CCPA 2.0 and the Changing Privacy Landscape, Part V: New & Expanded Consumer Rights
The newly-passed California Privacy Rights Act (CPRA) includes additional and expanded consumer rights not currently existing under the California Consumer Privacy Act (CCPA). This fifth installment in our ongoing series about the changes to the CCPA brought by the CPRA focuses on these new and revised consumer rights and resulting business obligations.
Specifically, this installment focuses on consumers’ new rights of correction and access to certain personal information and revisions to certain existing consumer rights in the CCPA, including rights to know (and access), deletion, non-discrimination, and rights for minors. Don’t forget, these new and revised consumer rights are in addition to the rights discussed in Part I (Sensitive Personal Information), Part II (Covered Businesses and Exemptions), Part III (Notice Obligations and Right to Opt-Out), and Part IV (Data Minimization and Retention Rights and Obligations). Companies should assess their compliance with these new and revised rights to best prepare for the CPRA, which becomes effective on January 1, 2023.
New Consumer Rights
- Right to Correct Information. The CPRA provides consumers a new right to request that a business correct inaccurate personal information that the business maintains about the consumer. Businesses must disclose this new right to consumers, provide consumers a way to request correction, and use “commercially reasonable efforts” to correct personal information upon receiving a consumer’s verifiable request. NB: Neither the CPRA nor the CCPA defines or provides examples to illustrate what may constitute “commercially reasonable efforts.” We anticipate that the forthcoming CPRA regulations will provide further guidance.
Businesses must provide consumers with at least two methods for submitting correction requests (much like the CCPA’s current requirements for consumer requests), including through a toll-free number and through the business’ website, if it maintains one. However, when a business “operates exclusively online and has a direct relationship with a consumer,” the business is only required to provide an email address for submitting requests.
The CPRA requires that a business must determine whether a consumer request is verifiable and correct the inaccurate personal information within 45 days of receiving the request. The business may extend this time period once, when “reasonably necessary,” by providing the consumer notice of the extension within 45 days of the consumer’s request.
Importantly, service providers and contractors must assist the business in complying with consumer correction requests “by correcting inaccurate information or by enabling the business to do the same.”
- Right to Access Information About Automated Decision-Making. The CPRA provides for new access and opt-out rights related to automated decision-making, including for the newly defined “profiling.”
The CPRA defines profiling as any form of automated processing of personal information to evaluate personal aspects relating to an individual, and to analyze or make predictions concerning that individual’s performance at work, economic situation, health, preferences, interests, reliability, behavior, location, or movements.
The CPRA requires businesses to provide meaningful information about the logic involved in such automated decision-making processes and descriptions of the likely outcome. These new provisions mirror those in the European Union’s General Data Protection Regulation (GDPR).
- Right to Limit Use and Disclosure of “Sensitive Personal Information.” Consumers will have the right to limit a business’ uses or disclosure of information defined as “sensitive personal information” solely to those uses necessary to perform the services or provide the goods reasonably expected by an average consumer requesting those goods or services.
Expanded Consumer Rights
- Right to Know (and Access). Under the CPRA, for personal information collected on or after January 1, 2022, a consumer may make a request to know what personal information the business has collected about them beyond the CCPA’s current 12-month look-back period, provided that doing so does not prove “impossible” or “involve disproportionate effort.”
- Right to Deletion. Upon receipt of a verifiable consumer request to delete personal information, a business must notify its service providers, contractors, and all third parties with whom it has shared or sold the personal information to delete that information. Service providers and contractors also must pass the deletion request downstream in certain circumstances.
- Right to Non-Discrimination. The CPRA extends the CCPA’s prohibition on discrimination to include a prohibition on retaliation against an employee, applicant for employment, or independent contractor for exercising any of their consumer rights under the CPRA. The CCPA already prohibits a business from discriminating against consumers for exercising their privacy rights, including requests to access personal information, to delete information, and to opt-out of the sale of personal information.
- Rights of Minors. In an attempt to strengthen the privacy rights of minors, the CPRA triples the fines for violations involving the personal information of minors (under 16). Additionally, individuals under 16 must opt in for a business to sell “or share” their personal information. Businesses may not ask for consent to sell or share data of a minor for at least 12 months after a minor does not provide such consent. Businesses providing services to minors should assess these increased risks of fines and additional compliance obligations under the federal Children’s Online Privacy Protection Act (COPPA).
Additional Guidance to Come
As the effective date of the CPRA approaches, regulations are likely to offer greater clarity and specificity regarding many of the above-described new and revised consumer rights and resulting obligations. In fact, some of these rights specifically call for additional rulemaking related to their requirements (for example, with regard to the privacy rights for minors, the CPRA calls for rulemaking to “establish technical specifications for an opt-out preference signal that allows the consumer, or the consumer’s parent or guardian, to specify that the consumer is less than 13 years of age or at least 13 years of age and less than 16 years of age.”).
To ensure compliance when interpreting the CPRA and implementing these new and expanded rights and obligations, businesses should closely monitor subsequent rulemakings, as the CPRA calls for final regulations to be adopted by July 1, 2022. Additionally, businesses should begin a careful review of their existing privacy compliance programs now to incorporate these new and revised rights and resulting obligations as the final contours of the law are developed.
For more information, contact the authors of this post or visit our Data Privacy & Cybersecurity Practice page to find an attorney in your area. Subscribe to this blog to receive email alerts when new posts go up.