So, You're CCPA-Compliant…But Are You Ready For CPRA?
The California Consumer Privacy Act (CCPA) went into effect on January 1, 2020. While many entities that do business in California have worked tirelessly to achieve compliance with CCPA, California voters approved Proposition 24 in November of 2020, which has solidified the California Privacy Rights Act (CPRA) as CCPA’s replacement (effective January 1, 2023). Despite the change in name, CPRA is not a revolution; instead, CPRA iterates upon the foundation of CCPA to further refine California privacy law, more closely emulate the European Union’s General Data Protection Regulation (GDPR), and grant greater data protections to consumers.
However, the passage of Proposition 24 does bring one sweeping change to California data privacy law: permanence. CPRA’s text states that any amendment or change to the law must be “consistent with and further the purpose and intent of this Act.” Consequently, any amendment to CPRA must not undermine or weaken consumer data protections in any way. This means that CPRA is here to stay, and California data protections will likely only become stronger over the coming years.
Keep this in mind as we highlight some of the key new features of CPRA and what updates should be made to an existing CCPA response plan in order to comply with these new features.
KEY CHANGES AND UPDATES FROM CPRA
- Sensitive Personal Information. CPRA creates a new category of personal information (PI), referred to as Sensitive Personal Information. The types of data that comprise this new category include government identifiers; financial account and login information; precise geolocation; race, ethnicity, religious or philosophical beliefs, or union membership; content of nonpublic communications; genetic data; biometric or health information; and sex life or sexual orientation information. Any data that falls under these categories will be subject to heightened protections. The inclusion of sensitive PI brings California data privacy law closer in function to the EU’s GDPR.
- Necessary Updates to Your CCPA Plan: Privacy policies must be revised to ensure businesses are making proper disclosures with respect to the collection, use, and sharing of any sensitive PI. Consumers must be given the option to opt-out of usage of their sensitive PI and businesses must obtain opt-in consent for disclosure of such sensitive PI.
- Consumer Rights. California residents are granted new rights under CPRA. These new rights include a right to correction, a right to opt-out of automated decision-making technology, a right to access information about automated decision-making, and a right to restrict usage of sensitive PI (noted above). Additionally, CPRA modifies some rights that were previously recognized under California law. The previously established right to delete now extends to third parties, as any covered business that receives a request for deletion must pass on the request to any third parties that bought or have access to the data. In addition, the right to opt-out now permits consumers to opt-out of the sharing of their data, in addition to the previously recognized right to opt-out of the sale of their data. Consumers’ right to data portability has been modified as well, as consumers may now request that businesses transfer their data to another entity.
- Necessary Updates to Your CCPA Plan: Privacy policies and consumer request procedures should be updated to add the new consumer rights and to update procedures with respect to the modified rights. Businesses should perform necessary training to ensure employees understand the new and modified rights and what procedures should be followed with respect to each consumer request.
- Advertising Regulation. CPRA distinguishes between two types of advertising: “cross-context behavioral advertising” and “non-personalized advertising.” This is consequential because the sharing of PI for cross-context behavioral advertising is subject to the consumer’s right to opt-out, whereas the use of PI for non-personalized advertising is generally not. This means that consumers can opt-out of receiving personalized, PI-driven advertising efforts, but they cannot opt-out of general, non-personalized advertisement efforts.
- Necessary Updates to Your CCPA Plan: Businesses need to ensure that proper marketing opt-out lists are maintained to ensure compliance with CPRA and that the business’s marketing teams are aware of the requirements. Proper training should be implemented within the organization to ensure an organization-wide understanding of the restrictions applicable to marketing materials delivered to California residents.
