Privacy

Here We Go Again: From CCPA to CPRA

Published: Nov. 04, 2020

Last Updated: Nov. 05, 2020

Less than a year after the effective date of the watershed California Consumer Privacy Act (CCPA), the newly passed California Privacy Rights Act (CPRA) – aka CCPA 2.0 – once again sets the scramble of California privacy law compliance in motion. The new law builds upon the CCPA’s framework by creating additional rights for consumers, further compliance obligations for businesses, and the establishment of a new California Protection Agency to develop regulations and enforce the law. Helpfully, the substantive portions of the CPRA do not become operative until January 1, 2023, and most of them apply only to information that a business collects after January 1, 2022. In addition, the CPRA amends the CCPA to extend until January 1, 2023 the partial business exemption in relation to employee information and business to business transactions, giving businesses an additional two years of respite.

We will provide further CPRA analysis and insights during an upcoming webinar series, including what you should be doing to prepare. Details and dates for early December will be announced shortly.

Below is a summary of the most significant changes from the CCPA to the CPRA.

1 – Consumer Rights & Opt-out Requests:

New rights for sensitive personal information. The CPRA introduces a new definition for “sensitive personal information” and for such information gives consumers the right to:

  • opt out of the sale of “sensitive personal information,”
  • opt out of a business’s mere use of “sensitive personal information” for purposes other than providing services or goods to the consumer.

Businesses must have a separate link to a mechanism for exercising this right on their homepage. §1798.121(a).

“Sensitive personal information,” includes: Social Security Number, driver’s license number, passport number, financial account information, precise geolocation, race, ethnicity, religion, union membership, personal communications, genetic data, biometric or health information, and information about sex life or sexual orientation.

New right to opt out of cross-context behavioral advertising. The CPRA creates the new term “cross-context behavioral advertising,” defined as advertising targeted to a consumer based on personal information obtained from the consumer’s activity across businesses, distinctly-branded websites, applications, or services, except for consumer’s activity across the entity with which the consumer intentionally interacts. §1798.140(k). Notably, cross-context behavioral advertising is regulated in several ways that go beyond the CCPA.

  • Cross-context behavioral advertising is explicitly excluded as a “business purpose” that can be performed by a service provider. §1798.140(e)(6).
  • A consumer has the right to opt out of the “sharing” of information for cross-context behavioral advertising purposes, regardless of whether or not such sharing is for “monetary or other valuable consideration.” §1798.140(ah); §1798.135(a).

Expanded right to deletion. Businesses will be required to pass on consumer deletion requests not only to service providers, but also to third parties to which the business has shared or sold information (unless it proves impossible or involves disproportionate effort). §1798.105(c). Service providers must also pass on deletion requests to their subcontractors.

Right to correct inaccurate personal information. Similar to the GDPR, the CPRA grants California consumers a new right to request the correction of inaccurate personal information held by a business. §1798.106.

Changes to consumer request responses. The CPRA makes several changes to how businesses must address consumer requests to know such as:

  • Allowing consumers (if the AG adopts an appropriate regulation) to request more than the 12-month lookback period for access requests for data collected on or after January 1, 2022. §1798.130(a)(2)(B).
  • Not having to duplicate information in their privacy policies in response to requests to know. §1798.130(a)(2).

Opt-out signals in lieu of DNS link. A business will not have to post an opt-out link if it allows consumers to communicate their Do Not Sell/Do Not Share preferences via signals or preferences that are set “with the consumer’s consent by a platform, technology, or mechanism based on technical specifications set forth in regulations.” §1798.135(b).

2 – New & Enhanced Business Requirements:

New requirements for service providers. Service providers will have to notify businesses of the identities of their subcontractors. §1798.140(ag)(2). Contracts with service providers must also prohibit the provider from: (1) selling or sharing the business’s personal information; (2) retaining, using, or disclosing personal information outside of the direct business relationship between the service provider and the business; and (3) combining personal information received from one business with that received from another business. §1798.140(ag)(1).

New contractual requirements for all disclosures not just service providers. Businesses will need to have a contract with any entity to which they disclose personal information, including third parties to which they sell personal information. The contract must include purpose limitations and must require the same level of protection as the CPRA. §1798.100(d).

Enhanced “Notice at Collection” requirements. In addition to the requirements for Notice at Collection included in the CCPA regulations, the CPRA requires such notices to include: (1) separate categories, purposes, and whether each category of sensitive personal information is sold or shared; and (2) the retention period for personal information by category. §1798.100(a).

Data minimization requirement. Businesses may only collect, use, retain, and share a consumer’s personal information to the extent that it is “reasonably necessary and proportionate” to either: (1) the purpose for which it was collected or processed, or (2) another disclosed purpose that is compatible with the context in which it was collected. §1798.100(a)(3); §1798.100(c).

New high bar for consent. “Consent,” which was undefined in the CCPA, is defined by the CPRA as “any freely given, specific, informed and unambiguous indication of the consumer’s wishes,” such as a statement or a clear affirmative action signifying agreement to the processing of personal information for a particular, narrowly defined purpose. A consumer’s acceptance of general or broad terms of use does not constitute consent, regardless of whether the document contains descriptions of personal information processing. Like the General Data Protection Regulation (GDPR), consent may not be bundled with other, unrelated information. Consent cannot be obtained by a consumer hovering over, muting, pausing, or closing a given piece of content, nor can agreement obtained through the use of “dark patterns” that attempt to sway a consumer’s opt in constitute consent. §1798.140(h).

3 – Enforcement & Liability:

Enforcement authority. The CPRA creates the “California Privacy Protection Agency,” an independent executive agency tasked with protecting consumer privacy, educating consumers about their rights, promulgating regulations, and enforcing the law. §1798.199.10. The law includes a timeline for phasing out the California Attorney General’s current rulemaking and enforcement responsibilities in favor of the new agency and sets 2021 as the start of new rulemaking activities. §1798.185.

  • Cure: The CPRA makes clear that the AG does not have to provide a cure period before the AG brings an action. However, the AG does have to provide 30 days notice and give the business an opportunity to be heard in a private proceeding before finding that there is probable cause to believe the business violated the CPRA. The AG also retains the option to provide a business the opportunity to cure. §1798.199.45; §1798.199.50.

Data breach liability. The CPRA amends the data breach liability provision of the CCPA to clarify that breaches resulting in the compromise of a consumer’s email address in combination with a password or security question and answer that would permit access to the consumer’s account are within scope for the data breach private right of action. §1798.150.(a)(1).