California has once again decided it needed to pass privacy legislation to protect the residents of the great state from the nefarious actions of Big Tech. However, this time they did it with a ballot initiative and not via the thoughtful (mostly) mechanism of the legislative process. The proponents of the California Privacy Rights Act of 2020 (“CPRA”) touted this as an improvement over the CCPA – but is it really? To listen to the proponents of the CPRA, it aims to strengthen California consumer privacy rights while, for the most part, avoiding the imposition of overly burdensome requirements on a business, particularly those businesses that are already CCPA compliant. So, what’s changed, really?
CPRA will go into effect on January 1, 2023, and, similar to the CCPA, enforcement will begin on July 1 of the same year. Passage will also push out the employee and business-to-business exceptions in the CCPA to January 2023.
Here’s what’s new in the CPRA:
Adjustment of Definition of “Covered Business.”
The CPRA amends the CCPA’s definition of a covered business in a manner that both expands and contracts the CPRA’s applicability.
First, it raises the threshold number of consumers from 50,000 to 100,000, narrowing applicability and thus alleviating some stress on small and mid-sized businesses.
Second, it integrates the concept of “sharing” personal data into the restricted activities, and expands the scope of applicability to businesses that generate most of their revenue from sharing or selling personal information.
Finally, it adds that a covered business may also be a joint venture or partnership in which the business has at least a 40% interest, or a business that voluntarily submits to jurisdiction by self-certifying under the CPRA. We are not sure why a business would subject itself to the Act when it otherwise does not rise to the level of a business, but stranger things have happened.
So – a small change to the CCPA.
Sensitive Personal Information.
The CPRA introduces an additional layer of information called “Sensitive Personal Information,” including information that reveals a consumer’s social security, driver’s license, state identification card, or passport number; a consumer’s account log-in, financial account, debit card, or credit card number in combination with any required security or access code, password, or credentials allowing access to an account; or a consumer’s precise geolocation. It is worth noting that most of this is actually already covered by the breach notice provisions of the CCPA (which the CPRA doesn’t change). So, this isn’t really anything new.
What is new is the addition of EU-style coverage of data considered “sensitive”. A consumer’s racial or ethnic origin, religious or philosophical beliefs, or union membership are now “sensitive”. While understandable in the EU historical context, this makes absolutely no sense in the state of California. Last time we checked, no one had been put into concentration camps as a result of their membership in a union.
In addition, the contents of a consumer’s mail, email, and text messages (unless the business is the intended recipient of the communication); genetic data; the processing of biometric information for the purpose of uniquely identifying a consumer; personal information collected and analyzed concerning a consumer’s health; and personal information collected and analyzed concerning a consumer’s sex life or sexual orientation are now “sensitive”. This makes more sense, but it is still somewhat of a rehash of old rules. The CCPA and the California Medical Information Privacy Act already protect most of this information.
Another interesting carve-out is that sensitive information that is “publicly available” pursuant to paragraph (2) of subdivision (v) of Section 1798.140 shall not be considered Sensitive Personal Information or Personal Information. This recognition and separation of SPI also brings with it additional requirements and restrictions relating to disclosure, opt out, consent, as well as purpose limitations.
CPRA includes new consumer rights, and also builds upon and expands some existing consumer rights. If passed, consumers will have the following rights:
- The Right to Deletion – this is an existing right in the CCPA, but one that has been expanded to require that businesses notify third parties to delete consumer Personal Information bought or received, with some exceptions. Of course, this assumes that the deletion right isn’t subsumed by the exceptions to the deletion obligation – which for the most part have been brought over from the CCPA.
- The Right to Correct Inaccurate Personal Information – this is a new consumer right in the CPRA, allowing consumers to request correction of their personal information if found to be inaccurate. Practically speaking, most businesses want to have accurate information on their customers, so it isn’t really clear how challenging this is going to be – or how much of a “new protection” this is for California consumers.
- The Right to Know What Personal Information is being Collected, and to Access Personal Information – this is also an existing right in the CCPA that has not substantially changed. So, nothing new there.
- The Right to Know what is Sold or Shared (and the affiliated opt-out rights) – this is an expanded version of the CCPA’s “Right to Know”. The CPRA introduces the notion of sharing Personal Information as a restricted activity. Now, normally, this would be viewed as a strong enhancement in an individual’s control over their personal information. However, the CPRA does something tricky with a very common word (i.e. “share”) – it narrows the scope of the “share” concept to a specific use-case. This makes the seemingly broad protection actually quite narrow.
The CPRA defines “sharing” as “sharing, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means, a consumer’s personal information by the business to a third party for cross-context behavioral advertising…” Clearly, not all sharing is a problem under the CPRA.
The effect of this change will cause a new burden for affiliate advertising networks (and their clients), advertisers, and data brokers, but likely not many others. While these companies will once again be faced with making changes to ensure any transfer of Personal Information is subject to an opt-out, those businesses are already dealing with the broad provisions of the CCPA around opt-outs.
