The November 2020 election left a lot of questions. Among them, companies doing business in California are now asking about compliance with yet another California data privacy law, this time the California Privacy Rights and Enforcement Act of 2020 (the “CPRA”). This article gives an overview addressing the what, when, and how of the CPRA. (We won’t hazard a guess as to the why—we leave that to the backers of the new law.)
What is the CPRA?
The CPRA builds on the California Consumer Privacy Act of 2018 (the “CCPA”) in a number of key ways. It includes: new consumer rights, new requirements for businesses, and a number of other miscellaneous changes. Some parts of the CCPA will remain in effect, and others are rephrased or clarified. We provide below a high-level overview of topics we believe businesses should be thinking about now as they look ahead to building out their CPRA compliance programs.
New Consumer Rights
First, the CPRA creates two significant new consumer rights: (1) the right to correct inaccurate personal information, and (2) the right to restrict the use of “sensitive personal information.” The right to correct is similar to the GDPR’s right to rectification, and requires that businesses take commercially reasonable steps to correct a consumer’s personal information when the consumer notifies the business that the information is inaccurate. The rights surrounding sensitive personal information not only allow a consumer to know what sensitive personal information is being collected and used by the business, but also to tell the business not to use that information except for certain narrow purposes (e.g., completing a transaction with the consumer or for security/safety purposes). The term “sensitive personal information” encompasses many different types of data, such as social security numbers, financial information, health information, precise geolocation (defined as less than a 1,850-foot radius), race, religion, and the contents of emails sent to parties other than the business.
The CPRA additionally expands consumers’ right to know the personal information a business collects about them to include what information is being shared outside the business, and to request disclosures dating back more than 12 months. Consumers also have the right to opt-out of sharing for cross-context behavioral advertising (in addition to opting-out of sales of personal information), and the CPRA contemplates that this opt-out may be achieved through automated browser signals.
New Requirements for Businesses
Next, the CPRA includes a number of new requirements for businesses. One such change is the requirements for privacy notices. Businesses must now provide at the point of collection a disclosure regarding how long the business intends to retain the consumer’s personal information (or if that is impossible to determine, the criteria the business will use to decide how long to retain it). Like other disclosures made in a privacy notice, this statement is binding on the business, and the business is prohibited from retaining the information longer than stated. Businesses are also prohibited from retaining personal information for longer than is reasonably necessary for their specific, disclosed business purposes.
The CPRA also requires written contracts with “contractors,” building on the CCPA’s requirement for written contracts with service providers. There are multiple requirements for contractors—including a written agreement prohibiting the sale or sharing of personal information and its use for purposes other than those listed in the contract. If this sounds similar to the definition of “service provider” under the CCPA, that is because it is. The intent appears to be requiring businesses to enter into a written agreement with any person or entity to which they disclose personal information, or else face compliance with the many additional requirements applicable to disclosures of personal information to third parties (any person who is not a service provider or contractor is a “third party”).
Furthermore, the CPRA sets up a process by which a business that shares a consumer’s personal information must contact the parties with which it shared the information to inform them of a consumer’s request to delete. This is similar to the rule under CCPA that applies to service providers, but is expanded to cover all recipients of personal information outside the business. Moreover, a service provider or contractor that receives notice of a request to delete from a business must contact its own service providers and contractors to notify them of the request.
Moreover, the familiar employee and B2B exemptions from the CCPA will carry on until January 1, 2023, after which these individuals will have all the rights available to consumers under the CPRA. In planning for CPRA compliance, businesses should be prepared to provide employees and business contacts with the rights discussed above—the exemption expires simultaneously with the CPRA taking effect.
In addition to the new consumer rights and new requirements for businesses, the CPRA also includes other important changes. One of the most significant enactments of the CPRA is the creation of the California Privacy Protection Agency (the “CPPA”)—the first administrative agency in the United States solely dedicated to privacy regulation and enforcement. Though the CPPA will be vested with full power to draft regulations interpreting the CPRA and to enforce CPRA compliance through administrative action, there will be a transitional period in which enforcement and development of the regulations remains within the purview of the California Attorney General. The sole-purpose agency almost certainly will result in an increase in enforcement against businesses alleged to be out of compliance with California privacy law, though CPPA’s enforcement power does not appear to extend to privacy laws other than the CPRA. The risk of enforcement is further heightened by the CPRA’s elimination of the CCPA’s 30-day right to cure; any opportunity to cure a violation rests in the discretion of the CPPA.
Finally, the CPRA raises the threshold of one of three criteria delineating which organizations must comply with California’s broadest privacy law. The CCPA’s criteria of $25 million in annual revenue or deriving 50% or more of annual revenue from selling or sharing personal information remain as is. However, a business that meets neither of those criteria will not need to comply with the CPRA unless it annually buys, sells, or shares the personal information of 100,000 or more consumers or households. This is an increase from the standard under CCPA, which applies to businesses buying, selling, or sharing personal information of 50,000 or more consumers, households, or devices.
When will the CPRA take effect?
If it seems like only yesterday that CCPA took effect, you are not wrong. In fact, as recently as Fall 2020, the California Attorney General was still tinkering with the CCPA Regulations. The CPRA does provide some time for businesses to prepare for compliance, but it certainly is a good idea to be thinking ahead. In terms of specific key dates, businesses should have the following on their calendars:
- July 1, 2021: Rulemaking Commences
- January 1, 2022: Personal Information Collected after this Date is Subject to CPRA (note that the right of access may reach back further)
- July 1, 2022: Deadline for Final Regulations
- January 1, 2023: CPRA Takes Effect; Employee and B2B Exemptions Expire
- July 1, 2023: Enforcement Begins
As we saw with the CCPA, it is likely that the regulations to be published interpreting CPRA will include further requirements that are far more detailed than the shell outline provided in the CPRA. The prudent approach to CPRA compliance may be to start thinking about compliance now, and taking steps behind the scenes to prepare to implement the CPRA’s new rights, procedures and requirements, but waiting on implementation until we have a more definitive picture of the final regulations.
How should businesses approach compliance?
When starting in on CPRA compliance, businesses should go back to their data maps to make sure they have a handle on where sensitive personal information is kept, how it is used, and how it is shared. Businesses will also need to update their privacy policies to describe the new rights available to consumers under the CPRA and to provide the new notices about data retention and the categories of sensitive personal information collected. Businesses may also need to put in place a new menu of options for California consumers (such as limiting the use of sensitive personal information and opting-out of the sharing of personal information for behavioral advertising). They also will need a mechanism for submitting and processing requests to correct personal information.
Compliance for many businesses will be a significant undertaking, but as discussed above, there is some time built in to get the work done. The overall good news for businesses is that much of the heavy lifting involved in CCPA compliance—from mapping consumer data, to establishing service provider relationships, to implementing an opt-out from sales—will remain of use for CPRA. Businesses that are in compliance with the CCPA should have a good base from which to address the CPRA, though there are many nuances to the new law that deserve special attention.