Never before has a state gone so far to protect consumer data privacy: The California Privacy Rights Act (CPRA), a ballot initiative also known as Proposition 24, passed at the polls on Nov. 3, 2020, and amends the California Consumer Privacy Act of 2018 (CCPA) to create an omnibus privacy regulation in California.
The CPRA creates additional consumer rights, modifies existing CCPA rights, mandates a new category of consumer personal information with associated rules, and establishes a new privacy enforcement agency.
Businesses have only just absorbed the latest set of proposed modifications to the CCPA regulations, and now they need to integrate the demands of the CPRA as well. Fortunately, there is time: most CPRA provisions do not take effect until Jan. 1, 2023.
What’s Next for Business
To prepare for this next wave of privacy regulation, businesses should perform a new data mapping exercise to determine which elements of the personal information they collect are “sensitive personal information.” Businesses should also evaluate their internal data retention policies, update their privacy statements with the newly required disclosures (including retention periods by category), and implement a mechanism for allowing consumers to request correction of their data.
Businesses may also need to change the way they structure or modify data internally so that a correction requested by a consumer can be applied on demand across the systems that hold that record.
Finally, businesses should update their opt-out mechanism in two ways. First, the “Do Not Sell My Personal Information” link should read “Do Not Sell Or Share My Personal Information” and must cover sharing as well as sales. Second, businesses that use sensitive personal information beyond what is necessary to provide the requested service should either add a second “Limit the Use of My Sensitive Personal Information” link or bundle both opt-outs under a single link.
Significant Requirements of the CPRA
Sensitive Personal Information. The CPRA requires businesses to track a new category of data called “sensitive personal information,” which is a subcategory of the CCPA’s “personal information.” Data in this subcategory includes government-issued identifiers (such as Social Security, driver’s license, and passport numbers), financial account information, biometric data, health status, precise geolocation, the contents of emails or text messages, and racial or ethnic origin.
As a subcategory of “personal information,” sensitive personal information is subject to the same de-identification and aggregation exceptions that apply to personal information under the CCPA, and consumers retain all of their existing CCPA rights over it. In addition, consumers gain a new right specific to this subcategory: they may require a business to limit its use and disclosure of sensitive personal information to what is necessary to perform the services or provide the goods “reasonably expected by an average consumer.” For example, a consumer can restrict the use of sensitive personal information for advertising or marketing purposes. A business that uses or discloses this information for other purposes must notify the consumer of the use, its purpose, and the consumer’s right to limit it.
“Sharing” Is Now Regulated Like a “Sale.” Where businesses have had to grapple with the definition of “sale” under the CCPA (a term with a broader meaning than in ordinary usage), the CPRA adds a parallel definition of “sharing”: disclosing personal information to a third party for cross-context behavioral advertising, whether or not there is an exchange “for monetary or other valuable consideration.” The CCPA requirements around “selling” now also apply to “sharing,” so consumers may opt out of the sharing of their personal information whether or not a “sale” has occurred, which closes a perceived loophole in the CCPA.
Data Retention Disclosure Requirements. For each category of personal information that a business collects, including “sensitive personal information,” it must disclose the applicable retention period by category. A business is prohibited from retaining personal information for longer than is “reasonably necessary” for each of the disclosed purposes for which the data was collected. If it is not possible to determine an intended length of retention, the business must instead disclose the criteria used to determine that length, based on the purpose(s) for which it collected the data.
Consumer Right to Request Correction of Inaccurate Information. The CPRA provides a new right to consumers, in addition to those that currently exist under the CCPA. Alongside the right to request access and the right to delete, consumers will have the right to request that a business correct inaccurate personal information.
Mandated “Reasonable Security Measures.” The CPRA adds an affirmative requirement that businesses implement reasonable security procedures and practices to protect personal information, appropriate to the nature of the information the business collects.
A New Privacy Enforcement Agency. The CCPA and California’s privacy regulations are currently enforced by the California Attorney General. The CPRA creates a dedicated agency, the California Privacy Protection Agency, to oversee enforcement of California privacy regulations. This agency will have the power to enforce both the CCPA and the CPRA, and will be empowered to issue the related regulations.
The CPRA also includes more general modifications and obligations, which include:
- Generally limiting the “collection, use, retention, and sharing” of personal information to that which is “reasonably necessary and proportionate” to achieve the purposes disclosed to the consumer.
- Clarifying that the CCPA’s existing non-discrimination provisions do not prohibit a business’s ability to offer loyalty or rewards programs.
- Expanding the scope of the private right of action for data breaches to include the unauthorized disclosure of an email address in combination with a password, or a security question and answer, that would permit access to the account.
- Extending the employee data exemption to Jan. 1, 2023.
- Adding an elevated $7,500 penalty for violations involving consumers under the age of 16.
Before the CPRA takes effect on Jan. 1, 2023, we expect to see another lengthy process of proposing, commenting on, and finalizing CPRA regulations, which the CPRA requires to be adopted by July 1, 2022.
This column does not necessarily reflect the opinion of The Bureau of National Affairs, Inc. or its owner.
Cynthia Cole is special counsel at Baker Botts in Palo Alto, Calif. She acts as general counsel to public and private companies, particularly related to technology, corporate transactional and data privacy issues.
Matthew R. Baker is a litigation partner at Baker Botts in San Francisco. He focuses his practice on white collar defense and internal investigations. He is well-versed in domestic and international data privacy and information security practices.
Katherine Burgess is an associate in the San Francisco office of Baker Botts. Her practice focuses on patent prosecution, patent litigation, and post-grant review proceedings.