California Consumer Privacy Rights Act – Up for a Vote in November
Privacy Plus+
Privacy, Technology and Perspective
This week, we’re covering the basics of the California Consumer Privacy Rights Act of 2020 (“CPRA”), an initiative that aims to amend the California Consumer Privacy Act of 2018 (“CCPA”) by recognizing additional privacy rights and obligations in California. The CPRA is on the November ballot in California, and is expected to pass and become law.
To see the text of the CPRA, click on the following link:
And if you need a refresher on the CCPA, you can also visit our previous post at the following link:
But now, let’s take a look at some CPRA highlights:
Changes in Application / Coverage: The CPRA will change the application of the CCPA by modifying the definition of “business.” It will raise the threshold for application of the CCPA from 50,000 persons or households to 100,000, and “devices” will no longer be counted in the total. Presumably, that will ease the burden on smaller businesses or out-of-state businesses whose nexus to California is relatively small.
Recognition of “Sensitive Personal Information,” with Tighter Restrictions: In addition to the “personal information” covered by the CCPA, the CPRA adds a definition for “Sensitive Personal Information,” which specifically includes information that reveals, among other things, SSNs, drivers’ licenses, account credentials, financial information, “precise” geolocation data, race or ethnic origin, religious beliefs, union membership, mail/email/text contents, genetic, health, sexual history or orientation, or biometric information, access codes, and passwords. This definition specifically excludes “publicly available” information. Under the CPRA, “Sensitive Personal Information” will be subject to new notice requirements (including “Limit the Use of My Sensitive Personal Information”) and special consumer rights (see below).
New and Expanded Consumer Rights: The CPRA will preserve the individual rights set forth in the CCPA, and will add new rights, including:
+ The right to correct: The CPRA will provide California consumers with a right to correct inaccurate personal information. [§ 1798.106] If a business receives a verifiable consumer request to correct inaccurate information, it must use “commercially reasonable efforts” to do so. [Id.] What would be “commercially reasonable” is to be defined under the amended Section 1798.130 and additional regulations that are to be adopted later.
+ The right to limit sale or sharing: Subject to some exclusions, the CPRA proposes to provide California consumers with a right to request that businesses neither sell nor share their personal information with third parties. [§ 1798.120]
+ The right to limit the use and disclosure of sensitive personal information: The CPRA proposes to restrict the use of sensitive personal information to such use that is “necessary to perform the services or provide the goods reasonably expected by an average consumer who requests such goods and services.” [§ 1798.121] Businesses would also be required to disclose, at the time of collection, the categories of sensitive personal information to be collected and the purposes for which the categories are collected or used, along with whether such information is sold or shared. [§ 1798.100(a)(2)] In addition, businesses would also be required to post a clear and conspicuous link on their websites titled, “Limit the Use of My Sensitive Personal Information” in order to enable a consumer to exercise this right. [§ 1798.135(b)]
+ The right to opt out of “Cross-Context Behavioral Advertising”: Through complex definitions and exclusions, the practice of “sharing” information with others so they can target advertising to consumers based on the consumers’ activity across various businesses, distinctly-branded websites, applications, or services other than the ones with which they have “intentionally interact[ed]” will require giving consumers an opt-out option. [§§ 1798.120 and 1798.140(k)]
+ The right to opt out of automated decision-making: The CPRA makes clear that businesses will be limited in their use of automated decision-making technologies (a use which is also restricted in the EU). Expect regulations to be issued, governing access and opt-out rights with respect to such technologies. [§ 1798.185(a)(4)]
New and Expanded Obligations for Businesses: The CPRA would adopt several concepts prominent in the EU’s General Data Protection Regulation (“GDPR”):
+ Consent: Whereas the CCPA is silent on the definition of consent, the CPRA proposes a definition similar to that in the GDPR. “‘Consent’ means any freely given, specific, informed and unambiguous indication of the consumer's wishes by which he or she, or his or her legal guardian, by a person who has power of attorney or is acting as a conservator for the consumer, such as by a statement or by a clear affirmative action, signifies agreement to the processing of personal information relating to him or her for a narrowly defined particular purpose.” [§ 1798.140(h)] Accordingly, the CPRA would require that businesses not rely on, among other things, a consent to general or broad terms.
