The California Consumer Privacy Act (CCPA) created groundbreaking new rules for how businesses must handle California consumers’ personal data and spurred proposals for similar legislation across the country. Among the rights the CCPA granted to consumers, which took effect Jan. 1, 2020, were (1) the right to notice before a business collects their personal data, (2) the right to know what has been collected, sold or disclosed, (3) the right to opt out of such sale, (4) the right to request deletion, and (5) the right to nondiscrimination for exercising these rights.
Less than one year later, on Nov. 3, 2020, California voters approved Proposition 24, which passed an amendment to the CCPA dubbed the California Privacy Rights Act of 2020 (CPRA) (full text available here). Proponents of the CPRA argue that it is intended to protect Californians’ privacy rights from legislative amendments and close loopholes that were being exploited by data companies.
Notable Changes to Existing Law
Notable changes implemented by the CPRA include:
- Restrictions on Information Sharing. Under the CCPA, some businesses sought to avoid complying with the existing law because they do not “sell” consumer data to third parties for valuable consideration under the strictest interpretation of the word. The CPRA now gives consumers the right to direct businesses not to sell or share their personal information. Businesses that sell or share personal information must update their opt-out links accordingly. The term “share” is qualified, however, and applies only to “cross-context behavioral advertising” between third parties.
- Scope of Protected Information. Although the definition of “personal information” under the existing law is expansive, the CPRA creates a new sub-category of “Sensitive Personal Information” that includes government identifiers, account and login information, precise geolocation data, racial or ethnic origin, religious or philosophical beliefs, union membership, contents of mail, email, and text messages, genetic data, sexual orientation, and health or biometric information. Sensitive Personal Information is subject to greater protection under the CPRA, with more restrictions on how businesses can collect, process and share it. Consumers may also demand that a business limit how it uses their Sensitive Personal Information internally, regardless of whether the business shares it with third parties.
- Scope of Businesses Covered. The CPRA retains enforcement over businesses that derive more than 50% of their annual revenue from sharing the personal information of California consumers. But it exempts some small businesses from enforcement under the existing law by raising the threshold for determining covered businesses: from those who buy, sell or share personal information linked to more than 50,000 consumer devices (phones, laptops, etc.) to those who buy, sell or share personal information linked to more than 100,000 consumers or households (devices no longer count).
- Error Correction. Under the CPRA, consumers now have the right to correct inaccurate personal information, in addition to the existing right under the CCPA to have that information deleted, with limited exceptions. Businesses must use “commercially reasonable efforts” to correct any inaccurate personal information identified by the consumer in its records.
- Retention and Reporting Periods. The CPRA adds a new requirement that consumers be notified of the length of time a business intends to retain each category of personal information, and that it may not be held “for longer than is reasonably necessary for that disclosed purpose.” The CPRA also expands the time period for a business to report what types of information it has previously collected about consumers, from the types of information it collected in the previous 12 months (required under the existing law) to all types of information it collected after Jan. 1, 2022, indefinitely.
- Use of Artificial Intelligence and Machine Learning. The CPRA directs the attorney general to issue regulations governing a consumer’s right to access, and opt out of, the use of automated decision-making while processing their information. The effect of this provision will remain unclear until the regulations issue, but it may impact how businesses use artificial intelligence or machine learning (collectively, AI) to profile consumers. Similar restrictions have been placed on the use of AI under the European Union’s General Data Protection Regulation (GDPR), and California regulators may look to GDPR regulators for guidance.
- Dedicated Enforcement Agency. The CPRA created a California Privacy Protection Agency (Agency) charged with administering, implementing and enforcing the legislation. The Agency is charged with developing and adopting rules to implement the CPRA, informing consumers of their rights, and guiding businesses on their responsibilities. This change broadens enforcement, as the attorney general’s office admitted it could only prosecute a few cases per year under the existing law.
- Stronger Protections for Minors. The CPRA also triples the fines for violations involving minors under the age of 16, and requires that minors under 16 affirmatively “opt in” before a business can sell or share their personal data.
- Loyalty Programs. Businesses cannot discriminate against consumers for exercising their privacy rights under existing law or the CPRA, but may offer differential pricing for digital services if the pricing is “reasonably related to the value provided to the business by the consumer’s data.” The CPRA clarified that this anti-discrimination provision “does not prohibit a business from offering loyalty, rewards, premium features, discounts, or club card programs.” Detractors claim this clarification harms lower-income individuals and threatens to make privacy a luxury available only to privileged consumers.
Businesses Should Prepare for New Compliance Deadlines
With the creation of the Agency, which is funded in part by the fines it collects, businesses should expect greater scrutiny of their compliance with California’s privacy laws. Although the CPRA does not take full effect until Jan. 1, 2023, the existing law under the CCPA will be enforced until then.
Companies should be mindful of the timeline of important dates for the CPRA: