California voters approved Proposition 24 on November 3, 2020, paving the way to the California Privacy Rights Act (CPRA). Nicknamed CCPA 2.0, the CPRA has been presented as an improved version of the California Consumer Privacy Act (CCPA), California’s current data protection law, which was adopted in 2018 in the most unusual circumstances. CPRA slightly reshapes CCPA, creating additional rights for consumers and additional obligations and restrictions for businesses related to the use of consumers’ personal information, including limits on data collection and retention, among others. In practice, the 52-page document introduces a number of new concepts, increases administrative burdens, and is likely to require most businesses within its scope to re-evaluate their activities and develop new processes beyond those that they may have just finished implementing to comply with CCPA.
CPRA is intended to replace the California Consumer Privacy Act (CCPA) in 2023. Most of CPRA will become operative on January 1, 2023, and the law will apply to personal information collected after January 1, 2022. There will be a 6-month delay between the effective date of the act and its enforcement, with enforcement actions commencing on July 1, 2023. In the meantime, CCPA will remain in full force and effect until it is superseded by CPRA.
Among other things, CPRA:
- Revises some of the definitions currently existing in CCPA, especially the definitions of “business” and “sale”, and defines new terms, such as “sensitive personal information” and “sharing”;
- Increases security requirements with the addition of audits and assessments for businesses whose processing presents a significant risk to consumers’ privacy and security;
- Creates additional limitations and contractual requirements for service providers and contractors;
- Introduces several new concepts that are similar to those found in most modern data protection laws worldwide, such as data minimization or retention limitation;
- Expands consumer rights with respect to their personal information, such as the right to correction, or the right to object to the use of automated decision making and profiling;
- Introduces the notion of “sharing” personal information, clarifying the difference between selling and sharing;
- Sets forth stringent limitations on cross-context behavioral advertising;
- Increases penalties for violations related to the personal information of children under 16;
- Creates a new agency responsible for enforcing the CPRA; and
- Extends the CCPA exemptions for B2B and employee data.
New or Updated Definitions
CPRA changes existing definitions and introduces new terms. The most noticeable changes include the following:
CPRA introduces “sharing” as an activity distinct from “selling”. “Sharing” is defined as disclosing, making available, transferring, or communicating a consumer’s personal information to a third party for “cross-context behavioral advertising”, whether or not for monetary or other valuable consideration. The new definition is especially relevant to affiliate advertising networks, advertisers and data brokers in the context of re-targeting and behavioral advertising, in which advertisements are targeted to a consumer based on information collected about that consumer’s activities across different websites, applications or services.
CPRA revises the definition of “business”, i.e., the entities subject to the law. The current definition under CCPA identifies three thresholds: annual gross revenue, number of records processed, and percentage of revenue derived from the sale of personal information. With the new definition, the $25 million gross revenue threshold remains, but the other two thresholds change.
The threshold associated with the number of consumers or households whose personal information is bought, sold or shared is increased from 50,000 to 100,000, which may take more SMEs out of scope than under CCPA. Conversely, the threshold associated with the percentage of revenue derived from personal information is now computed by combining revenue from selling and revenue from “sharing” personal information. This change is likely to bring more SMEs within the scope of the law.
CPRA introduces the notion of “contractor” and updates the definition of “service provider” to keep the two definitions consistent. Under CPRA, a business “makes available” personal information to a “contractor” for a business purpose pursuant to a written contract that prohibits the contractor from selling or sharing the personal information and contains other restrictions.
The definition of Service Provider is modified to include the new concept of “sharing”. A service provider is a person that “receives personal information” from, or on behalf of, a business and processes the information on behalf of that business for a business purpose pursuant to a written contract that prohibits the service provider from selling or sharing the personal information and contains other restrictions.
CPRA creates the concept of “sensitive personal information”, which includes, among others, Social Security numbers and other government-issued identifiers; financial account or payment card information in combination with the required access code or credentials; precise geolocation data; racial or ethnic origin, religious or philosophical beliefs; sexual orientation; genetic data; biometric information processed to uniquely identify a consumer; and certain health information outside the context of HIPAA.
This long list combines two concepts: the concept of “sensitive information” frequently used in the United States to designate information that receives the highest level of protection, in particular in the context of data breaches (for example, identifiers or financial account access information), and the concept of “special categories of data” currently used in most privacy laws abroad to designate certain types of information that might be used for discrimination (for example, discrimination based on ethnicity or religion), or that might contain intimate details that most individuals tend to keep highly confidential (for example, health information, sexual orientation).
It should be noted that the definition of “sensitive personal information” includes the contents of a consumer’s mail, email, and text messages unless the business is an intended recipient of the communication. This last element is not commonly found in other data privacy laws, abroad. Finally, “publicly available” information is not considered sensitive personal information or even personal information.
New Rights for Individuals
The CPRA introduces several new consumer rights. Some of these rights are similar to those found in most data protection laws, such as Canada’s PIPEDA or the EU General Data Protection Regulation. Examples of new rights include:
Right to Know what Personal Information is Sold or Shared
The right to know under CPRA is an expanded version of the “Right to Know” under CCPA. It is a consequence of the introduction of the concept of sharing personal information as a restricted activity. In this context, the consumer right to object to the sale of their personal information is expanded to the right to also object to the sharing of their personal information. It will be important to keep in mind that the definition of “sharing” is limited to “cross-context behavioral advertising”.
Right to Limit the Use of Sensitive Information
Consumers will have the right to direct a business that collects sensitive personal information about them to limit its use of that information to that which is necessary to perform the services or provide the goods, as “reasonably expected by an average consumer who requests such goods or services”. The detail of the definition is left to upcoming Regulations.
A business that uses or discloses the sensitive personal information for other purposes, must inform the consumer that this information may be used by the business, or disclosed to a service provider or contractor, for additional purposes, and that consumers have the right to limit the use or disclosures of their sensitive personal information.
Right of Correction
Consumers will have the right to request the correction of inaccurate information. Businesses that receive requests for correction will be required to use commercially reasonable efforts to correct inaccurate personal information, as directed by the consumer.
Right to Object to Automated Decision Making and Profiling
Consumers will have the ability to object to the use of their personal information for automated decision making, which includes “profiling”. Profiling is defined as automated processing of personal information to evaluate certain aspects relating to a natural person, such as economic situation, health, personal preferences, interests, reliability, behavior, location, movements, or performance at work. In addition, consumers will have a right to access meaningful information about the logic involved in such decision-making processes, as well as a description of the likely outcome of the process with respect to the consumer.
Expanded Right of Deletion
The right of deletion already existing under CCPA will be expanded to require businesses to notify all parties to whom the business has sold or provided, or with whom they have shared, personal information to delete it. The updated right of deletion also includes an obligation for service providers and contractors to delete or enable the deletion of the information, and notify their own service providers and contractors to do the same.
Right to Opt-out of Information Sharing / Behavioral Advertising
Consumers will be granted the right to opt-out of information sharing with third parties for behavioral advertising across websites. This right supplements the pre-existing right to opt-out of the sale of personal information. The new provisions concerning the use of personal information for marketing purposes are detailed below.
New Obligations for Businesses
The CPRA creates new obligations for businesses, some of which are similar to those found in other data protection laws worldwide.
Updated Content of the Notices to Consumers
CCPA requires that different types of notices be provided to consumers at different stages of the interaction between the consumer and the business. CPRA modifies the content of these notices to match the new rights of consumers and obligations of businesses. For example, the updated notices will have to disclose whether the business collects sensitive personal information, and what uses it makes of such information. It will also have to provide information about its data sharing practices and its data retention policies.
CPRA introduces a data retention requirement, another concept that has been found in most data protection laws on all continents for decades. CPRA makes it a “general duty” for a business that collects personal information not to retain personal information for longer than is reasonably necessary for the purposes for which the personal information was collected. Businesses will also be required to inform consumers of the length of time they retain each category of personal information or, if that is not possible, the criteria used to determine that period.
Retention limitation is a new concept for most US-based companies. Businesses should pay special attention to this requirement, as it is likely to be used in litigation and enforcement actions, especially in the case of a data breach. When large amounts of data are retained just because they “might be useful one day”, and a data breach exposes personal information that should have been deleted long ago had the business or other custodian of the personal information followed reasonable data retention and disposal practices, the business or custodian is exposed to liability. The violation may become clear in the course of an investigation following a data breach, and the exposure to penalties or increased damages might increase in view of the violation of an applicable law requiring limits on data retention.
Data minimization is another “general duty” introduced by CPRA. Like retention limitation, data minimization has been a significant element of most data protection laws worldwide, and a basis for enforcement under those laws when a business collected and processed more data than was necessary to perform its services. CPRA requires that the collection, use, retention and sharing of personal information be “reasonably necessary and proportionate to achieve the purposes for which the personal information was collected or processed”, and prohibits the further processing of the data for a purpose incompatible with the disclosed purpose.
This is a very important provision. It will likely cause a significant shift from the practices that have been in place in the United States (with exceptions, such as HIPAA), where numerous businesses elected to collect and store very large amounts of personal information, just because storage had become inexpensive and the information “might be useful one day”. Businesses, and some of their service providers and contractors, will have to evaluate carefully the details of their data collection and handling practices, so that they can explain why certain personal information is collected and in what way the information is necessary for the purposes identified to the consumer.
