It’s not uncommon for Hollywood sequels to refine main characters and introduce new ones, but few sequels do it well. Whether the “sequel” to the California Consumer Privacy Act (CCPA) — the California Privacy Rights Act (CPRA) — will be as popular as The Empire Strikes Back is yet to be determined, but the CPRA does follow Hollywood’s formula by tweaking the existing cast and adding new roles. It also heightens the drama by staging a somewhat convoluted premiere schedule.
Approved by California voters Nov. 3, 2020, the CPRA substantially revises the consumer rights and business obligations created by the CCPA. But unlike most movie sequels, the CPRA’s release arrives in the same year as the CCPA’s debut.
Given the number of modifications, I’ll first address questions concerning the CPRA’s applicability: What’s covered? Who’s affected? When does it go into effect? Subsequent installments will dive into CPRA rights, notices, obligations, and enforcement.
A long time ago (January, to be precise) and far, far away (at least to those of us on the East Coast), the CCPA’s expansive definition of “personal information” kicked in, with many decrying the sheer breadth of the definition.
Internet browsing history. Olfactory information. Inferences drawn to create a profile. Yes, all of that and more.
Indeed, any “information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.”
For better or worse, the definition of personal information remains essentially the same in the CPRA, with a few notable exceptions.
First, it expands the universe of personal information (yes, apparently there was room in the galaxy for expansion) to include a new subset, called “sensitive personal information” (SPI).
SPI covers the kind of information you’d expect to be sensitive — such as social security numbers, financial accounts, health data, race, religion, and sexual orientation — along with at least one item that most Americans would not consider to be particularly sensitive, i.e., union membership. Those familiar with the EU’s General Data Protection Regulation, however, will recognize the GDPR’s fingerprints on that item, since trade union membership is a “special category” of personal data under the GDPR.
The GDPR’s special categories are not lifted wholesale into the CPRA, however: The definition of SPI curiously fails to mention “political opinions.” But the rest of the GDPR items are included.
The CPRA’s definition also goes a bit further than the GDPR by including the “contents of a consumer’s mail, email and text messages” (unless the business is the intended recipient of the communication), as well as a consumer’s “precise geolocation.”
And with an exactitude that would make Vader proud, the CPRA defines precise geolocation as any data able to locate a consumer “within a geographic area that is equal to or less than the area of a circle with a radius of one thousand, eight hundred and fifty (1,850) feet.”
Now that’s precise!
The CPRA also expands the scope of the exemption for “publicly available information,” clarifying that it may include “lawfully obtained, truthful information that is a matter of public concern.” In a boon for businesses, it also creates a somewhat large loophole to include information that a business “has a reasonable basis to believe” is lawfully made available to the general public “by the consumer or from widely distributed media.”
Speaking of businesses, while the CPRA still uses the term “business,” businesses look a little different in the CCPA reboot, not unlike Luke Skywalker in the Star Wars sequel.
The CPRA slightly modifies each of the CCPA’s threshold factors that determine whether an entity is a “business” covered by the law. The first threshold — requiring annual gross revenues in excess of $25 million — is amended to clarify that revenues are calculated by looking at the “preceding calendar year.” So businesses not operating on a calendar-year basis may need to adjust their accounting to determine if they still fall within the statutory threshold.
The second threshold increases to 100,000 the number of consumers or households whose personal information, alone or in combination, is bought, sold, or shared annually by the business. The CCPA’s threshold was 50,000, and it factored “devices” (along with consumers and households) into the calculation. The CPRA deletes “devices” but still manages to expand the scope by adding “sharing.”
“Sharing” is likewise added to the third threshold — the one addressing 50% or more of annual revenues derived from selling (and now sharing) consumers’ personal information.
“Sharing” is a new concept in the CPRA. It refers to the transfer of personal information in the context of behavioral advertising “whether or not for monetary or other valuable consideration.” More specifically, it applies to “cross-context behavioral advertising,” which means the targeting of advertising based on personal information obtained from the consumer’s activity “across businesses, distinctly-branded websites, applications, or services” other than the ones with whom the consumer “intentionally interacts.”
In other words, the cornerstone of the internet economy.
And for those who thought the CCPA’s concept of “selling” was broad, the CPRA makes transfers of personal information even broader by amending each instance of “selling” with “selling or sharing.”
The CPRA also adds two new types of businesses to its coverage: (1) a joint venture or partnership comprised of “businesses” in which each business has at least a 40% interest, and (2) any entity that “voluntarily certifies” to the yet-to-be-formed enforcement authority — the California Privacy Protection Agency (CPPA) — that it is in compliance with, and agrees to be bound by, the law.