- Other GDPR-Esque Principles. Generally, CPRA attempts to align California law more closely with the EU’s GDPR. This is most evident in the areas of purpose limitation, data minimization, and storage limitation. Purpose limitation principles under CPRA mandate that a business must not collect or use PI for a purpose that is incompatible with the business’s previously disclosed purposes. Under CPRA’s data minimization requirements, businesses must minimize the collection, use, retention, and sharing of PI to what is reasonably necessary and proportionate to achieve compatible, disclosed purposes. The storage limitations under CPRA require the disclosure of the retention periods for each category of PI. Additionally, businesses are barred from retaining PI for longer than reasonably necessary for the disclosed purpose.
- Service Providers and Contractors. CPRA modifies CCPA’s definition of service providers while also adding a new category: contractors. Contractors are entities “whom the business makes available a consumer’s personal information for a business purpose pursuant to a written contract.” A service provider is defined similarly, with the primary difference being that a service provider receives personal information from or on behalf of the business instead of the information being made available to it. This distinction is of little consequence, however, as the requirements imposed upon service providers and contractors are largely the same. The new mandates that CPRA places upon these entities are to notify businesses of any engagement with subcontractors or other service providers and bind them to the same contractual obligations as between the original business and service provider or contractor, to assist businesses with consumers seeking to exercise their privacy rights, and to generally refrain from combining any PI received from the business with PI from other sources.
- Necessary Updates to Your CCPA Plan: Whether a business serves the role of “business”, “service provider”, or “contractor” under the CPRA, every business should evaluate its relationships where California resident information is either received from the counterparty or shared with the counterparty and determine whether the necessary contractual provisions are in place to protect the business from additional liability under the CPRA.
The California Privacy Protection Agency
Under CCPA, the enforcement of the law fell upon the shoulders of the Office of the California Attorney General. With the passage of Proposition 24, a new enforcement agency is to be created: the California Privacy Protection Agency (CPPA). The CPPA has been granted investigative, enforcement, and rulemaking powers and will wholly adopt the role of enforcement of California data privacy and security laws. Businesses may be compelled to submit mandatory risk assessments and cybersecurity audits for high-risk activities on a “regular basis”. It is unclear what this will look like in practice. Additionally, since CCPA’s enforcement began, businesses have been granted a 30-day cure period after being notified by the California Attorney General of a violation. CPRA has eliminated this 30-day cure period, making enforcement much stricter.
Timelines and Exemptions
The two most important dates to remember are January 1, 2023 and July 1, 2023. The first day of 2023 will mark the date that CPRA goes into effect, while the first day of July 2023 is when the law will become fully enforceable by the CPPA. However, there are several other important dates to remember when navigating this new legislation. Critically, CPRA’s “right to know” incorporates a 12-month lookback period that commences on January 1, 2022. This means that any data collection practices from January 1, 2022 onward will become eligible for all CPRA consumer requests, despite the law not going into effect until one year later. Thus, businesses must keep diligent records regarding the consumer PI they hold beginning the first day of 2022.
CCPA introduced several exemptions, with the most notable being the employee and business-to-business (B2B) exemptions. The employment exemption exclusively applies to personal information that is collected about job applicants, employees, owners, directors, officers, medical staff members, and contractors within the context of the individual’s role in the business, for the individual’s emergency contact information, or to help administer the person’s benefits. The B2B exemption applies to personal information that reflects a communication or transaction between the business and a person acting as an employee, owner, director, officer, or contractor of a company, partnership, sole proprietorship, nonprofit, or government agency. Personal information that falls under these categories is generally exempt from CCPA and CPRA. Currently, these exemptions are set to expire on January 1, 2023, with hopes that a separate bill will be adopted to address them before then. Due to the requirement that any amendment or change to the law must further the objectives of CPRA, an extension of the exemptions may not be feasible.
Finally, CCPA, while soon to be replaced, is still fully in effect and enforceable. If you are subject to CCPA, remain in compliance with CCPA while preparing for CPRA.
Need assistance updating your CCPA plan or navigating through the requirements of CCPA or CPRA? Reach out to the McGrath North Privacy and Cybersecurity team, which has the experience and knowledge to guide you through these complex and burdensome rules in an efficient and tailor-made manner.