CPRA: Get Ready, It Passed! Part 1: What Do I Need to Know Now?
By Justine Young Gottshall and Antonia Dumas
It passed! The California Privacy Rights Act (CPRA) was passed on November 3, 2020, through a ballot initiative (Proposition 24), with a slim majority voting in favor (56.1% in favor over 43.9% against). The CPRA once again changes the landscape of data privacy in California. Once it is fully in effect, it will replace the CCPA. And although the CPRA will not be enforceable until July 1, 2023, obligations are triggered as of January 1, 2022 (under the 12 month look-back period). For the time being, businesses are required to remain compliant with the CCPA and, in the coming months and years, will need to determine how they will navigate the shift from CCPA to CPRA compliance.
While most companies are still working to fully implement the CCPA, and the Attorney General Regulations continue to be amended, we now have a new statute that will add additional compliance obligations. The key question for many companies is going to be: if I am CCPA compliant, what changes? Although much of the CPRA will need to be interpreted alongside implementing regulations that will be issued by the new California Privacy Protective Agency, there is much we do already know and companies can and should start preparing - and budgeting - for the additional compliance obligations.
CPRA - Key Updates to CCPA
The CPRA substantially changes privacy law in CA, adding significantly more to the protections and obligations of the CCPA:
Consumer Rights: Expanded rights for consumer protection, including fuller access rights, rights to correction, and expanding opt-out choices
Sensitive Personal Information: A new category of PI to manage
New Business Obligations: Changes to operations triggered by new requirements, which include minimizing data collection, limiting data use, deleting data, and additional disclosures to consumers
New Enforcement Body: Increased risk/liability for non-compliance
Changes to Applicability (Threshold) Requirements: If you didn’t have to comply with CCPA, the CPRA may not apply to your business (but it depends) – and additional obligations are now put on companies that control the collection of PI (not just those who do the collecting)
We provide insight into these key considerations below.
1. Consumer Rights: Expanded Rights for Consumer Protection
The CPRA both establishes new consumer rights and changes aspects of the existing consumer rights under the CCPA. Businesses need to prepare and adjust existing processes and procedures to ensure they have the capability to adequately respond to and implement consumer requests, including those that will require additional technical and/or administrative resources (e.g., restricting/limiting the collection/use of Sensitive PI at the direction of the individual, providing information regarding PI (and Sensitive PI you collect), correcting inaccurate information throughout your systems (in addition to deleting PI upon request), identifying and opting individuals out of automated data processing activities/systems, etc.). Further, businesses will need to implement required changes in data processing and sharing (both internally and with third parties).
Changes to existing rights:
| Current Right to Know/Access | CPRA: There is no 12-month limit on the look-back period, meaning a consumer will have a right to see all the PI held by the business – which may require it to provide more information upon request. |
| Current Right to Know PI That is Sold | CPRA: Now the right is much broader – it includes the right to know all PI that is shared (not just sold) |
| Current Right to Opt-Out | CPRA: Also much broader – consumers now have right to opt-out of sale or sharing of PI. |
New rights to prepare for:
| Right to correct inaccurate information | This requires the business to know where its data is located in order to implement requested changes to PI and further ensure that data is accurate throughout all systems. |
| Right to access information about automated decision making (for example, in employment recruiting) | This requires a business to understand its automated processing activities and be in a position to disclose such information. For example, profiling is a type of automated processing of PI used “to evaluate certain personal aspects relating to a natural person…” This includes using PI to analyze or predict aspects of a person (such as work performance, behavior, personal preferences, interests, etc.) and is often used for online advertising and in connection with employment/hiring. |
| Right to opt out of automated decision-making technology | Beyond just sharing information about automated decision-making activities, an opt-out of automated decision-making request requires the business to remove a consumer’s PI from these processes and ensure that changes are implemented throughout all systems. This means a business will have to first understand if and how automated/algorithm-driven decision-making is used for data processing and to develop a method to allow a California consumer to opt-out. |
| Right to limit use and disclosure of sensitive personal information (i.e., restrict processing) | This is a significant addition as it gives the consumer the right, at any time, to direct the business to limit its use of the consumer’s Sensitive PI (a new category of PI as defined below) to what is necessary to perform the service or provide the goods. And, if a business does receive such a direction, then it is prohibited from using or disclosing the Sensitive PI as directed (for at least 12 months) before requesting new consent. |
2. Sensitive Personal Information: A New Category of PI to Manage
The CRPA now separates out and gives additional protections to “sensitive personal information” (or Sensitive PI).