More on the CPPA below, but why would anyone voluntarily agree to be bound by the law? Wouldn’t that be akin to asking Darth Vader for an introduction to Emperor Palpatine?
Not necessarily. One could take another lesson from Star Wars by looking at Han Solo. Evolving from mere mercenary to rebel advocate, Solo arguably made himself more endearing to the audience in the sequel. Entities otherwise exempt from the California law may consider a similar “Han-volution” to generate goodwill — and yes, revenue — from California consumers.
Service Providers & Contractors
Service providers also reappear in the CPRA, but again with modifications. Unsurprisingly, service provider contracts must be amended to prohibit the “sharing” of personal information, but they must also prohibit “combining” personal information received from a given business with any personal information received from others. Of course, as always, certain conditions apply.
Service providers are also obliged to notify the business regarding their use of subcontractors, and those subcontractors must be contractually bound to the same terms as the service provider.
The CPRA also creates a new character — the “contractor” — who is very similar to the service provider. To the extent that service providers are akin to Jedi Knights (because they don’t sell personal information to the Dark Side), the contractor is undoubtedly Yoda (because the contractor is not only new, but also extra special).
Like a service provider, a contractor is bound by the terms of a written contract that sets forth certain restrictions and prohibitions on the use of personal information (like not selling or sharing it), but unlike the service provider, the contractor includes a “certification” that it understands all of those restrictions and prohibitions and will comply with them.
In short, “Certification you must have!”
The CPRA greatly simplifies the definition of a third party by essentially stating it is none of the above: not a business, not a service provider, not a contractor. However, there’s a nuance to the updated definition, implying that a business may, under certain circumstances, also be a third party.
In pertinent part, the CCPA provides that a third party is not “the business that collects personal information from consumers under this title.” The CPRA, however, tweaks that definition to say that a third party is not “the business with whom the consumer intentionally interacts and that collects personal information from the consumer as part of the consumer’s current interaction with the business.” [Emphasis added.]
So if a business collects personal information from a consumer who does not “intentionally interact” with the business — think of a consumer who inadvertently opens an advertisement while scrolling down a page on a mobile device, or think of a business that collects personal information from another business, such as a data broker — the CPRA would view such a business as a third party.
That classification doesn’t mean, however, that the so-called “third-party business” is exempt from business obligations. Rather, it clarifies that business obligations (such as the duty to facilitate consumer requests) apply to any entity satisfying the definition of a business, regardless of whether it collects personal information directly from the consumer.
In other words, yes, Skywalker may be Vader’s son, but that doesn’t mean he’s relieved of his obligation to save the galaxy.
Staging the Debut
So when will the CPRA brighten a screen near you?
Technically speaking, the CPRA goes into effect “on the fifth day after the Secretary of State files the statement of the vote for the election at which the measure is voted on” (Cal. Const. art. II, § 10(a)), which the Secretary must do by Dec. 11. So expect the CPRA to go into effect “officially” around mid-December.
That said, most of the CPRA won’t become “operative” until Jan. 1, 2023. A number of provisions, however, do kick in before that date.
Most notably, the provisions addressing two popular exemptions — the exemption for personal information collected in the employment context (first added to the CCPA in 2019 by AB 25) and the exemption for personal information collected in business-to-business transactions (created by AB 1355) — will go into effect this December. So businesses collecting personal information from employees need not comply with employee requests to delete, for example.
Both exemptions were originally set to expire on Jan. 1, 2021. An amendment passed in September of 2020 (AB 1281) extended the sunset to Jan. 1, 2022, but that amendment was provisional only; its operation was contingent upon voters not approving the CPRA, which has its own sunset date: Jan. 1, 2023.
To clarify, then, the exemptions related to the personal information of employees and certain B2B communications will expire on the same day that the rest of the CPRA comes to life. That means that businesses will need to respond to employee requests to delete.
Unless, of course, the moratorium is extended once again.
Other provisions becoming operational before 2023 include those relating to the creation of the new enforcement authority: the California Privacy Protection Agency (CPPA).
The CPPA itself will be governed by a five-member board, and appointments to the board must be made by mid-March 2021. By July 1, 2021, rulemaking authority transfers from the Attorney General to the CPPA, and the agency has until July 1, 2022, to adopt final regulations.
Moreover, with the exception of the right of access, the CPRA will only apply to personal information collected by a “business” on or after Jan. 1, 2022.
While enforcement of the CPRA will not begin until July 1, 2023, it’s important to remember that the CCPA is still very much in effect. And it will remain so until 2023.
To paraphrase Obi-Wan Kenobi: “California privacy law will be with you. Always.”
Bloomberg Law subscribers can find related content on our In Focus: CCPA page.