California voters approved Proposition 24 on November 3, 2020, paving the way to the California Privacy Rights Act (CPRA), which, on January 1, 2023, will replace California’s current data protection law, the California Consumer Privacy Act (CCPA). CPRA slightly reshapes CCPA, creating additional rights for consumers and additional obligations and restrictions for businesses related to the use of consumers’ personal information, including limits on data collection and retention, among others.
Most of CPRA will become operative on January 1, 2023. The law will apply to personal information collected after January 1, 2022. There will be a 6-month delay between the effective date of the act and its enforcement, with enforcement actions commencing on July 1, 2023. In the meantime, CCPA will remain in full force and effect.
Among other things, CPRA:
- Revises some of the definitions currently existing in CCPA, especially the definitions of “business” and “sale”, and defines new terms, such as “sensitive personal information” and “sharing”;
- Increases security requirements with the addition of audits and assessments for businesses whose processing presents a significant risk to consumers’ privacy and security;
- Creates additional limitations and contractual requirements for service providers and contractors;
- Introduces several new concepts that are similar to those found in most modern data protection laws worldwide, such as data minimization or retention limitation;
- Expands consumer rights with respect to their personal information, such as the right to correction or the right to object to the use of automated decision making and profiling;
- Introduces the notion of “sharing” personal information, clarifying the difference between selling and sharing;
- Sets forth stringent limitations on cross-context behavioral targeting;
- Increases penalties for violations related to the personal information of children under 16;
- Creates a new agency responsible for enforcing the CPRA; and
- Extends the CCPA exemptions for B2B and employee data.
CPRA changes existing definitions and introduces new terms. The most noticeable changes include the introduction of “sharing” as an activity different from “selling”. CPRA defines sharing as disclosing, making available, transferring, or communicating personal information to a third party for cross-context behavioral advertising for the benefit of a business, whether or not for monetary or other valuable consideration.
Other new or updated definitions that significantly affect several parts of CPRA include the new concept of “contractor” and an updated definition of “service provider”, revised to keep the two definitions consistent. Under CPRA, a business “makes available” personal information to a “contractor” for a business purpose pursuant to a written contract that prohibits the contractor from selling or sharing the personal information. A “service provider” is a person that “receives personal information” from, or on behalf of, a business and processes the information on behalf of that business for a business purpose.
The new concept of “sensitive personal information” combines two existing concepts. The first is “sensitive information”, frequently used in the US to designate information that receives the highest level of protection, in particular in the context of data breaches (for example, identifiers or financial account access information). The second is “special categories of data”, used in most privacy or data protection laws abroad to designate certain types of information that might be used for discrimination (for example, discrimination based on ethnicity or religion) or might contain intimate details that a majority of individuals tend to keep highly confidential (for example, health information or sexual preferences).
New Rights for Individuals
The CPRA introduces several new consumer rights, some of which are similar to those found in most data protection laws, worldwide.
The right to know what personal information is sold or shared is the successor of the CCPA “do not sell” right. The right is upgraded to address the addition of the concept of “sharing”. In this regard, it will be important to keep in mind that the definition of “sharing” is limited to “cross-context behavioral advertising”.
New or expanded rights include the right to limit the use of sensitive information, the right of correction, the right to object to automated decision making and profiling, and the right to opt out of information sharing / behavioral advertising.
New Obligations for Businesses
With the creation of new rights for consumers come new obligations, including the obligations to provide notices of these new rights and put in place the required opt-out procedures and related mechanisms that implement those rights. In addition, CPRA introduces new restrictions.
Data Minimization and Retention Limitation
CPRA makes it a “general duty” for a business that collects personal information to limit its collection, use, retention and sharing to what is reasonably necessary and proportionate to achieve the purposes for which the personal information was collected or processed. It prohibits the further processing of the data for a purpose incompatible with the disclosed purpose, and requires businesses not to retain personal information for longer than necessary for the purposes for which the personal information was collected. Businesses will also inform consumers of the length of time they retain each category of personal information or, if that is not possible, the criteria used to determine such durations.
Contractual Requirements When Engaging Service Providers and Contractors
CPRA imposes a broad range of direct or contractual obligations on service providers and contractors and significantly expands those that are currently imposed under CCPA. As a result, businesses will have to review their contracts with their service providers and contractors to ensure these contracts contain all of the newly required provisions.
Security measures and audit accountability take a more prominent place under CPRA.
General Duty to Use Security Measures
CPRA makes it a “general duty” for businesses to implement reasonable security procedures and practices appropriate to the nature of the personal information to protect it from unauthorized or illegal access, destruction, use, modification or disclosure. Regulations will be needed to clarify the actual scope and nature of this requirement.
Security Audits and Privacy Risk Assessments
In addition, CPRA imposes security audits and privacy risk assessments on businesses whose processing presents significant risks to consumers’ privacy and security. CPRA outlines general requirements; the details will be provided in upcoming regulations. The businesses concerned will be required to perform an annual cybersecurity audit, and to submit to the newly formed California Privacy Protection Agency, on a regular basis, a risk assessment with respect to their processing of personal information.
California Privacy Protection Agency
CPRA establishes the California Privacy Protection Agency (CPPA) as a regulatory body with full administrative power and jurisdiction to take enforcement action against CPRA violations. The agency will be responsible for providing guidance to businesses regarding their duties and responsibilities, and for appointing a “Chief Privacy Auditor” to conduct audits of businesses to ensure compliance with the law and its regulations. CPRA creates the Consumer Privacy Fund, a special fund used to offset the costs of enforcement actions by both the California Privacy Protection Agency and the California Attorney General.
California voters have approved Proposition 24, and CPRA is here to stay. Starting in January 2023, CPRA will expand individuals’ ability to limit the use of their personal information in the context of targeted advertising, beyond the rights already acquired under the current provisions of CCPA. Unfortunately, this takes 52 pages of clauses that are anything but clear and easy to understand. It will take time for most parties affected by it, or charged with implementing it, to understand what CPRA means in practice. In the meantime, CPRA is likely to cause administrative and financial burdens to most businesses that target California consumers.