Sensitive PI is defined as:
PI that reveals a consumer's (i) social security, driver's license, state identification card or passport number, (ii) account log-in, financial account, debit card, or credit card number in combination with any security or access code, password, or credentials allowing access to an account, (iii) precise geolocation (newly defined as any data derived from a device and used or intended to be used to locate a consumer within a 1,850-foot radius), and (iv) racial or ethnic origin, religious or philosophical beliefs, or union membership.
(i) the processing of biometric information, (ii) PI collected and analyzed concerning a consumer's health; and (iii) PI collected and analyzed concerning a consumer's sex life or sexual orientation.
This will require special attention to determine what Sensitive PI you collect, use, and share, and to identify data processing activities that involve sensitive PI and trigger additional protections. If you have not already identified PI through data mapping or audits, you will need to review all of your systems to identify where sensitive PI is stored and how it is processed. Any Sensitive PI will trigger additional protections such as keeping sensitive PI separate from non-sensitive PI and other information stored in your systems (i.e., data silos) as well as requiring third parties to do the same).
3. New Business Obligations: Changes to Operations
Obligations for businesses under the CPRA will be more extensive than the CCPA and echo heightened data privacy and security requirements set forth under the GDPR (including meeting certain privacy principles and providing additional disclosures and opt-outs). This may require a large operational lift, including dedicating substantial time and resources to develop a strategy and processes to take on these new requirements.
Must Meet New Privacy Principles
Another significant addition under the CPRA is that a business that controls the collection of consumers’ PI (not just collects) now must adhere to limitations (similar to those under the GDPR) – data minimization, purpose limitation, and storage limitation (i.e., only collect the data you need, for the intended and disclosed purpose for which it was obtained, and only keep it for the disclosed retention period).
| Data minimization (i.e., only collect the PI you need) | The collection/use/retention/sharing of consumer PI must be “reasonably necessary and proportionate to achieve the purposes.” This means the business will only be able to collect what it actually needs (and that will require an understanding of what data is specifically needed for particular features and services). |
| Purpose limitation (i.e., only use PI for the intended and disclosed purpose for which it was obtained) | You must only use data for purposes disclosed at the time of collection, and must be able to disclose the categories of PI (and Sensitive PI) collected, the purposes for which PI is collected or used, and whether such information is sold or shared. This means you will need to have a clear understanding why you are collecting/using data, whether your use of data is actually limited to that original purpose, whether you collect and use data for multiple purposes, whether you sell and/or even “share,” etc. |
| Storage limitation (i.e., only keep PI for the disclosed data-retention period) | You must be able to (1) disclose the length of time the business intends to retain PI (or at a minimum, criteria you will use to determine retention periods), and (2) must not retain PI “for longer than is reasonably necessary for that disclosed purpose.” This means that the longer you keep data, the higher the risk. You will need to establish, implement, and maintain clear data-retention policies (including data-retention periods) and procedures to securely destroy PI when no longer needed. |
In order to meet the new privacy principles under the CPRA and adequately process consumer requests, you will need to implement and maintain data mapping and tracking mechanisms (such as maintaining an up-to-date inventory and classification process), as well as data-retention policies and procedures. You are likely to be required to complete periodic risk assessments as well (to be determined and clarified in the new agency’s regulations).
Further, a business will be required to have reasonable security procedures and practices “appropriate to the nature of the personal information.” With the new type of PI, Sensitive PI, heightened security will be required.
Must Provide Additional Disclosures
A business will be required to meet additional disclosure requirements (at the time/point of data collection), including the following:
| Privacy Policies | You will have to include the categories of Sensitive PI that are collected, in addition to categories of PI. You will also have to ensure you include not only data that is sold, but also PI and Sensitive PI that is shared. |
| Opt-Out Links | Now you will have to include two opt-out links (with some exceptions):
1. The required “Do Not Sell” opt-out link must include the sharing of data as well and must say “Do Not Sell or Share My Personal Information”; and 2. A separate opt-out link will be required for sensitive personal information and must display as “Limit the Use of My Sensitive Personal Information.” |
4. New Enforcement Body: Increased Risk/Liability for Non-Compliance
The biggest addition under the CPRA is the creation of the California Privacy Protective Agency (with funding to back it), a separate regulatory body that will have the power to enforce the CPRA. This agency (governed by an appointed five-member board) will be the driving force for providing clarification on how to interpret the CPRA and provide guidance on how the CPRA will be enforced. We will be at the edge of seats, but may not get clear guidance until the agency adopts final regulations in July 2022.