Reasonable Security Measures
CPRA significantly expands the obligation of businesses to implement reasonable security measures and practices for personal information. These measures are discussed later in this article.
Contract with Service Providers, Contractors and Third Parties
CPRA imposes largely similar direct and contractual obligations on service providers and contractors, and significantly expands those currently imposed under CCPA. As a result, businesses will have to review their contracts with their service providers and contractors to ensure these contracts contain all of the newly required provisions. Overall, the new data processing agreements will have significant similarities – and differences – with the corresponding provisions required by GDPR Article 28.
Among other things, Data Processing Agreements under CPRA will be required to include the following provisions:
- Specify that the personal information is sold or disclosed by the business only for limited and specified purposes;
- Obligate the service provider, contractor or third party to comply with the applicable obligations under CPRA; and obligate them to provide the same level of privacy protection as required under CPRA;
- Grant the business rights to take reasonable and appropriate steps to ensure that the service provider, contractor or third party uses the personal information so received in a manner consistent with the obligations of the business under CPRA;
- Require the service provider, contractor or third party to notify the business if it determines that it can no longer meet its obligations under CPRA;
- Grant the business the right, upon notice, to take reasonable and appropriate steps to stop unauthorized use of personal information.
The same requirements apply to contracts with third parties, a term that is used to identify some entities that are neither service providers nor contractors.
Other requirements for the DPA are found in separate sections of the CPRA. For example,
- The DPA must prohibit the contractor or service provider from selling or sharing the personal information; retaining, using or disclosing it to others for any purpose other than those specified in the DPA; or from retaining, using or disclosing it outside the direct business relationship with the business.
- The DPA must prohibit the service provider from combining personal information that the service provider obtains in the course of assisting a business with the personal information it receives from or on behalf of another person, or that it collects from its own interaction with the consumer (with exceptions).
- The DPA must include a certification that the contractor understands the restrictions above (not required for service provider DPAs).
- When engaging a sub-service provider or sub-contractor, service providers and contractors must notify the business of any such engagement, and bind those subprocessors to the same written terms as those between the business and the service provider or contractor.
Use of Personal Information for Cross-Context Behavioral Advertising
One of the key changes from CCPA is the introduction of the term “sharing” as the practice of disclosing or communicating a consumer’s personal information for cross-context behavioral advertising, whether or not for monetary or other valuable consideration, including transactions between a business and a third party.
Under CPRA, consumers will have the right to opt-out of the sharing of their personal information – whether or not for monetary or other valuable consideration – with third parties for “cross-context behavioral advertising”, a practice that is explicitly excluded from the definition of “business purpose”. This right is in addition to the right to object to the sale of their personal information.
This addition is likely to have a significant impact on businesses that use digital marketing techniques to target California consumers. Those that previously determined that their disclosure of personal information for advertising-related purposes does not constitute a sale, because the exchanges do not involve valuable consideration, may need to revisit those decisions to determine whether such activities would constitute “sharing”. Further, businesses that engage in “selling” or “sharing” will also need to provide or update their opt-out links and processes to offer consumers a “Do Not Sell or Share My Personal Information” choice.
Security Requirements
CCPA already contains an implied requirement to use reasonable data security measures to protect a limited category of personal information, through its private right of action for data breaches. CPRA gives security and security measures a more prominent place.
General Duty to Use Security Measures
First, CPRA makes it a general duty for businesses to implement reasonable security procedures and practices appropriate to the nature of the personal information to protect the personal information from unauthorized or illegal access, destruction, use, modification or disclosure.
Regulations will be needed to clarify whether the obligation applies to all categories of personal information, or only to a subset. Most of the provisions of CPRA that refer to security use the term “personal information”. However, CPRA Section 3(A)(1) refers to consumers’ “most sensitive personal information”, while Section 3(B)(6) uses the term “personal information”. Section 4, which creates CPRA Section 1798.100(e), refers to California Civil Code Section 1798.81.5; however, that code section – written more than 15 years ago alongside the historic California breach notification law – covers a different group of “personal information” that is only a subset of CCPA personal information. Unfortunately, the categories of personal information listed in Section 1798.81.5 match neither the definition of “sensitive personal information” nor the definition of “personal information” in CCPA or CPRA.
Security Audits and Privacy Risk Assessments
CPRA will also impose security audits and privacy risk assessments in certain circumstances. At this point, there is limited detail, and CPRA points to upcoming Regulations but provides minimal guidance, limited to a handful of general requirements.
