On November 3, California voters passed Proposition 24, the California Privacy Rights Act (CPRA). This new privacy law, which substantially amends the California Consumer Privacy Act (CCPA), will come into effect on January 1, 2023, and enforcement will begin July 1, 2023.
While the 2+ year period to come into compliance may provide some comfort, experience with Europe’s General Data Protection Regulation (GDPR), CCPA, and many other privacy laws has taught us that this is not a lot of time, and that compliance work must start quickly. Further, given that some aspects of CPRA arguably clarify and alter the meaning of certain CCPA provisions, it is conceivable that CPRA could affect the California Attorney General’s interpretation and enforcement priorities under those existing CCPA requirements. Thus, CPRA is likely to have more immediate effects over the coming months.
CPRA is, at best, a mixed bag. The fact that it was opposed by a wide range of critics, from privacy advocates to academics to industry coalitions, is telling. It is long, complex, and poorly drafted. While it clarifies some aspects of CCPA, it adds new ambiguous provisions that will cause more confusion and uncertainty. It changes (mostly by expanding) the consumer rights in CCPA, and it imposes a wide range of new compliance obligations on companies.
CPRA also establishes and funds a new agency, the California Privacy Protection Agency, with rulemaking, auditing, investigation, and enforcement authority. The creation of this well-funded enforcement agency is likely to increase enforcement activity and, therefore, amplify the risk of even minor or inadvertent violations.
As with the CCPA, many aspects of the CPRA are subject to further rulemaking – initially by the California Attorney General, but rulemaking authority will be handed over to the new California Privacy Protection Agency on or after July 1, 2021. This reliance on implementing regulations defers any hope of clarification and opens up the possibility that additional new requirements will be imposed. On top of all that, the CCPA restricts the California legislature’s ability to amend the law to fix its many flaws and ambiguities.
While the substantive compliance challenges of CPRA are many, these are exacerbated by the timing of this measure. It comes on the heels of companies making enormous investments in CCPA compliance. And it substantially changes the CCPA when that law has been in effect for only a few months and there has not yet been enforcement, judicial interpretations, or time to fully understand its impact. Thus, CCPA compliance is still a moving target. The passage of CPRA guarantees that the privacy compliance challenges will continue to be a moving target for years to come.
Below is a summary of what we know now about key new requirements under CPRA.
New, Expanded, or Changed Consumer Rights
CPRA dramatically changes the consumer rights that exist under CCPA.
Right to opt-out of data “sale” or “sharing”
CPRA expands the “Do-Not-Sell” requirements of CCPA. It adds the concept of “share” in addition to “sale” and “disclosure for a business purpose.” Under CPRA, “sharing” is disclosing to a third party for cross-context behavioral advertising where no money is exchanged. Arguably, this type of data sharing would have already been considered a “sale” under CCPA, but this addition makes that clear.
Further, the “do not sell my personal information” choice in CCPA will become a “do not sell or share my personal information” choice under CPRA. Given that the existing CCPA definition of “sell” is much broader than the ordinary meaning of that term, and the new CPRA definition of “share” is much narrower than the ordinary meaning of that term, it will be important for companies to give consumers guidance about what this “do not sell or share” choice will actually do (i.e., that it will not stop all data sharing).
Right to opt-out from secondary use of “sensitive information”
CPRA adds a new definition and requirements for “sensitive personal information.” Sensitive personal information includes: government-issued IDs, login information, financial information with credentials, contents of communications, genetic data, biometric info used for identification, and info about race, ethnicity, religion, philosophical beliefs, union membership, health, and sex life or orientation.
Such information will be subject to new transparency requirements and consumer choices. Notably, consumers will have the right to opt-out of secondary uses or disclosures of sensitive information (i.e., uses other than those that are specifically allowed by statute or regulation). If a company uses or discloses sensitive information for secondary purposes, this new consumer choice will require a “Limit the use of my sensitive personal information” link on the homepage of company websites.
Note that between the “Do not sell or share my personal information” link and this new “Limit the use of my sensitive personal information” link, that is a lot of words to add to a company homepage. CPRA does provide some alternatives, however. First, the “do not sell or share my personal info” and “limit the use of my sensitive personal info” links can be combined into one (very long) link. More significantly, a business does not need to provide the link(s) if it honors automated DNT-like signals sent from browsers or other user agents for these opt-out choices. Because the AG regulations under CCPA already require companies to respect such signals, this provision may allow companies to remove existing “do not sell” links they have already implemented under CCPA.
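The passage above turns on a business honoring a browser-sent opt-out signal. The following is an added example, not code from the original article, of how a web backend can read such a signal from an incoming request and fold it into the consumer's recorded opt-out state. It assumes the signal in question is the Global Privacy Control header (`Sec-GPC: 1`), since the article itself only says "DNT-like signals"; the header name and the shape of the `consentRecord` object are assumptions for illustration.

```javascript
// Added example (not part of the original article): honoring a browser-sent
// "do not sell or share" signal on the server side.
// Assumption: the signal is Global Privacy Control, sent as "Sec-GPC: 1".

const OPT_OUT_SIGNALS = {
  // Per the GPC proposal, only the exact value "1" expresses an opt-out;
  // any other value (or absence of the header) is not an opt-out.
  'sec-gpc': (value) => value.trim() === '1',
};

// Take a request's headers (any name casing, string or string[] values) and
// report which recognised opt-out signals are set.
function parseOptOutSignals(rawHeaders) {
  // HTTP header names are case-insensitive, so normalise before lookup.
  const headers = {};
  for (const [name, value] of Object.entries(rawHeaders)) {
    headers[name.toLowerCase()] = Array.isArray(value) ? value.join(',') : String(value);
  }
  const honored = [];
  for (const [name, isOptOut] of Object.entries(OPT_OUT_SIGNALS)) {
    if (name in headers && isOptOut(headers[name])) honored.push(name);
  }
  return { optOutOfSaleOrSharing: honored.length > 0, signals: honored };
}

// Merge the signal into the consumer's stored choice. The signal can only
// move the record toward opt-out; it never re-enables selling or sharing,
// and the source is recorded so the decision can be audited later.
function applyOptOutSignals(rawHeaders, consentRecord) {
  const { optOutOfSaleOrSharing, signals } = parseOptOutSignals(rawHeaders);
  const updated = { ...consentRecord };
  if (optOutOfSaleOrSharing) {
    updated.doNotSellOrShare = true;
    updated.source = signals.join('+');
    updated.updatedAt = new Date().toISOString();
  }
  return updated;
}

// Usage with a constructed request: a GPC-enabled browser hitting the site.
const sampleHeaders = { 'Sec-GPC': '1', 'User-Agent': 'constructed-sample/1.0' };
const startingRecord = { doNotSellOrShare: false, source: 'none' };
console.log(applyOptOutSignals(sampleHeaders, startingRecord));
```

The design point is that the signal is applied before any code path that would disclose data to an advertising partner runs, and that the resulting record carries its provenance: if the business relies on honoring the signal instead of displaying the opt-out links, it needs evidence that the signal was actually respected for each consumer.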
Right to delete
The consumer right to request deletion of personal data is expanded. In particular, some of the exceptions to the right to delete that exist under the CCPA are narrowed.
Further, under CPRA, when a consumer makes a deletion request, the company must do more than just delete the data (unless an exception applies). The company must require any service providers or contractors that hold relevant data to also delete it and notify all other third parties with which the data was shared to delete the data (unless that proves to be impossible or involves a disproportionate effort). Particularly with respect to third parties that are not service providers or contractors, this provision raises many difficult questions and challenges.
Right of correction
Consumers have a new right to request a company correct any personal data that is inaccurate or incomplete.
Automated decision-making and profiling
Consumers have a new GDPR-like right regarding automated decision-making and profiling. CPRA directs that the AG will develop regulations requiring transparency and opt-out rights for certain automated decision-making and profiling. However, at this point, it is unclear what those regulations will require.
Right of non-discrimination
CPRA adds a new exception to a consumer’s right to not be discriminated against for exercising their rights under the Act. In particular, CPRA adds that this right of non-discrimination does not prohibit a business from offering loyalty or rewards programs. Presumably, this means that if such a program depends on retaining certain data or sharing certain data with partners, a consumer who requests to delete data or who requests to opt-out from selling or sharing data may be denied the benefits associated with that program. However, the interpretation of the AG may differ, so companies that offer such programs will need to watch for further guidance.
Data Minimization and Security
CPRA adds new substantive requirements regarding data collection, retention, and protection. Many of them appear to be based on the EU GDPR. New requirements include:
Collection and purpose limitation
Data collection and use must be reasonably necessary and proportionate, and personal data may not be processed in a manner that is incompatible with the disclosed purposes.
Personal data may not be kept longer than is reasonably necessary for the disclosed purpose. Companies must be transparent about data retention (e.g., the duration or criteria for determining the retention periods must be disclosed in the privacy notice).
Companies must adopt reasonable security measures to protect personal data. Notably, under CPRA, the scope of data that could trigger a private right of action for a data breach is expanded to include email/password combinations.
Privacy Risk Assessments
For data processing that creates a significant risk, companies must conduct annual cybersecurity audits and document risk assessments. These risk assessments must be submitted to the newly established California Privacy Protection Agency.
Requiring that these be submitted to a government agency will obviously affect how companies create and draft these assessments, with the result being quite different from an internal risk assessment that a company might perform. This will likely lead companies to take a two-phase approach: first conducting an internal risk assessment, ideally under attorney-client privilege, and only then producing a more polished document for submission to the government (and, if possible, only after any significant issues identified in the internal assessment have been adequately addressed).