With the ink barely dry on the California Consumer Privacy Act of 2018 (“CCPA”) – now comes CCPA 2.0.
On November 3, 2020, Californians voted “Yes” on Prop. 24 and adopted the new California Privacy Rights Act (“CPRA”). The CPRA is an expansion of the CCPA, and is designed to further strengthen consumer privacy protections. It brings California’s privacy rights further in line with the European General Data Protection Regulation (“GDPR”), and ushers in a number of important changes over the next few years:
Creation of a New Regulatory Body
The CPRA creates a new enforcement agency – the California Privacy Protection Agency (“CPPA”), which will have full power to implement and enforce the CCPA, as amended by CPRA. While other countries have had dedicated privacy enforcement regulators for decades, until now, U.S. privacy laws have been enforced by regulators who had plenty of other non-privacy enforcement obligations. With an agency solely dedicated to privacy enforcement, it’s a safe bet that CCPA regulatory enforcement activity will increase.
Addition of “Sensitive Personal Information”
The CPRA creates a new category of “sensitive personal information” as a subcategory of its broad definition of “personal information,” and gives consumers the right to limit the use, sale, and sharing of sensitive personal information where it has been collected or processed for the purpose of inferring characteristics about a consumer. “Sensitive personal information” includes government-issued identifiers, account credentials, precise geolocation, race or ethnic origin, religious beliefs, genetic data, and biometric data. While some businesses have already been required to provide consumers with the ability to opt out of the sale of their personal information, now any business that uses sensitive personal information to infer characteristics about a consumer will need to ensure that there is a clear means for consumers to opt out of the sale of their personal information, and to limit the use and disclosure of their sensitive personal information.
New Right to Correct
The CPRA introduces the GDPR concept of the right to correct. Consumers will now have the right to request that a business that maintains inaccurate personal information about the consumer correct such information. For businesses, this will require disclosure to consumers of their right to request correction of inaccurate personal information and the use of commercially reasonable efforts to correct inaccurate personal information upon receipt of a verifiable request.
Expansion of the Right to Know
The CPRA expands consumers’ right to know and to request specific pieces of their personal information beyond the current 12-month lookback period, so long as providing information beyond the 12-month period does not prove impossible or involve disproportionate effort. This obligation will increase the amount of data that is subject to a consumer’s right to know and bring California access rights closer in line with those provided in the GDPR’s right to access.
Expansion of the Right to Delete
In responding to a verifiable consumer deletion request, the CCPA requires businesses to notify service providers to delete that consumer’s information. This obligation still exists, but the CPRA places new requirements on third parties to cooperate with businesses in meeting their privacy obligations. Service providers and contractors must now delete the personal information upon notification of a deletion request and pass the deletion request downstream to any other parties who accessed the consumer’s personal information.
Expansion of the Right to Opt Out
The CPRA expands the right to opt out to not only include the “sale” of personal information but also the “sharing” of personal information for cross-context behavioral advertising, even where no money is exchanged.
Expansion of Breach Liability
In addition to the CCPA’s private right of action for breaches of nonencrypted, nonredacted personal information, the CPRA expands the private right of action to cover the breach of an email address in combination with a password or security question and answer permitting access to an email account. There are also expanded fines for the breach of information pertaining to minors.
Extension of Employee and B2B Exceptions and Timing
A bit of good news for businesses – the CPRA extends the current employee and business-to-business exemptions to January 1, 2023. The CPRA will not take effect until January 1, 2023, but—with the exception of the right to know lookback, which will extend back indefinitely—will apply to information collected on or after January 1, 2022. Enforcement is set to begin on July 1, 2023.
Actions to Take Now
While businesses have just over two years to get fully compliant with the CPRA, that doesn’t mean they should wait until the last minute to develop a compliance plan. The CCPA still requires companies to update their privacy notices at least annually, and for many businesses, their first annual CCPA notice update will take place during the next few months. These notice reviews and updates should be used as an opportunity to assess the potential impact of the CPRA and to formulate a compliance action plan.
If you have any questions about how the CPRA will impact your organization or for assistance with any other privacy issues your business is facing, contact Starr Drum at firstname.lastname@example.org or (205) 254-1852.
This Client Alert is for information purposes only and should not be construed as legal advice.
The information in this Client Alert is not intended to create and does not create an attorney-client relationship.