CCPA 2.0 and the Changing Privacy Landscape, Part II: CPRA’s Covered “Businesses” & Exemptions
California voters’ approval of the California Privacy Rights Act (CPRA), a privacy ballot initiative that amends and expands the California Consumer Privacy Act (CCPA), is a significant development in the U.S. privacy world. The CPRA makes noteworthy changes to the CCPA, including creating additional obligations on businesses and service providers, the provision of broadened individual rights, and the creation of the first U.S. state privacy agency, the California Privacy Protection Agency. Additionally, the CPRA limits the ability of the legislature to amend the law. This post is our second installment in a Digital Insights series discussing the most significant changes effected by the CPRA. Our first installment, which focused on “sensitive personal information,” is available here.
The CPRA takes effect on January 1, 2023, but, importantly, applies to personal information collected on or after January 1, 2022. Thus, though businesses have two years to prepare for the CPRA’s requirements, their privacy programs must apply retroactively to personal information collected on or after January 1, 2022. Additionally, we can expect that new regulations under the CPRA will be introduced on or by July 1, 2022, further defining the privacy protections that the CPRA will require.
What Qualifies as a Regulated “Businesses” Under the CPRA?
The CPRA modifies the CCPA’s thresholds for an entity to be a covered “business,” and therefore subject to its provisions. To be a covered “business” under the CPRA, a for-profit entity doing business in California that collects consumers’ personal information must meet one of the following threshold requirements:
Processing Amount: The CPRA increases the number of “consumers” or “households” from whom an entity annually buys, sells, or shares personal information from 50,000 to 100,000.
Gross Revenue: The CPRA clarifies that the annual gross revenue in excess of $25 million threshold should be measured based upon the preceding calendar year. Like the CCPA, the CPRA does not address whether this threshold is intended to apply to a business’ revenue in California only or overall. Thus, businesses with an overall revenue meeting this threshold should consider compliance with CCPA and CPRA.
Selling and Sharing Revenue: The CPRA applies to businesses who derive at least 50% of their annual revenue from both “selling” and “sharing” personal information of California consumers. As a newly defined term under the CPRA, the addition of “sharing” to this requirement will expand the scope of businesses to which the law applies as it now includes transfer of personal information “whether or not for monetary or other valuable consideration.”
The CPRA also expands the types of businesses that must comply with the law to include: (1) joint ventures or partnerships composed of businesses in which each business has at least a 40% interest, and (2) entities doing business in California that voluntarily certify to be subject to and comply with the CPRA to the California Privacy Protection Agency. The CPRA clarifies that it also applies to entities that control or are controlled by a covered business, including entities that an average consumer would believe to be commonly owned, if consumers’ personal information is shared between the two entities.
Expanded CPRA Exemptions
Employee Data: The CPRA recognizes the different relationship in employment-related contexts and thus expands the CCPA’s limited exemption for employee data to January 1, 2023. The Act makes it clear that, until 2023, it will not apply to certain personal information collected in the employment context (personal information collected from a job applicant, employee, owner, director, officer, medical staff member or independent contractor).
Business-to-Business Data: Similarly, the CPRA extends the CCPA’s limited exemption for certain personal information collected from consumers in a business-to-business context until January 1, 2023.
Security and Integrity Data: The CPRA clarifies that businesses, when responding to consumer’s requests, do not need to provide “data generated to help ensure security and integrity” or as prescribed by regulation.
Publicly Available Information: The CPRA also clarifies that publicly available information is not personal information under the CPRA. Publicly available information includes information that a business has a “reasonable basis to believe is lawfully made available to the general public by the consumer or from widely distributed media.”
Education Records and Assessments: The CPRA states that it does not require a business to comply with a consumer request to delete personal information if the request for deletion applies to a student’s grades, educational scores, or educational test results that the business holds on behalf of a “local educational agency” at which the student is enrolled. It also does not require that a business disclose an educational standardized assessment, or a consumer’s responses thereto, if doing so would jeopardize the validity of the assessment.
Entities doing business in California should assess whether the CPRA’s modified thresholds bring them within the definition of a covered “business.” Entities within the CPRA’s purview should begin review of their current compliance programs to identify gaps and incorporate the CPRA’s new obligations while monitoring regulatory developments. Additionally, it is important to remember that the CCPA is the governing law until the CPRA takes effect in 2023 and therefore, CCPA-covered businesses must meet its requirements in the meantime.
You can find our first installment of this series on the CPRA, which focused on “sensitive personal information,” here. Our next installment will discuss notice obligations and the right to opt out under the CPRA. Subscribe to this blog to receive notifications when new posts go up.