The California Privacy Rights Act (CPRA) Will Change the Privacy Landscape Again If Approved in November
- KO Firm
- July 1, 2020
On June 24, 2020, it was announced that the California Privacy Rights Act (the “CPRA”) garnered enough signatures to appear on the November 3, 2020 California ballot. The CPRA would amend the California Consumer Privacy Act of 2018 (the “CCPA”). Because of its significant expansion of the CCPA obligations, the CPRA has been deemed “CCPA 2.0.”
The CPRA will become law if approved by a simple majority of California voters. Early polling from late 2019 conducted by the ballot initiative’s sponsor, Californians for Consumer Privacy, indicates that 88% of Californians support passage of the CPRA. If California voters approve the ballot initiative, the substantive provisions of the CPRA—many of which could have significant impacts on covered businesses—would take effect on January 1, 2023. Some of those changes include:
1. Creation of a New Enforcement Agency, the California Privacy Protection Agency, with Broad Auditing Powers
The CPRA establishes a new California agency, the California Privacy Protection Agency (the “CPPA”), that would have full rulemaking and enforcement power under the CPRA in place of the California Attorney General. This new agency would have the power to audit the privacy practices of covered businesses and issue additional regulations.
2. CPRA Would Provide Additional Rights for California Consumers
- Right to Correct Personal Information. One of the new rights granted by the CPRA includes a California consumer’s right to correct inaccurate personal information held by a business. Upon receiving a request to correct personal information, a business must use “commercially reasonable efforts” to correct the inaccurate personal information, as directed by the consumer. This provision aligns with the European General Data Protection Regulation (“GDPR”), which already provides EU individuals with a right to correct their personal data.
- Right to Limit Use and Disclosure of Sensitive Personal Information. In addition to creating a new category of “sensitive personal information,” the CPRA would provide California consumers with the right to direct a business to limit the use and disclosure of sensitive personal information to that which is necessary to perform the services or provide the goods reasonably expected by an average consumer who requests such goods or services. A business that receives such a request would be prohibited from using or disclosing sensitive personal information for any other purpose unless the consumer provides consent. The CPRA’s definition of sensitive personal information is broad, including government-issued identifiers such as Social Security numbers and driver’s license numbers, debit/credit card numbers, financial account information, account log-in credentials, precise geolocation, contents of certain types of messages, genetic information, racial or ethnic origin, religious beliefs, biometrics, health information, and information concerning sex life or sexual orientation.
- Right to Opt-Out of Interest-Based Advertising. Under the CCPA, a business that “sells” California consumers’ personal information must provide consumers with certain disclosures and the right to opt out of such sales, including by posting a link titled “Do Not Sell My Personal Information” on internet websites. The CPRA significantly expands this right by providing California consumers with the right to opt out of the “sharing” of personal information with third parties, which is defined as “sharing, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating…personal information by the business to a third party for cross-context behavioral advertising, whether or not for monetary or other valuable consideration.” Under the CPRA, a business that engages in interest-based advertising would be required to post a new link titled “Do Not Sell or Share My Personal Information” on internet websites and allow consumers to opt out of the sharing of their personal information with advertising partners for cross-context behavioral advertising purposes.
- Right to Information About Automated Decision-Making. The CPRA would require the adoption of regulations governing consumers’ access and opt-out rights relating to a business’s use of automated decision-making technology.
- Expanded Right to Access Personal Information. Currently, a business that receives a request for information or specific pieces of personal information from a California consumer must provide information relating to the preceding 12 months. The CPRA expands this obligation, requiring a business to provide access to information beyond the 12-month period unless doing so “proves impossible or would involve a disproportionate effort.”
- Expanded Right to Delete Personal Information. Under the CCPA, upon receiving a request to delete personal information, a business must delete the relevant personal information and direct service providers to do the same. The CPRA also requires a business to notify all third parties to whom the business has sold or shared such personal information to delete the California consumer’s personal information.
3. Narrowed Scope of a Covered “Business,” New Voluntary Certification Category
Currently, the CCPA includes three thresholds that determine when certain for-profit entities qualify as a covered “business” under the CCPA: a company that (1) has annual gross revenues in excess of $25 million, (2) alone or in combination, annually buys, receives for the business’s commercial purposes, sells, or shares for commercial purposes, alone or in combination, the personal information of 50,000 or more California consumers, households, or devices, or (3) derives 50% or more of annual revenues from selling California consumers’ personal information.
- The CPRA narrows the scope of a business that must comply with the CCPA based on the second threshold to companies that “alone or in combination, annually buys or sells, or shares the personal information of 100,000 or more consumers or households.” This change would exempt certain businesses that do not otherwise need to comply with the CCPA.
