Last month we discussed California’s Proposition 24, called the California Privacy Rights Act (“CPRA”), and that California voters approved the CPRA on November 3, 2020.  The CPRA amends the California Consumer Privacy Act (“CCPA”), which the final regulations of the CCPA were only recently approved by Attorney General Xavier Becerra in August, 2020. The CPRA makes a few substantial changes to the CCPA, such as additional rights to consumers, additional obligations on businesses that apply to the CPRA, an increased focus on “sharing” information for behavioral advertising, and the creation of a new governing entity to enforce the CPRA. The CPRA is set to become effective on January 1, 2023.  Until then, the CCPA will remain in full force and effect.

Section 1798.140 – Definitions

  • Business.” The three thresholds, of which only one must be met for an entity to qualify as a business under CPRA, did not change much from the CCPA. Under the CPRA, an entity can qualify as a business if it buys, sells or shares the personal information of 100,000 or more consumers, instead of the 50,000 or more consumers set by the CCPA. Additionally, the 50% revenue threshold can now be derived from selling and “sharing” consumer personal information.
    • The CPRA also includes joint ventures and partnerships as “Businesses” when each business has at least 40% interest.
  • Share.” The term share (shared or sharing) was added throughout the CPRA. Share is defined as sharing, making available, or otherwise communicating a consumer’s personal information to a third party for cross-context behavioral advertising, whether or not for valuable consideration. There are a set of exceptions in which the transaction is not deemed to be “sharing”:
    • Consumer consents to such sharing;
    • Business shares such information to inform the third party that the consumer opted out of such sharing;
    • If the sharing is part of a merger, acquisition, bankruptcy, or other transaction involving the control of the company.
  • Sensitive Personal Information.” A new category of information, sensitive personal information, includes a consumer’s:
    • Social Security, driver’s license, state identification card, or passport number;
    • Account log-in, financial account, debit card, credit card number with security, or access code or password;
    • Precise geolocation;
    • Racial or ethnic origin, religious/philosophical beliefs, or union membership;
    • Contents of mail, email, and text messages;
    • Genetic data and processing of biometric information;
    • Health and sexual orientation.
  • Contractor.” The CCPA definition of Contractor has been changed to Independent Contractor. Contractor under the CPRA now means a person that gains access to consumer personal information from the business and has a written contract with the business, provided the contract:
    • Prohibits the contractor from:
      • Selling or sharing the personal information;
      • Retaining, using or disclosing the personal information for any purpose other than what is provided for in the contract;
      • Using the personal information outside of the business relationship;
      • Combining the personal information with personal information retained from another business relationship or that it collects on its own;
    • Includes a certification that the Contractor understands the restrictions listed above; and
    • The business must monitor the Contractor’s compliance through manual reviews or other methods.

Section 1798.100(a)(2), (3) – Notifying Consumers and Data Retention

This section details the business notification requirements when collecting personal information. The CPRA adds the requirement of informing consumers whether the business collects sensitive personal information, the categories of sensitive personal information, what purposes the sensitive personal information will be used for, and if it is sold or shared.

Additionally, the business must inform its consumers of the length of time it intends to retain each category of personal information, including sensitive personal information. If that is not possible, the business must disclose the criteria used to determine the retention periods of each category, provided that it will not be collected for longer than is reasonably necessary for the specified purpose.

Section 1798.106 – Right to Correct Inaccurate Personal Information

A consumer has the right to request a business to correct the inaccurate personal information that the business currently maintains. The business must also notify its consumers of this right, such as in a website privacy policy.

Section 1798.120 – Right to Opt-Out of the Sale or Sharing of Personal Information

The consumer now has the right to opt-out of the sale and sharing of his/her personal information to third parties. As the term “share” is defined, this allows the consumer to opt-out of cross-contextual behavioral advertising. Cross-contextual behavioral advertising is targeted advertising to a consumer based on the personal information obtained from the consumer’s activity across multiple businesses, websites, applications and more.

Section 1798.121 – Right to Limit the Use and Disclosure of Sensitive Information

Consumers have the right to direct businesses that collect their sensitive personal information to limit its use and disclosure of the sensitive personal information to that use which is necessary to perform the services or provide the goods reasonably expected by an average consumer.

Section 1798.125(3) – No Retaliation or Discrimination: Loyalty Programs

The CPRA clarifies that the no retaliation and no discrimination provision does not prohibit the business from offering loyalty programs, rewards, premium features, discounts, or club card programs to consumers.

Section 1798.185(16) – Right to Object to Automated Decision Making and Profiling

This section requires the Attorney General to issue regulations that govern access and opting out rights with respect to automated decision making technology, such as automated profiling and responses to access requests.

Section 1798.199.10 – The California Privacy Protection Agency

This agency is established and vested with full administrative power to enforce the CCPA and is governed by a five-member board, in which the chairperson will be appointed by the Governor. Other members shall be appointed by the Attorney General, Senate Rules Committee, and Speaker of the Assembly.

Section 1798.185(15)(A), (B) – Security Audits and Privacy Risk Assessments

The Attorney General must issue regulations requiring businesses that process personal information that present significant risk to consumers’ privacy or security to (A) perform cybersecurity audits on a yearly basis and (B) on a regular basis, submit a risk assessment to the California Privacy Protection Agency. Factors in determining if there is a significant risk to consumers’ privacy and security include the size and complexity of the business and the nature and scope of the processing.

Exemptions and Enforcement

Section 3(A)(8) – The CPRA extends the CCPA’s exemption for employee and business to business communications until January 1, 2023.

Section 1798.785(22) – The CPRA is effective on January 1, 2023; however, civil and administrative enforcement of the provisions added or amended to the CCPA shall not begin until July 1, 2023.

The CPRA passing shows that even in these turbulent times, privacy and data security is a major issue for legislators and consumers. While the CPRA does not go into effect until January 1, 2023, and because we expect other states to follow California’s example and enact stricter privacy laws, businesses should assess its obligations under the CPRA and work with legal counsel to develop a plan to meet these new obligations.

Taft Privacy and Data Security Insights will continue to monitor and provide updates on this and other developments in the ever evolving world of data governance, privacy and security.  Stay tuned.