What is the California Privacy Rights Act (CPRA)?
The California Consumer Privacy Act (CCPA), signed into law in 2018 and has been in effect since 2020, has dramatically changed the data privacy landscape in California and the US. The CCPA defined personal data rights, businesses’ responsibilities for handling and processing data, and consequences for non-compliance. It also requires that businesses provide Californian residents with the ability to “opt-out” of having their personal information sold to third parties, to know what data has been collected about them, and, if requested, to delete it.
The California Privacy Rights Act (CPRA) is not a new law that overwrites the CCPA. It should be considered an amendment to the CCPA. It clarifies and amends some requirements where there was uncertainty in interpreting and enforcing the CCPA, as well as introduces some new and additional requirements.
When does it come into force?
The California Privacy Rights Act (CPRA) came into force in December 2020. The main provisions that took effect then were the provisions around establishing the California Privacy Protection Agency (CPPA). The remaining provisions of the CPRA come into effect on January 1st, 2023.
The CPRA will become enforceable on July 1st, 2023, meaning that companies in the scope of the CPRA could face potential enforcement actions after July for non-compliance. Any enforcement actions will only apply to infringements that occur after July 1st, 2023.
The existing CCPA requirements remain in effect until that date.
What is the California Privacy Protection Agency (CPPA)?
The California Privacy Protection Agency (CPPA) is the first dedicated privacy regulator in the US. The CPRA established the CPPA to implement and enforce the CPRA and CCPA. Enforcement is not the CPPA’s only role – it also has the responsibility to prepare new rules and regulations since that transferred from the California Attorney General (AG) in April 2022. Both the California AG and the CPPA will enforce the law.
Why should I care?
The CCPA and the CPRA impose obligations on businesses in the law’s scope. Non- compliance with these obligations can result in potential administrative fines of up to $2,500 per violation or $7,500 per intentional violation. The CPRA also increases potential fines for non-compliance regarding consumers under the age of 16 to $7,500 per violation, where it is known that the consumer is under 16.
Under the CCPA, only the California Attorney General could enforce the law. This responsibility was on top of their other duties as the leading legal officer in California. This may explain why we have only seen one enforcement action under CCPA so far – the $1.2 million fine to Sephora in August 2022.
On July 1st, 2023, when the CPRA becomes enforceable, both the California Attorney General and the CPPA will enforce the law. With an agency dedicated to ensuring Californian consumers’ data privacy rights in place, we can likely expect to see increased enforcement actions in this space in the coming year.
How do I know if my business is in scope of the CPRA?
A business that is in the scope of the CPRA is:
- a for-profit legal entity
- that collects consumers’ personal information on its own or by others on its behalf
- that alone or jointly with others determines the purposes and means of the processing
- that does business in the state of California
- and satisfies at least one of the following thresholds:
- At least $25 million in gross annual revenue for the previous year
- annually buys, sells, or shares the personal information of 100,000 or more Californian consumers or households
- derives 50% or more of its annual revenues from selling or sharing Californian consumers’ personal information
Most of the above already applied under CCPA; the CPRA amendments are highlighted in bold above.
The second threshold increased from 50,000 to 100,000 consumers. This means that some small or medium-sized businesses that were in the scope of CCPA will no longer be in scope after the CPRA comes into effect in 2023.
The CPRA also broadens the thresholds by adding the term “share,” which is defined as “sharing, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating … a consumer’s personal information by the business to a third party for cross context behavioural advertising, whether or not for monetary or other valuable consideration”. This also includes “transactions between a business and a third party for cross-context behavioural advertising for the benefit of a business in which no money is exchanged.” Cross-context behavioural advertising (CCBA) is defined as targeting advertising at a consumer based on the personal information collected from their activity across businesses, websites, applications, or services with which the consumer did not intentionally interact.
Who is a consumer and what is a consumer’s personal information?
According to the California Attorney General, a consumer is a natural person who is a California resident, even if the person is temporarily out of the state.
Personal information is information that identifies, relates to, or could reasonably be linked with a particular consumer or household, such as name, social security number, email address, records of products purchased, internet browsing history, geolocation data, fingerprints, and inferences from other personal information that could create a profile about a consumer’s preferences and characteristics.
