This is the fourth installment in our series on the California Privacy Rights Act, which takes effect January 1, 2023.
As we have previously highlighted, the California Privacy Rights Act (CPRA) has created several new consumer rights that will require businesses to change existing California Consumer Privacy Act (CCPA) compliance programs. While various existing consumer CCPA rights will continue, such as access and deletion rights, those rights have been modified. The CPRA will also include new consumer rights to opt-out of the “sharing” of their personal information (PI) and limit the use and disclosure of sensitive PI, as well as a new right of correction. This installment of our practical series on the CPRA lays out key considerations for adapting CCPA consumer rights processes to align with the CPRA.
New Right to Correction
The CPRA gives consumers a new right to correct inaccurate PI maintained by businesses. Businesses will need to disclose the new right to consumers, provide a means to request a correction, and use “commercially reasonable efforts” to make corrections. These obligations also flow down to service providers and contractors, who must “correct inaccurate information” or “enable the business to do the same.”
CCPA-compliant businesses will need to implement new compliance procedures and consider the technical or operational changes necessary to process correction requests. For example, businesses will need procedures to resolve discrepancies between a requested correction and information the business receives from other sources. Businesses can look for inspiration to other U.S. laws that give consumers the ability to contest the accuracy of information, such as the Fair Credit Reporting Act (FCRA). Businesses will also need to consider how to handle correction requests for archived data and human resources records.
New Right to Opt-Out of the Use and Disclosure of Sensitive PI
The CPRA introduces a new right for consumers to limit the use of their sensitive PI. What constitutes sensitive PI is drawn from the definition of PI under California’s data breach notification law (e.g., Social Security numbers, various government IDs, and financial account information), European Union conceptions of sensitive categories of PI (e.g., racial or ethnic origin, religious beliefs, philosophical beliefs, union membership, biometric information when used as an identifier, sex life, and sexual orientation), and other categories of PI not generally seen to date other than in some more narrowly drawn or topic-specific privacy laws (e.g., precise geolocation, and the contents of communications unless the business is the intended recipient).
The CPRA provides that a consumer may direct a business to limit the use of the consumer’s sensitive personal information to a limited set of purposes expressly prescribed by the CPRA or implementing regulations. While some exceptions apply, businesses that will use sensitive PI for purposes other than as authorized by the CPRA are going to have to provide a “Limit the Use of My Sensitive Personal Information” link, a similar link combined with a sale opt-out link, or honor a relevant opt-out technology signal. We expect regulations to be issued that will elaborate on the requirements. Please see our prior blog post in this series on the CPRA and sensitive personal information for more details on CPRA consumer rights relating to sensitive PI.
New Right to Opt-Out of the Sharing of Personal Information
The CPRA includes opt-out rights for both the sale and “sharing” of PI. Some found it unclear whether the CCPA’s broad definition of sale, which covered monetary and “other valuable consideration,” included ad targeting across multiple businesses, websites, applications, and services. While the broad definition of “sale” remains largely unchanged under the CPRA, the addition of “sharing” directly addresses this potential ambiguity. “Sharing” is defined as disclosing or making available PI to third parties for “cross-context behavioral advertising,” regardless of whether money is exchanged. The CPRA also excludes cross-context behavioral advertising from the business purposes for which a business may provide PI to a service provider or a contractor. A “contractor” is a new classification for entities to whom a business makes PI available for a business purpose pursuant to a contract, but which are not “service providers” because they are not limited to processing PI only on behalf of the business.
Businesses that may have previously determined that they were not “selling” PI under the CCPA will need to implement technical measures and renegotiate existing agreements to accommodate the opt-out if their data transfers fall under the CPRA’s new definition of sharing. Businesses that have already implemented compliance measures for the right to opt-out of sales under the CCPA should also update their notices to address the new sharing opt-out and re-evaluate which additional data transfers will be affected.
Expanded Access Right
The CPRA expands the CCPA’s right to access by removing the existing 12-month lookback period. This means that consumers will be able to request access to their PI, including the specific pieces of PI that the business collected before the preceding 12 months. In other words, the baseline requirement is that businesses provide consumers with access to all of the PI they possess, subject to the obligation being limited to personal information collected on or after January 1, 2022. Moreover, despite the access right’s expanded timeframe, businesses will not be required to provide information related to the earlier time period if doing so would “prove impossible” or involve a “disproportionate effort.” The expanded access right does not require businesses to keep PI for any specific period of time. Businesses should monitor any implementing regulations under the CPRA, as some PI was exempted from the access right under the CCPA regulations.
Modified Right to Deletion
The CPRA modifies the CCPA’s right to deletion by extending the obligation to delete information to service providers, contractors, and—importantly—third parties. Under the CCPA, businesses’ obligation with respect to downstream parties was limited to directing service providers to honor a consumer’s deletion requests. Under the CPRA, businesses must notify service providers and contractors—who are required to cooperate with the business as well as inform their own service providers and contractors—of the consumer’s request to delete. In addition, businesses must notify third parties to whom the PI was sold or shared unless doing so would prove impossible or involve a disproportionate effort. In practice, businesses may wish to consider what contractual assurances are necessary to properly flow down deletion requests. In addition, businesses might consider whether the flow-down of deletion requests can be automated to reduce the burden of manually notifying downstream participants of deletion requests.
The CPRA also reframes businesses’ bases for denying deletion requests. Businesses will be able to deny a request if the personal information is “reasonably necessary” for certain processing activities, giving businesses more flexibility than under the CCPA’s “necessary” standard.
Requirements for Submitting and Handling Requests Remain Unchanged
The CPRA largely incorporates the same methods for submitting and processing rights requests outlined in the California Attorney General’s CCPA implementing regulations. For example, covered businesses that operate exclusively online and have a direct relationship with a consumer only need to provide an email address for submitting rights requests. Also, as under the CCPA, businesses will have 45 calendar days after receiving a consumer request, with the opportunity for an additional 45-day extension, to determine whether it is a verifiable consumer request and to respond. Stay tuned for one of our upcoming installments in our CPRA countdown series for information on how the CPRA will require updating public-facing notices and opt-out links.
Although the new rights and changes to existing rights will not enter into force until January 1, 2023, businesses will need to ensure that their consumer rights procedures and processes are aligned with the CPRA’s new requirements and that the necessary technical and operational changes are in place by the effective date. In addition, businesses should consider that requirements for complying with CCPA rights were substantially outlined through the California Attorney General’s regulations rather than the statute itself. Under the CPRA, the Attorney General, or the new California Privacy Protection Agency (CPPA) once it is prepared to begin rulemaking, enjoys similar authority to create new rules for CPRA consumer rights. Businesses can start to further assess the types of PI they handle and how they use and share it (including with service providers, contractors, and third parties) and the type of processes and policies they may need to effectuate the new and modified CPRA rights. However, businesses should also continue to monitor CPRA developments and should expect that the Attorney General or CPPA will issue additional operational obligations for complying with these consumer rights under the CPRA’s rulemaking authority.
To read the previous installment in our CPRA series on the new compliance obligations and challenges around “sensitive personal information,” click here.
To read our previously-published summary of the CPRA’s key provisions, click here.
For additional context we provided in June 2020 at the time the CPRA was certified to appear on the November 2020 ballot, click here.