The Regulations would require businesses whose processing of consumers’ personal information “presents a significant risk to consumers’ privacy or security” to perform an annual cybersecurity audit, and to submit to the newly formed California Privacy Protection Agency, on a regular basis, a risk assessment with respect to their processing of personal information.
According to CPRA, the regulatory framework for the audit would include provisions defining the scope of the audit, and establishing a process to ensure that the audits are thorough and independent. The factors to be considered when determining whether processing poses a significant risk to the security of personal information would include the size and complexity of the business, and the nature and scope of the processing activity.
Information to be provided in the risk assessment report would include “whether the processing involves sensitive personal information”, and would require “identifying and weighing the benefits resulting from the processing to the business, the consumer, other stakeholders, and the public against the potential risks to the rights of the consumers associated with such processing, with the goal of restricting or prohibiting such processing if the risks to privacy of the consumer outweigh the benefits resulting from processing to the consumer, the business, other stakeholders and the public.”
Private Right of Action and Penalties
CCPA provides for a limited private right of action in the event of a data breach resulting from a failure to implement reasonable security, with statutory damages where the breach affects certain categories of personal information. CPRA makes a minor addition to the types of personal information that may trigger an action for damages: unauthorized access to an email address in combination with a password or security question and answer that would permit access to the account.
CPRA increases the protection of the personal information of children under the age of 16 by tripling the statutory amount currently imposed by CCPA for non-intentional violations. CCPA §1798.155(b), as amended by CPRA, will impose penalties of up to $7,500 for “violations involving the personal information of consumers whom the business, service provider, contractor or other person has actual knowledge is under 16 years of age”.
California Privacy Protection Agency
CPRA establishes the California Privacy Protection Agency (CPPA) as a regulatory body with full administrative power and jurisdiction, to enforce any CPRA violations. The CPPA will enforce consumer privacy laws and impose fines. Among its numerous responsibilities and powers, the CPPA will be responsible for providing guidance to businesses regarding their duties and responsibilities, and appoint a “Chief Privacy Auditor” to conduct audits of businesses to ensure compliance with the law and its regulations. CPRA creates the Consumer Privacy Fund, a special fund for use to offset the costs of enforcement actions by both the California Privacy Protection Agency and the California Attorney General.
Employee and B2B Exceptions
While most provisions of CPRA will enter into force in January 2023, several provisions have an effective date of January 1, 2021. As a result of amendments to CCPA adopted in October 2019, CCPA contains partial exemptions for the handling of personal information collected in an employer/employee relationship (employees, job applicants and independent contractors), and of information obtained in the context of a B2B relationship. That exemption, which took employee and independent contractor information, and information collected in the context of a B2B relationship, out of the scope of CCPA, was due to expire on January 1, 2021. CPRA extends that moratorium through the end of 2022.
Regulations
CPRA requires the development of regulations on a wide range of topics, including definitions, exemptions, technical specifications for opt-out preference signals, automated decision making, cybersecurity audits, risk assessments, and the monetary thresholds in the definition of a “business”. The final regulations must be adopted by July 1, 2022.
California voters have approved Proposition 24, and CPRA is here to stay. Starting in January 2023, CPRA will expand California consumers’ ability to limit the use of their personal information in the context of targeted advertising, beyond the rights already acquired under the current provisions of CCPA. Unfortunately, this takes 52 pages of clauses that are anything but clear and easy to understand. It will take time for most parties affected by it, or charged with implementing it, to understand what CPRA means in practice. In the meantime, CPRA is likely to cause administrative and financial burdens to most businesses operating in California.
But, CPRA does more than just that. It has significant implications for privacy and data management as they exist currently in the United States. It creates a paradigm shift towards concepts found in most privacy laws worldwide, outside the United States.
CPRA imposes specific new restrictions on data collection and data retention, making them part of the “general duties” of businesses that collect the personal information of California consumers. Both concepts, which were shaped in the 1970s and laid down in the 1980 OECD Privacy Guidelines, have been an integral part of most foreign privacy laws for decades.
In the United States, on the other hand, the mantra commonly used by US enterprises in the context of the collection and use of personal information has been “Say what you do, and do what you say you do”. That allowed them to collect and retain large amounts of data, so long as they disclosed these practices in their privacy notices. With limited exceptions (e.g., HIPAA), no US privacy law has placed limits on how much data can be collected, or how long it can be retained.
The introduction of “general duties” for businesses, and the inclusion of data minimization and storage limitation among those duties, paves the way for drastic changes to the framework in which personal data is collected and processed, and to the way businesses monetize personal information in the United States. These changes will require businesses to assess the nature and scope of their personal information collection and use practices, and to balance those activities against their actual needs or legal obligations, so that they can justify why certain information is needed and why it is stored for as long as it is.