5. Changes to Applicability (Threshold) Requirements - What if I Previously Did Not Have to Comply with CCPA?
In general, if you did not have to comply with the CCPA before because you did not collect, process, or sell enough consumer PI to meet the threshold requirements (i.e., the three-prong test), then you may not meet the threshold requirements under the CPRA (but it depends).
Not Just the Sale of PI – Also Sharing
The CPRA expands its reach to businesses that not only generate most of their income from selling information but also from sharing information. (Note, “share” is broadly defined to include the sharing, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means.) So, a business that didn’t have to comply with CCPA because its data processing activities did not constitute a “sale” under the CCPA may have obligations under the CPRA if its data processing activities are considered “sharing” of PI (as defined).
Now Minimum Requirement is 100,000 Households
The CPRA has a higher threshold of affected consumers by requiring at least 100,000 consumers or households (versus the 50,000 under the CCPA). However, this requirement is now based on only consumer and households -- devices was removed and incorporated under the definition of household (defined as “a group, however defined, of consumers who cohabitate with one another in the same residential address and share use of common device(s) or service(s)”). This means that some small and medium size organizations that are required to comply with the CCPA may not meet the threshold requirements for the CPRA.
Other Parties Brought under CPRA
However, even if your business alone may not meet the threshold requirements to be considered a “business,” the CPRA also expands its reach to other parties.
In particular, it extends to joint ventures/partnerships (in which each business has at least 40% interest) and considers these as a single business. Also, the CPRA may apply if you control or are controlled by a business meeting the threshold requirements and share common branding (such that “the average consumer would understand that two or more entities are commonly owned”) with whom the business shares consumer PI. This means the structure of your business matters and you could be pulled under the CPRA based on your relationships with other businesses.
Also note, other parties may be brought under the CPRA when they control information as a third party, they receive information that is sold or shared by a business covered by the CPRA, or when they receive/access information to provide services. Other parties may be required to meet certain CPRA obligations under written contract with a business that is covered by the CPRA via required contractual provisions restricting the use of PI for limited and specified purposes, obligating CPRA compliance, and providing the "same level of privacy protection," as well as other requirements.
CPRA - Timeline
As you begin to take steps to prepare, be mindful of the following dates for when the CPRA will become fully operative and enforceable.
| December 2020 (Estimated) | Initial Effective Date | The ballot initiative will take effect the fifth day after the Secretary of State certifies the elections results (projected to be December 11th).
However, only certain provisions will be effective immediately including those that: 1. Extend the employee and B2B exemptions (until January 1, 2023) (Section 1798.145(m) and (n)); 2. Create the "Consumer Privacy Fund" (Section 1798.160); 3. Create and establish the authority of the California Privacy Protection Agency (CPPA) (Section 1798.199.10 through 1798.199.40); 4. Mandate the CA AG to adopt regulations and a mechanism to transfer regulatory authority to CPPA (Section 1798.185); and 5. Designate funds for the CPPA (Section 1798.199.95). |
| July 1, 2021 (Estimated) | Transfer of Regulatory Authority | The transfer of regulatory authority from CA AG to new CPPA will occur on this date (or within 6 months of the CPPA providing the AG notice it is prepared to assume rulemaking responsibilities) |
| January 1, 2022 | Start of Look-Back Period | Except for the right to access (to which the 12 month look-back limit does not apply), obligations under the CPRA are triggered by personal information collected by the business on or after this date |
| July 1, 2022 | Adoption of Final Regulations | Deadline for the CPPA to adopt final regulations |
| January 1, 2023 | Full Operative Date | The remainder of the CPRA will become operative (i.e., new/expanded definitions, new category of Sensitive PI, notice/disclosure requirements, opt-out links, etc.) and the entire CPRA will be enforceable |
| July 1, 2023 | Full Enforcement Date | Civil and administrative enforcement begins |