Just as the ink had dried on what we thought was the CA Attorney General’s final set of regulations for the California Consumer Privacy Act (CCPA), a new, fourth draft set was submitted earlier this month, building upon the third draft set issued in October. Both sets of regs have yet to be finalized.
However, the bigger privacy news coming out of CA is the recent passage of the state’s ballot initiative for a new privacy law – the California Privacy Rights Act of 2020 (CPRA) – which is set to amend and replace the CCPA in 2 years’ time. Although not effective until January 1, 2023, companies subject to California’s privacy rules are encouraged to look ahead to the CPRA’s requirements, especially when designing and implementing privacy policies and procedures today, in order to keep pace with CA’s continually evolving privacy landscape.
Why adopt the CPRA?
The CPRA ballot initiative arose out of consumer concerns that the CCPA had been weakened by amendments and regulations passed to appease pro-business lobbyists. To that end, the CPRA essentially amends and expands the CCPA by enacting stricter consumer protection provisions which are more closely aligned with the EU’s General Data Protection Regulation (GDPR) than is the current law.
Key Differences between CCPA and CPRA
1. Creation of an enforcement agency
The CPRA establishes a new, independent enforcement agency - the California Privacy Protection Agency (CPPA) - which, in addition to its enforcement responsibilities, will provide guidance to both consumers and the businesses subject to the law. This model is similar to the GDPR requirement that each EU member state create a data protection authority to handle privacy matters within its borders. With a budget more than 2 times that of the current enforcement body (the CA AG’s office), the CPPA will have greater bandwidth to enforce the protections afforded under the CPRA. The agency will assume responsibility for the enforcement of the CPRA as of July 1, 2021. The existence of the CPPA represents a sizable step forward in protecting consumers and their privacy rights.
2. New threshold of applicability for businesses
The new law also changes the threshold for determining which businesses are subject to the CPRA. Unlike the CCPA, which applies to businesses whose activities touch 50,000+ consumers/households, the CPRA raises this number to 100,000+, which effectively takes smaller businesses out of the law’s scope. The current $25M annual revenue threshold remains the same. The CPRA does, however, broaden applicability by extending its reach to businesses that either “share” or sell data.
3. New category of protected data
The CPRA creates a new category called “sensitive personal information” and attaches new limitations and disclosure requirements to it, effectively expanding consumer rights with respect to specific sets of data such as government-issued identifiers (Social Security numbers and driver’s licenses); financial account and login information (credit or debit card number together with login credentials); genetic data; biometric or health information; and sex life or sexual orientation information.
4. New rights for consumers
In addition to amending existing rights, consumers also will be given new rights under the CPRA, such as the right to correct any personal information held by a business which is inaccurate and the right to exercise a private right of action free of charge. The right to opt-out of the sale of personal information will also be expanded under CPRA to include situations where personal information is being shared with third parties for behavioral advertising across websites. Consumers will now have the right to limit use and disclosure of sensitive information, as well as the ability to object to the use of their personal information for automated decision making, which includes “profiling.”
5. Increased penalties
Two noticeable changes stand out. The first is the elimination of the existing 30-day cure period that businesses presently enjoy after receiving notice of a violation. The second is that the fine for violations involving minors will increase threefold to $7500 per incident.
6. New definition of Contractor
The CPRA adds a new definition of “contractor,” which is similar to CCPA’s definition of “service provider” in that a contractor is not a third party and is bound by a written contract limiting its use of any personal information disclosed to it by a business. However, rather than processing information for the business, a contractor is given access to personal information for a specific, contractual business purpose.
7. Updated requirements for consumer notices
CCPA requires different types of consumer notices based on the stage of the interaction between the consumer and the business. The CPRA modifies the content of these notices to match the new rights of consumers and obligations of businesses. For example, the updated notices must disclose whether sensitive personal information is collected and the use(s) of such information. They also will be required to provide information about data sharing practices and data retention policies.
8. New limits on data retention and minimization
Similar to the GDPR, CPRA makes it a “general duty” for businesses that collect personal information to limit their retention of such data for no longer than is needed to fulfill the purpose(s) related to the data collection. Businesses will also be required to inform consumers of either the length of time they retain each category of personal information or the criteria used to determine such period. CPRA goes as far as prohibiting the processing of such data for any purpose which is incompatible with the disclosed purpose.
9. Expanded obligations for service providers and contractors
Once more following in the footsteps of the GDPR, CPRA significantly expands the obligations imposed on service providers and contractors under the CCPA by requiring the inclusion of specific contractual obligations in data processing agreements (DPAs) between companies and their service providers, contractors or other third parties, such as mandating certain notice and certification requirements and prohibiting the sale, sharing, retention, use or disclosure of personal information for any purpose other than those specified in the DPA.
10. New audit and risk assessment requirements
CPRA also imposes on businesses annual cybersecurity audits in certain circumstances where there may be a significant risk to consumer privacy or security and mandates the regular submission of risk assessments to the newly formed CPPA relating to their processing of personal information.
Impact of CPRA
California’s first privacy law – the CCPA – undoubtedly had a trailblazing impact on privacy rights across the U.S. by helping to encourage stricter protections for consumer data and greater uniformity among privacy laws across the states. The CPRA will take these protections considerably further, and certainly closer to GDPR standards. It is also likely to put more pressure on the federal government to adopt a federal privacy law.
In the meantime, companies doing business in CA should begin taking steps to understand the CPRA, as it will become the nation’s most stringent privacy law once enforceable on July 1, 2023. Until then, the CCPA and its regulations will continue to apply. When you consider that the CPRA includes a 12-month lookback period for collected data, beginning January 1, 2022, there really is no time like the present to begin compliance work.
If you would like to learn more about the CPRA and its impact on your business, please Contact Us to speak with one of our privacy attorneys.
Stephan Grynwajc (NY team) served as a senior in-house attorney for several blue-chip technology corporations (e.g., Intel and Symantec) in France, the U.K. and the U.S., and today, focuses his practice on advising U.S.-based clients on navigating the EU privacy landscape.
Mabell Aguilar (CA team) has over 25 years of experience advising clients on key business priorities, including privacy compliance matters. As GC at Singularity University, she handled the company’s global GDPR compliance effort; today, she supports her clients in designing "right-sized" compliance models and supporting their implementation efforts.
Virginia Fournier (CA team) has over 20 years of in-house experience advising Fortune 100 and start-up companies in the areas of technology licensing, IP, standards, and privacy and data security compliance (including GDPR and CCPA).
Mark Johnson (Washington D.C. team) has over 20 years of experience advising clients on data privacy regulations and public policy, and is a former member of the Data Privacy practice group at the international law firm, Squire Patton Boggs in Washington D.C.
Bill Porter (CA team) has over 20 years of legal experience advising emerging technology companies on a range of corporate and transaction matters, including privacy compliance issues.
Lakshmi Sarma Ramani (Washington D.C. team) has over 20 years of experience advising clients on a range of global legal and compliance matters, including cross-border privacy issues. She led global technology and privacy efforts, including GDPR and children’s privacy matters, while General Counsel at NAEYC; served as the lead global attorney for technology and privacy matters at The Nature Conservancy; and handled freedom of information and privacy issues while at the PA Department of Revenue.
Karen Scarr (CA team) has over twenty years of in-house experience at Fortune 500 companies, including significant privacy and data security experience (regulatory compliance, incident response, IT audits, and policy development).