- The CPRA also includes a new category of a “business”: entities that voluntarily certify to the California Privacy Protection Agency, the CPRA’s new enforcement agency, that they are in compliance with and agree to be bound by the law.
4. Additional Requirements for “Sensitive Personal Information”
Businesses that collect sensitive personal information would be required to comply with heightened disclosure obligations and restrictions, including honoring consumers’ right to restrict the use and disclosure of their sensitive personal information.
5. Private Right of Action for Additional Data Breaches
Under the CCPA, a business that notifies consumers of the unauthorized acquisition of the consumer’s email address in combination with a password or security question and answer that would permit access to the account would now be subject to the CCPA’s private right of action for data breaches, which includes statutory damages up to $750 per consumer. The CPRA expands this private right of action and provides for statutory damages for any legally-defined “breach” under California law.
6. Changes to Privacy Policy Requirements
A business that revised its privacy policy for compliance with the CCPA may have additional changes to make in order to comply with the CPRA, which requires a business to provide additional disclosures, including those relating to sensitive personal information and retention periods.
7. Additional Contractual Requirements for Service Providers and Other Entities
The CCPA currently requires a business to impose certain contractual obligations on service providers. Under the CPRA, a business that sells personal information to, or shares it with, a third party or that discloses it to a service provider or contractor for a business purpose would additionally be required to enter into agreements with service providers, third parties, and contractors that:
(a) specify that the personal information is sold or disclosed by the business for limited and specified purposes;
(b) obligate the third party, service provider, or contractor to comply with applicable obligations under the CPRA and provide the same level of privacy protections as are required by the CPRA;
(c) grant the business rights to take reasonable and appropriate steps to help ensure that the third party, service provider, or contractor uses personal information in a manner consistent with the CPRA’s requirements;
(d) require notification if the third party, service provider, or contractor can no longer meet its obligations under the CPRA; and
(e) grant the business the right, upon notice, to take reasonable and appropriate steps to stop and remediate unauthorized use of personal information.
8. Heightened Penalties for Children’s Information
The CPRA imposes fines of $7,500 for each violation of the CPRA involving personal information of consumers under the age of 16. Under the CCPA, children’s personal information is not treated separately, and violations are subject to fines of only $2,500—the same as violations involving adults’ personal information.
9. Exemption for B2B and Employee Personal Information Extended until January 1, 2023
Amendments to the CCPA passed in late 2019 imposed a one-year moratorium on certain requirements related to personal information belonging to business contacts and employees until January 1, 2021. The CPRA would extend this exemption until January 1, 2023.
10. CCPA Exceptions Clarified and Expanded
The CCPA currently includes a number of exceptions to the definition of “personal information” under the law, including certain information protected by federal sectoral laws, de-identified information, and information made publicly available in government records. Notably, the CPRA expands the public information exception and provides that personal information “does not include publicly available information or lawfully obtained, truthful information that is a matter of public concern.” In addition to information made available in government records, the CPRA’s exception for public information would also include certain information that is made available to the general public by the consumer or from widely distributed media, or which a consumer has disclosed without audience restrictions (such as on a public social platform).
If the CPRA is Approved, What Then?
Regardless of voter outcome in November, the CCPA in its current form will continue to be the governing privacy law in California until January 1, 2023. If the CPRA is approved by a simple majority of California voters in November, the substantive provisions of the CPRA would take effect on January 1, 2023, and, except for the right to access personal information, the CPRA would apply only to personal information collected after January 1, 2022.
If the CPRA passes, the California Privacy Protection Agency will be created and funded five days after the Secretary of State certifies the election results. The CPRA would require that the CPPA start a rulemaking process for new regulations on July 1, 2021, with final regulations implementing the provisions of the act to be promulgated by July 1, 2022. Enforcement of the obligations added or modified by the CPRA would begin on July 1, 2023.
| Date | CPRA Milestone |
| --- | --- |
| November 3, 2020 | California election date |
| 5 days after Secretary of State certifies results | CPPA created and funded |
| July 1, 2021 | CPPA begins rulemaking process for regulations |
| January 1, 2022 | CPRA 12-month look back begins |
| July 1, 2022 | CPPA issues final regulations implementing CPRA |
| January 1, 2023 | Exemption for B2B and employee information expires |
| January 1, 2023 | CPRA effective date |
| July 1, 2023 | CPRA enforcement date |
In short, November 3, 2020 will be a pivotal day for privacy law in California, the US more broadly, and, arguably, the global privacy landscape. If you have questions about how the CCPA or the CPRA might impact your business operations, contact Chris Achatz or Erin Locker.