It is summer and you just finished all the hard work to make sure your organization addressed all applicable California Consumer Privacy Act (CCPA or the “Act”) requirements. You sit down, take a deep breath, and see what California has been up to during your CCPA preparations. Well, lo and behold, California wants to give the nation’s most aggressive data protection law a facelift in a new ballot initiative to be voted on this November.
You may remember that California pioneered the first sweeping privacy reform in the United States in 2018 when the CCPA was passed. The Act was amended in 2019 and went into effect January 1, 2020, with enforcement beginning July 1 of this year. Taft’s Privacy & Data Security group has provided information regarding the data requirements of the CCPA in previous blog posts, but generally, the Act affords consumers the right to know what information is being collected from them, the right to prohibit businesses from keeping their information, and the right to opt-out of the sale of their personal information, among other things. The CCPA already reaches outside California state lines, as it applies to companies that do business within the state that have revenues of over $25 million per year, derive at least 50% of its revenue from selling information, or buy, sell or share personal information of at least 50,000 California consumers, households or devices.
Since the time the CCPA passed, consumer privacy advocacy groups have continued to push for individuals to have greater rights as to who can collect, access and use their personal information and how that information can be used. The CPRA is the result of those efforts and it recently reached the threshold to become a ballot initiative to be considered in the voting booth here in a few short months.
With the California Privacy Rights Act (CPRA), California seeks to go further in strengthening its consumer data protections. This new law, proposed by the same group that put the CCPA on the ballot, aims to supplement and strengthen the CCPA, while also clarifying several key portions of the statute. If passed, the CPRA will go into effect January 1, 2023 and will apply only to personal information collected by a business on or after January 1, 2022. Businesses and organizations that operate in California should prepare for several key changes to take effect if voters pass the statute in November.
- The CPRA both narrows and expands the scope of businesses that are covered under the existing California Civil Code. Under the proposed CPRA, a covered business will now be any entity that meets one of three thresholds.
- An entity that, alone or in combination, annually buys or sells, or shares the personal information of 100,000 or more consumers or households. This definition changes the CCPA definition by removing the phrase “receives for the business’s commercial purposes” and changing the consumer threshold from 50,000 to 100,000.
- An entity that derives 50 percent of its annual revenues from selling or sharing consumers’ personal data. In addition to selling consumer data, the CPRA language adds the word “sharing” consumers’ data as a way to meet the 50 percent threshold.
- An entity that had an annual gross revenue in excess of 25 million dollars in the preceding calendar year. The CPRA clarifies that the revenue is determined by reviewing the preceding calendar year.
Additionally, businesses that would be covered by the CPRA are expanded to include certain affiliates of companies that are otherwise covered by the Act, but otherwise mostly tracks the CCPA’s applicability standards. Under the Act, Companies may also voluntarily certify to the California Privacy Protection Agency that it is in compliance with, and agrees to be bound by, the CPRA.
- The CPRA will add a new, second, category of personal information under Cal Civ. Code § 1798.140(ae), called “sensitive personal information.” This is personal information that carries a heightened risk of financial or reputational harm if disclosed or misused, such as a consumer’s Social Security number, driver’s license or state identification card, financial account information, passport number, race, ethnicity, union membership, personal communications, genetic data, biometric or health information, information about sex life or sexual orientation, or precise geolocation. The new bill also provides consumers the ability to opt-out of geolocation advertising.
- The CPRA increases protections for children under the age of 16 with fines tripled up to $7,500 for violating the CCPA’s opt-in to sale right. Businesses must obtain opt-in consent to sell or share data from consumers under the age of 16.
- The CPRA creates the California Privacy Protection Agency, a five-member agency charged with implementing and enforcing both the CCPA and CPRA. The Chair and one member of the board would be appointed by the Governor. The Attorney General, Senate Rules Committee, and Speaker of the Assembly shall also each appoint one member. The CPRA stresses that these appointments should be made “from among Californians with expertise in the areas of privacy, technology, and consumer rights.” This would be the first agency in the United States solely dedicated to privacy. Currently, the California Attorney General enforces the CCPA.
In the months leading up to what will undoubtedly be an eventful election season, many businesses will now also have questions as to how they should approach compliance with the CCPA and the potential changes as to how they collect, store, process, and share consumer information if the CPRA is adopted. Because of the breadth of the bill, it will undoubtedly affect different businesses in all industries. If passed, along with the CCPA, California will have some of the strongest data protection laws in the nation. The bill reduces ambiguities in the CCPA and introduces a more balanced compliance obligation.
No matter if the bill passes, this CPRA shows that data security and privacy is becoming a bigger issue for voters. While the federal government has been largely absent from this realm, more states may begin to follow California’s example and enact stricter laws because of voter pressure and advocacy groups. As the legal landscape continues to evolve in the realm of privacy and data security across the nation, Taft’s attorneys are ready to assist businesses in navigating how to comply with these laws and develop and implement best practices.
*Portions of this blog were contributed by Addison Caruso, a Summer Associate in Taft’s Dayton office.