What is going to be unfortunate about the CPRA is a likely continuing influx of requests from consumers who misunderstand the true meaning of “sale” and “sharing” under the CPRA. All of this doesn’t seem to actually add to the protections of the consumer, as the CCPA already mandated an opt-out for “selling” (which got triggered even where there was no “monetary” consideration). So, is this really giving the consumer anything that wasn’t already there?
- The Right to Limit Use of SPI – this is another new consumer right that allows consumers to limit the use and disclosure of their SPI to limited purposes. However, considering the limitation principle in the CCPA under 1798.100(b), this is also an existing obligation. So while there may be a right to object to a use outside the scope of the purposes originally disclosed, the affirmative obligation under 1798.100 not to use personal information for undisclosed purposes makes this new right moot. Why does one need a right to object to processing that is elsewhere prohibited anyway?
- The Right to No Retaliation – this is an existing right under the CCPA. The CPRA purports to expand this scope to job applicants, employees, and independent contractors – EXCEPT those individuals are subject to the exception in the CPRA the same way they are exempt under the CCPA. So, nothing new there either – even though it might look like it.
New Notice Requirements.
Under the CCPA, businesses have various layers of notice requirements with which they must comply. The CPRA would expand notice obligations for businesses, also requiring businesses to disclose to consumers whether personal information (or SPI) is sold or shared. The CPRA does, however, do some narrowing here as well: the requirement to provide a new notice at collection – triggered when the business collects personal information (or SPI) for a new purpose – applies only when the additional purposes “are incompatible with the disclosed purposes for which the personal information was collected.” This was in the CCPA anyway.
So, while the changes in the CPRA look like they impose more restrictions and rights, in practice, most of this looks like “more of the same”.
The Attorney General Regulations to the CCPA require that a business document all CCPA-related consumer requests received and all responses to the same, and keep them for 2 years. The CPRA on the other hand requires businesses to inform California consumers regarding the length of time the business intends to retain each category of Personal Information (or SPI), or at the very least the criteria used to make this determination. The CPRA also clarifies that businesses may not keep Personal Information (or SPI) for longer than reasonably necessary for the disclosed purpose for collection. It also leaves open the door for the California Privacy Protection Agency to implement further recordkeeping requirements to ensure compliance with the Act.
While this is new(ish), most businesses with any level of maturity in their business processes should be able to leverage existing functions to comply. So, while new in the privacy law, maybe not so new practically.
The CCPA has long been referred to as “GDPR-Lite” by the privacy community. Here the CPRA takes one step further by bringing to California the principles of data minimization, consent, purpose limitation, and storage limitation. Specifically, businesses will be required to: minimize the collection, use, retention, and sharing of personal information; obtain consent to the sale or sharing of personal information after a consumer has opted out, and for any sale or sharing of a minor’s personal information; obtain consent for financial incentive programs and for secondary use of SPI (note here that we don’t see the same bases for processing that we do in the GDPR); be cognizant of the purposes for collection and provide notice when the scope of collection and use changes; and finally, notify consumers at the time of collection of the length of time that each category of personal information will be retained.
This is new, at least in part. The data minimization principle (only collect what you need, not what is potentially useful) is definitely an EU concept. It is this “necessary and proportionate” limitation on what is collected that is going to create issues with businesses subject to the CPRA. No longer can you merely provide notice of a collection and purpose. The scope of the collection of data has to be “necessary and proportionate” to the purpose.
“Necessary and proportionate” is going to require businesses to dig deeper into their business justifications of why data is collected and likely will require re-drafting of privacy notices so the business has sufficient leeway to collect the data necessary to continue to innovate.
Also similar to GDPR, the CPRA creates an enforcement authority for privacy called the California Privacy Protection Agency (“CPPA”). Right now the California Attorney General carries this responsibility. Now, enforcement will of course pass to the CPPA, but that’s not all. First, the 30 day cure period that businesses enjoy under the CCPA would be eliminated. In addition, the private right of action for consumers would also be expanded to apply to the breach of an email address in conjunction with a password or security question and answer (such that access to an account might be granted).
In summary and simply put, while the list above may appear large and we see things like penalties tripling, for the vast majority of businesses, the sky is not falling. Consumer rights are mostly staying the same and most businesses already in compliance with CCPA will have minor changes and updates to make to their CCPA compliance programs, and with sound guidance should have little problem adjusting to these changes.
Businesses that identify as affiliate ad networks and non-FCRA data brokers will not enjoy the same relatively smooth transition in January of 2023; however, those businesses have ample time to prepare between November 3, 2020 and January 1, 2023.
The one big change is that businesses are going to need to have much more sophisticated legal guidance on what is “necessary and proportionate” for the purposes of collection. They will also need to do a better job of documenting collection, use, and the purposes for the same, to demonstrate that they are in compliance with the new limitations on collection. While this may not mean that the practice itself changes, it will mean that there is a significant “administrative tax” on justifying those practices.
Compliance initiatives can take time and stress company resources. Seyfarth recommends businesses in these areas begin taking steps towards compliance very soon after the election.