+ Retention and Restrictions on Use: The CPRA would require that businesses disclose, at the time of collection, the length of time the business intends to retain each category of personal information, including sensitive personal information, or if that is not possible, the criteria used to determine such period. Additionally, the CPRA would require that businesses restrict the collection, use, retention, and sharing of a consumer's personal information in a manner that is reasonably necessary and proportionate to achieve the purpose for which that information was collected or processed, and additionally to prevent incompatible secondary uses. [§ 1798.100(a)(3)]
+ Audits and Assessments Required where Processing Presents Significant Risk: Businesses engaged in processing of personal information that presents a “significant risk to consumers' privacy or security” would be required to comply with regulations, which would later be issued, requiring annual cybersecurity audits and the submission of risk assessments on a regular basis to the California Privacy Protection Agency (see below).
+ Service Provider/Contractor/Third Party Contracts: The CPRA also will require businesses to contract appropriately with not just service providers, but also contractors (see definition below) and third parties, in order to ensure that personal information won’t be used for any purpose other than the business purposes specified in the contract, and won’t be retained, used or disclosed outside of the direct business relationship with the business. [See § 1798.105(c)(3); § 1798.105(j)(1)(A); § 1798.100(a)(3)(d)]
Changes in Definition Affecting Obligations:
+ “Sale” and “Do Not Sell”: The definitions of “Sale” and “Do Not Sell” will no longer include certain limited analytics functions. This will be good news to businesses offering loyalty, rewards, and similar programs.
+ “Publicly Available”: What constitutes “Publicly Available” information (and is therefore not “personal information”) will expand beyond just government records, to include information which the consumer has broadcast herself without restriction.
+ “Service Provider”: The CPRA will amend the definition of a “service provider” to require additional restrictions in a contract between the service provider and the business, including a prohibition on combining personal information that the service provider receives from the business with personal information that it receives from other persons. Additionally, it removes the CCPA’s requirement that the service provider contract include a certification. [§ 1798.140(ag)]. It is worthwhile to note that the CPRA will also place direct obligations on service providers to cooperate with businesses in responding to consumer requests. [§ 1798.105(c)(3)]
+ “Contractor”: The CPRA adds a definition for “contractor” [§ 1798.140(j)] and will also oblige contractors to cooperate with businesses in responding to consumer requests. [§ 1798.105(j)(3)]
+ “Third Party”: The CPRA will clarify the definition of “third party” to exclude service providers and contractors. [§ 1798.140(ai)]
California Privacy Protection Agency and Broader Enforcement (without notice and opportunity to cure). Section 24 of the CPRA will establish a new regulatory agency, the California Privacy Protection Agency, that will be charged with CPRA rule-making and enforcement authority, effectively relieving the AG’s Office of this burden. The Agency will have the authority to fine entities that violate any provision of the CPRA up to $2,500 for each violation and/or $7,500 for intentional violations and violations involving the personal information of minors under age 16. The AG will continue to have authority to file civil actions and to recover those civil penalties. [§ 1798.199.90] Importantly, the CPRA will eliminate the CCPA’s 30-day cure period before a violation may be found.
Employee and Business-to-Business Issues Put Off until 2023. At present, the CCPA exempts personal information about one’s own employees or mere B2B contact information, but that is true only until January 1, 2022 (thanks to AB 1281, which was recently signed by California’s Governor). If the CPRA passes, the moratorium will be extended for an additional year, until the CPRA comes into effect. The object is to give California until then to reach consensus on how it wants to handle these issues.
Effective Date: The CPRA will take effect on January 1, 2023. Until then, the CCPA will continue to apply.
Here, we have merely described some important features of the CPRA. Remember always to read the text and the regulations before acting on them. Details matter. And if your business is covered by the CPRA, the details may matter a lot.
---
Hosch & Morris, PLLC is a Dallas-based boutique law firm dedicated to data protection, privacy, the Internet and technology. Open the Future℠.