On November 3, 2020, Californians approved another significant piece of privacy rights legislation, the California Privacy Rights Act, or the CPRA. The CPRA amends and expands the already (almost) infamous CCPA (California Consumer Privacy Act), which is the privacy law that went into effect in the Golden State last year.
New Rights under CPRA
The CPRA provides for, among other things, new and expanded rights for consumers. The new rights under the CPRA include:
- Right to Correct Information. A consumer may request that a business correct his or her personal information if it is inaccurate. Covered businesses must disclose this new right to consumers and use “commercially reasonable efforts” to correct personal information upon receiving a verifiable consumer request.
- Right to Limit Sensitive Personal Information. The CPRA created a sub-category of personal information, labeled as “sensitive personal information”. The definition of sensitive personal information includes 20 different data points including for example, racial origin, religious beliefs, sexual orientation and geolocation. A consumer may limit the use and disclosure of sensitive information to that “which is necessary to perform the services or provide the goods reasonable expected by an average consumer who requests such goods and services,” subject to certain exemptions. For example, a consumer may prohibit a business from disclosing sensitive personal information to third parties, in most cases. A covered business is required to implement a process (like a clearly labeled link) to allow consumers to limit the use of sensitive personal information.
- Right to Access Information About Automated Decision Making. Consumers may request information about the logic involved in automated decision-making and a description of the likely outcome of processes.
- Right to Opt-Out of Automated Decision-Making Technology. Consumers are allowed to opt-out of the use of automated decision-making technology in connection with decisions about the consumer’s work performance, economic situation, health, personal preferences, interests, reliability, behavior, location, or movements.
Expanded and Modified Rights Under the CPRA
There are also several expanded and modified rights under the CPRA, including:
- Expanded Right to Know. For personal information collected on or after January 1, 2022, the CPRA allows a consumer to make a request to know beyond the CCPA’s normal 12-month look-back period as long as doing so is not “impossible” or does not involve a “disproportionate” effort. However, this expanded right does not require a business to keep personal information for any specific period of time.
- Expanded Right to Opt Out. The CPRA expands the existing opt-out right to include both the sale and “sharing” of personal information, which is defined as the transfer or making available of a “consumer’s personal information by the business to a third party for cross-context behavioral advertising, whether or not for monetary or other valuable consideration.”
- Modified Right to Delete. Businesses that receive a consumer deletion request are required to notify third parties who bought or received the consumer’s personal information, subject to some exceptions. Service providers and contractors also must pass the deletion request downstream in certain circumstances.
- Expanded Right to Data Portability.A consumer may request that a business transmit his or her personal information to another entity, to the extent it is technical feasible.
- Strengthened Opt-In Rights for Minors. Businesses must wait 12 months before asking a minor for consent to sell or share his or her personal information after the minor has declined to provide it.
Employee Privacy Rights under the CPRA
The CPRA specifically calls out the privacy interests of employees, noting the differences in the relationships between employer and employee versus business and consumer. (CPRA, Sec. 8, Purpose and Intent). Like the CCPA, the full scope of rights afforded to consumers under the CPRA is not extended to applicants, employees, and independent contractors, and the CPRA keeps it that way until January 1, 2023, unless the CPRA is further amended. However, employees, applicants, and independent contractors do have the following rights (and employers should be putting processes in place to address these if they do not already have per the CCPA): 1) the right to receive notice at collection; and 2) the right to sue if their sensitive personal information is breached as a result of their employer not having reasonable safeguard in place.
Companies should continue to monitor CCPA/CPRA developments, and ensure their privacy programs and procedures remain aligned with current compliance requirements. And in case you missed it, here are the first two installments of our CPRA series: