In the privacy world, there is no rest for the weary. In California, while most companies were still getting their programs running to address the California Consumer Privacy Act (“CCPA”), including last-minute changes to address the final version of the regulations issued in late fall 2020, the California Privacy Rights Act (“CPRA”) took effect on December 16, 2020 following voter approval of another privacy ballot initiative (Proposition 24) in the November 2020 elections. The CPRA sharpens and expands many of the already strict requirements of the CCPA. Its full impact has not yet come into clear focus, given the complexity of certain CPRA requirements, the rapidly changing technologies driving business transformation across all industry verticals, and the regulatory clarifications and interpretations expected in the coming months. For reference, we outline below several core changes the CPRA introduces relative to the CCPA. Most of them do not become operative until January 1, 2023, but companies should begin to familiarize themselves with all of them now:
- Applicability: Modifies the CCPA’s applicability thresholds so that the law covers organizations that do business in the state of California and meet any one of the following:
- Have gross annual revenue of over $25 million in the preceding calendar year;
- Annually buy, sell, or share the personal information of 100,000 or more California consumers or households (up from the CCPA’s 50,000 threshold, which also counted devices); or
- Derive 50% or more of their annual revenue from selling or sharing California consumers’ personal information.
- B2B and HR limited exemptions: Extends the existing, limited B2B and HR exemptions to January 1, 2023. Note, however, that all parts of the CCPA that currently apply to B2B and HR contacts continue to apply. Additionally, one provision of the CPRA could be read to mean that the expanded notice requirements for employees (i.e., those under §1798.100(a)) apply with immediate effect from the date on which the CPRA took effect (December 16, 2020). We consider that such an interpretation would give rise to an irrational result (i.e., accelerating application of the enhanced notice requirements to HR data immediately, well ahead of the compliance deadlines for consumer data) and would conflict with the CPRA’s stated purpose and intent (see Section 3(8)) of extending the exemptions for employee and business-to-business communications until January 1, 2023. It remains to be seen how the Attorney General and/or the California Privacy Protection Agency will interpret this issue.
- Sensitive personal information: Introduces the concept of sensitive personal information, which includes information such as Social Security numbers, driver’s license numbers, precise geolocation, and biometric information, together with a new right for consumers to limit the use and disclosure of such information.
- Sharing of information: Introduces the concept of “sharing” personal information, defined as a business’s disclosure of personal information to a third party for cross-context behavioral advertising, whether or not money or other valuable consideration is exchanged. This closes the argument that a disclosure for targeted advertising is not a “sale” because no money changes hands.
- Necessity and proportionality: Adds a new obligation that the collection, use, retention, and sharing of a consumer’s personal information be reasonably necessary and proportionate to achieve the purposes for which the information was collected or processed.
- New consumer rights: In addition to the existing CCPA rights (right to know/access, right to delete, right to opt out of sale), the CPRA introduces the right to correct inaccurate personal information, the right to opt out of the sharing of one’s personal information, and the right to limit the use and disclosure of one’s sensitive personal information.
- ‘Limit the Use of My Sensitive Personal Information’ link: Requires a link on the business’s internet homepage (akin to the ‘Do Not Sell My Personal Information’ link) that enables a consumer to limit the use or disclosure of the consumer’s sensitive personal information.
- New notice requirements: Expands the notice requirements to include additional information regarding the sharing of personal information, the processing of sensitive personal information, and the retention period for each category of personal information, among other items.
- Expanded private right of action: Expands the private right of action for data breaches to cover breaches of an email address in combination with a password or security question and answer that would permit access to the account.
- Higher fine tier for violations involving the personal information of minors: Applies the $7,500 per-violation fine tier, otherwise reserved for intentional violations, to violations involving the personal information of consumers the business has actual knowledge are under 16 years of age, without any showing of intent.
- New cybersecurity audit and risk assessment requirements: Introduces an annual cybersecurity audit requirement and a periodic risk assessment requirement for businesses whose processing of personal information presents a significant risk to consumers’ privacy or security.
- Enforcement: Creates the California Privacy Protection Agency and eliminates the mandatory 30-day cure period for CCPA violations.
If you have any questions about this or any other privacy or data security law development, please do not hesitate to reach out to Brian Hengesbaugh, Michael Egan, or Harry Valetk.