to the ‘Do Not Sell My Personal Information’ link already required under the CCPA. The link should enable consumers to limit the use or disclosure of their sensitive personal information.
Data Minimization, Purpose, and Storage Limitations
The CPRA introduces a series of new requirements when it comes to the collection and storage of personal information. Similar concepts exist under the GDPR. The first is data minimization, meaning that companies can only collect, use and share personal information in accordance with what is reasonably necessary and proportionate for the purpose for which the data is being collected.
Organizations cannot collect, use or share information for no stated purpose or for reasons incompatible with the purpose for which the data was initially collected. Businesses are also required to notify consumers at the point of collection for how long they will retain their personal information or, if not possible, the criteria that will determine the length of time it will be kept for. Companies cannot retain personal information longer than reasonably necessary.
New rights for consumers
Besides existing rights under the CCPA such as the right to request the deletion of their personal data and the right to opt-out of the sale of their personal information, the CPRA introduces a series of additional rights for consumers. They will now have the right to correct inaccurate personal information, the right to opt-out of the sharing of their personal information, and, as mentioned earlier, the right to limit the use and disclosure of their sensitive personal information.
Greater risk of liability
Under the CCPA, companies had 30 days to fix problems after consumers filed a complaint. The so-called 30-day cure was scraped by the CPRA: if a company suffers a breach due to poor security practices, even if they subsequently rectify what caused the incident, they are still liable to a private right of action and statutory damages. Consumers will also no longer need to prove they were harmed by a breach to be able to bring a lawsuit.
The CPRA takes a stand on the protection of the personal information of children. Failure to protect the data of minors under 16 years old will lead to automatic fines of $7,500/violation, three times more than under the CCPA.
California Privacy Protection Agency
The CPRA created the California Privacy Protection Agency (CPPA) which will take over the responsibility of enforcing the CCPA and CPRA from the California Attorney General’s Office. The agency was established as soon as the CPRA was approved and board members have already been appointed to it.
In conclusion
By blocking the possibility of the CPRA being weakened by later amends, California legislators have taken a firm stand and cemented the place of tough privacy laws in the state’s legislation. Companies doing business in California will need to carefully review existing practices and evaluate what changes need to be made to their contracts, privacy notices, individual rights response procedures, and other privacy operations to bring them in line with the CPRA.