What’s changing with the introduction of CPRA?
As well as the updated thresholds and the introduction of the CPPA mentioned above, other amendments to highlight include the following:
- The introduction of Sensitive Personal Information (SPI) – a new category of personal data that is highly protected and brings additional requirements
- Updates to required links on Business’s websites
- Additional data privacy rights for Californian consumers
- Employees will be granted the same rights as Consumers.
Sensitive Personal Information (SPI)
Sensitive Personal Information is a new category of personal information defined in the CPRA as personal information that reveals a consumer’s:
- Social Security, driver’s license, state identification card, or passport number
- Account login, financial account, debit card, or credit card number in combination with any required security or access code, password, or credentials allowing access to an account
- Precise geolocation
- Racial or ethnic origin, religious or philosophical beliefs, or union membership
- Mail, email, and text message content, unless the Business is the intended recipient of the communication
- Genetic data.
SPI is highly protected, thus imposing additional obligations and restrictions to its processing, giving consumers more control over how businesses use their personal information. Additional obligations include:
- Notice at collection requirement – Businesses must inform consumers about what SPI is being collected, why it is collected, what it is used for, and whether the information is sold or shared. Businesses cannot collect more SPI than they inform the consumer about, and they cannot use the SPI for additional purposes incompatible with the initially stated purpose without providing the consumer with notice.
- The right to limit use and disclosure – Consumers have the right to limit the use of their sensitive personal information. They can request that a business only use their SPI as necessary to provide the goods or services and as authorised by further regulations.
- Opt-out link requirement to limit use and disclosure – Businesses that use or disclose SPI for purposes other than those allowed by the CPRA must include a clear and conspicuous link on their websites titled “Limit the Use of My Sensitive Personal Information” that enables consumers to restrict the processing of their SPI
Updates to required links on Business’s websites
The “Do Not Sell My Personal Information” link is to be updated to “Do Not Sell or Share My Personal Information” link. This is updated to reflect the expanded scope of the CPRA.
As covered above, there is a new requirement to include a “Limit the Use of my Sensitive Personal Information” link.
Additional data privacy rights for Californian consumers
The CCPA introduced four specific rights for consumers:
- The right to know about the personal information a business collects about them and how it is used and shared. The CPRA expands on this right to include providing consumers with information on the length of time the Business intends to retain each category of personal information, or where this is impossible, the criteria used to determine such period;
- The right to delete personal information collected from them (with some exceptions);
- The right to opt out of the sale or sharing of personal information (CCPA allows consumers to opt-out of businesses selling their data. The CPRA expands this right to include the sharing of personal information, in addition to selling);
- The right to non-discrimination for exercising their privacy rights.
The CPRA introduces two additional rights for consumers:
- The right to correct any inaccurate personal information a business has about them;
- The right to limit the use and disclosure of sensitive PI to that “which is necessary to perform the services or provide the goods reasonably expected by an average consumer who requests such goods and services.”
Minors (consumers under the age of 16) have opt-in rights. The CCPA requires that businesses obtain opt-in consent to sell the personal information of Minors. The CPRA goes one step further, mandating that if a Minor declines to give consent for their personal information to be sold or shared, businesses must wait 12 months before asking the Minor for consent again. It also states that the opt-in right must explicitly include the sharing of data for cross-context behavioural advertising.
Employees will be granted the same rights as Consumers
Under the CCPA, employee data was not provided the same protection as consumer data. Employees did not have the same rights as consumers. The CPRA turns this around entirely by offering Employees the same rights as consumers. Therefore, businesses in the scope of CPRA will need to be ready to respond to, and action employee requests, like requests to access or correct personal information.
What should I do now?
At the time of writing, the CPRA regulations created by the newly created California Privacy Protection Agency (CPPA) are yet to be finalised. The CPPA expects the final rules to be published in late January 2023. Under that timeline, which includes reviews by other authorities, the regulations would take effect around April. This article does not cover requirements that are not finalised and are possibly subject to change.
Although not all aspects of the CPRA will take full effect until April 2023, businesses should start laying the groundwork to comply with the known requirements of the CPRA as soon as possible. Businesses that are already compliant with CCPA and GDPR can perform a gap assessment to see what extra measures they need to put in place to be CPRA compliant.