04 Nov California Privacy Rights Act Passed By California Voters
The votes are in and California’s citizens have spoken: the California Privacy Rights Act (“CPRA”) is now law. Known as CCPA 2.0, CPRA increases the privacy obligations of businesses already subject to the requirements of California’s 2018 California Consumer Privacy Act (“CCPA”). Though not discussed nearly as much outside the data privacy industry, CPRA has profound implications for companies doing business in California.
CCPA created personal information privacy rights for California residents. Companies that transact business in California and collect, sell, transfer, or otherwise use the “personal information” of California residents must comply with a host of regulations. CCPA follows the European Union’s (“EU”) view that consumers own their personal information, and gives those consumers the rights to (1) know what personal information is collected about them; (2) know to whom their personal information is disclosed; (3) access and review their personal information; (4) have the business delete that personal information; and (5) not be discriminated against for exercising their rights under CCPA.
CPRA significantly enhances CCPA’s current framework and adds additional rights and obligations to those who reside and conduct business in California, respectively. Readers can review the entire CPRA here, but here are the highlights:
- Effective date of 2023
CPRA does not take effect until January 1, 2023 and only applies to personal information—with an exception for the right to access—collected by businesses on or after January 1, 2022. This means businesses now have one year to get their compliance programs in order and be cognizant of the personal information they are collecting.
- Removal of the 30-day cure period
Under CCPA, enforcement actions can be brought by the California Attorney General’s Office 30 days after a business has been notified of its non-compliance with CCPA, and the business has not remedied the non-compliance. CPRA removes this 30‑day cure period and allows for enforcement immediately. CPRA retains the 30‑day cure period for private claims by consumers for data breaches, but stipulates that implementation and maintenance of reasonable security procedures and practices following a breach does not constitute a valid cure.
- Consumers can correct personal information
CCPA does not give consumers the opportunity to correct inaccurate personal information held by businesses. CPRA creates this brand-new privacy right, further aligning California’s data privacy laws with the EU’s General Data Protection Regulation (“GDPR”). Businesses will need to adjust their procedures so that consumers are able to exercise this right.
- Opting out of the sharing of personal information
CCPA gives consumers the right to prevent businesses from selling their personal information. CPRA now expands that right and allows consumers to stop businesses from otherwise sharing their personal information with a third party for behavioral advertising purposes, whether it is through a sale or not.
- Business-to-business exemption extension
Known as the “business-to-business exception,” CCPA does not require businesses to provide certain notices or extend particular data rights to consumers who are job applicants or are acting on behalf of another company, non-profit, or government agency in a business context. Although the California legislature recently extended the exemption to January 1, 2022, CPRA further extends its expiration date to January 1, 2023, coinciding with the law’s effective date.
- Addition of “sensitive personal information”
CPRA adds a new category of personal information called “sensitive personal information.” This new term encompasses a broad range of specific identifiers, such as social security numbers, racial or ethnic origin, biometric information, and sexual orientation. CPRA gives consumers the right to limit the use and disclosure of this type of information. Consumers may direct businesses to limit the use of sensitive personal information to that which is necessary for the businesses’ purposes unless consumers provide authorization for additional purposes.
- Expands breach liability
As discussed above, consumers have a private right of action for breaches of nonencrypted, nonredacted personal information under CCPA. CPRA now adds a private right of action for unauthorized access to or disclosure of an email address in combination with a password, or a security question and answer, that would permit access to the account.
- New obligations for service providers
CPRA requires businesses to enter into binding agreements with service providers who receive personal information from the business for a business purpose. In pertinent part, these agreements must obligate the service providers to: (1) provide the same level of protection as required by CPRA; (2) allow the business to take reasonable steps to ensure that the service providers are using the personal information consistent with the business’s obligations under CPRA; (3) allow the business to take reasonable steps to stop and remedy any unauthorized uses of personal information; and (4) notify the business when they can no longer comply with CPRA.
CPRA further mandates that service providers cooperate with and assist businesses in responding to verifiable consumer requests. These service providers must also notify any other service providers or third parties who may have accessed the relevant personal information that is sought to be deleted or corrected.
- Establishing a private enforcement authority
The CPRA creates a new, independent, state agency, the California Privacy Protection Agency (“CPPA”). The CPPA would operate like federal agencies and have investigative and enforcement powers, along with the ability to promulgate regulations. The CPPA supplants the California Attorney General’s Office as the controlling power overseeing CCPA and CPRA.
- CPRA cannot be repealed
Though not an actual provision, the method by which CPRA was promulgated is critical to the future of data privacy in California. Unlike CCPA, which is the product of the California legislature, CPRA’s promulgation is through a ballot initiative. Pursuant to the California Constitution, ballot initiatives become law as written and may only be fundamentally changed or repealed through subsequent voter action, unless the ballot initiative itself says otherwise. Per CPRA, the legislature may only amend the law if such amendments “are consistent with and further the purpose and intent” of CPRA. In other words, the legislature is limited in its amending power and prohibited from repealing CPRA absent another ballot initiative.
Although CPRA does not come into effect until 2023, affected businesses are now on the clock to make sure they are in compliance with this sweeping piece of law.