Privacy Protection Patchwork, Part V: How the California Privacy Rights Act Could Impact Your Business
The number of states enacting comprehensive privacy laws is growing, adding to the existing complex patchwork of privacy, security, and data breach notification laws that keep legal and compliance personnel on their toes. Businesses should start preparing to comply with these laws, many of which become effective in 2023.
This five-part series highlights key provisions in several of the new comprehensive privacy laws. Over the past few weeks, we have examined the laws of Virginia, Colorado, Utah, and Connecticut and recommended steps businesses should consider taking now to comply. This post, the fifth in our series, explores how the California Privacy Rights Act (CPRA) could impact your business.
This is the final installment in our series… for now. We anticipate that this series will continue to grow as states enact or revise consumer privacy laws. Stay tuned.
The California Privacy Rights Act
California passed the United States’ first comprehensive state-level consumer privacy law in 2018 with the California Consumer Privacy Act (CCPA), which entered into force January 1, 2020. In November 2020, California voters passed the California Privacy Rights Act (CPRA) to amend and expand upon the CCPA.
One of the most significant features of the CPRA is the creation of the California Privacy Protection Agency (CPPA) to enforce the law. On May 27, 2022, the CPPA issued draft proposed regulations, which are currently open for public comment and are expected to be finalized this fall. Although select sections of the CPRA are already operative, most CPRA provisions become operative January 1, 2023, and apply to personal information collected on or after January 1, 2022.
1. Applicability Threshold
The CPRA modifies the CCPA’s applicability thresholds. The CPRA applies to for-profit legal entities doing business in California that collect consumers’ “personal information” and meet one or more of the following:
- Annual gross revenues of more than $25 million in the preceding calendar year;
- Annually buys, sells, or shares “personal information of 100,000 or more consumers or households”; or
- Derives 50% or more of its annual revenue from selling or sharing consumers’ personal information.
The CCPA and CPRA are generally not applicable to nonprofit organizations or government entities.
2. Summary of Consumer Rights
The CPRA both expands rights granted under the CCPA and extends new rights to California consumers. New rights include:
- The right to correct inaccurate personal information held by an entity; and
- The right to limit certain uses and disclosures of sensitive personal information.
CCPA rights extended or expanded under the CPRA include:
- The right to opt out of “selling” now also extended to “sharing” of personal information; and
- The right to delete data held by a business, its service providers, contractors, and third parties.
Although the CCPA previously granted consumers the right to opt out of the sale of their personal information, the CPRA provides needed clarity through its updated language, inclusion of the right to opt out of “sharing,” and related definitions. The CPRA defines “sharing” as the practice of providing information for the purposes of “cross-context behavioral advertising.”
Another critical change brought by the CPRA is the expansion of rights to employees. The prior exemption of employee data in the CCPA is set to expire January 1, 2023.
3. Data Use and Retention
The CPRA adds “sensitive personal information” as a subset of “personal information” and restricts how this new category of data may be processed. Entities should carefully inventory the categories of sensitive personal information they collect and the purposes for which that information is collected or used. The draft regulations describe a mechanism by which entities processing sensitive personal information may be required to let consumers limit its use and disclosure, although the specifics of that mechanism could change during the revision process. Entities should prepare to honor consumer requests to limit the use or disclosure of sensitive personal information, but should keep the mechanism flexible until the regulations are finalized.
4. Contracts and Privacy Notices
A critical component of CPRA compliance will be assessing and updating contracts. The CPRA adds “contractor” as a third category of recipient, alongside service providers and third parties, to account for when drafting contracts. The CPRA requires an entity disclosing personal information to a recipient to include certain provisions in the agreement governing the disclosure. If the contract does not contain the required provisions, the recipient will not qualify as a service provider or contractor under the law, and the disclosure may be treated as a “sale.” These provisions include but are not limited to:
- A prohibition on the sale or sharing of personal information received from or on behalf of the business.
- Identification of the permitted purposes for processing, including the specific business purpose and service for which the service provider or contractor is processing the personal data.
- A prohibition on retaining, using, or disclosing the personal data received from or on behalf of the business for any purpose other than those specified in the contract or otherwise permitted by CCPA and/or CPRA regulations.
Certain CPRA requirements will also necessitate updates to privacy policies. Entities should carefully review their privacy policies and revise them to describe the new rights granted to California consumers, including the right to limit certain uses and disclosures of sensitive personal information. The CPRA also requires privacy policies to identify the categories of sensitive personal information collected and the purposes for which that information will be used. Entities should update their retention policies and revise notices at the point of collection to state how long the entity will retain each category of personal information it collects and uses.
5. State Enforcement
The CPRA established the CPPA, governed by a five-member board, to implement and enforce the law. Its authority includes rulemaking, administrative investigation, and enforcement. The CPPA can impose administrative fines of up to $2,500 per violation, or up to $7,500 per intentional violation or per violation involving the personal information of consumers the business knows are under 16. Importantly, the California Attorney General also retains authority to enforce the law.
The CPPA’s rulemaking activities are underway.
Businesses that will be subject to the CPRA should review their privacy programs now to confirm that they meet or exceed the new requirements. Critically, they should update vendor contracts to address the new contracting requirements and review privacy notices to incorporate all necessary disclosures. They should also have policies and procedures in place to receive consumer requests regarding personal information, and should consider conducting an inventory of personal and sensitive personal information so that consumer requests can be processed within the statutory time periods.
For more information about the CPRA, or for assistance with your privacy compliance program, please contact the authors of this post or the Compliance Advisory team at PrivacyCompliance@lewisbrisbois.com. You can also subscribe to this blog to receive email alerts when new posts are published. All installments in this series are available on this blog.