Hot on the heels of the California Attorney General's rulemaking process for the California Consumer Privacy Act ("CCPA"), California voters have passed a ballot initiative to expand and create new privacy rights for consumers. Most of the California Privacy Rights Act ("CPRA") will not take effect until January 1, 2023, giving weary businesses some lead time for their compliance efforts. In this client alert, we set out the key changes for businesses to be aware of as they look forward to meeting their obligations under the CPRA.
Background on the CPRA
Describing the CCPA as a great baseline, one of the CCPA's original proponents filed the CPRA ballot initiative (or Proposition 24) to further enhance consumer privacy in California. To preserve the full strength of the CPRA, the ballot initiative included a provision limiting legislative amendments that might weaken its provisions. California voters elected to pass Proposition 24 at the ballot, paving the way for the CPRA to become effective on January 1, 2023. In the meantime, only the administrative provisions of the CPRA, which establish the California Privacy Protection Agency and call for new regulations, will become immediately effective.
The CPRA contains a detailed rulemaking process, which directs the California Attorney General to begin issuing regulations until the California Privacy Protection Agency is established and is able to assume rulemaking responsibility. Much like the CCPA, the CPRA leaves the determination of many of its definitional and procedural nuances to a long rulemaking process. With final regulations required under the CPRA by July 1, 2022, many specificities will be left in flux until then. While businesses will not need to start from scratch to comply with the CPRA, more granular data-mapping will likely be required and businesses may need to reassess a number of choices made in their initial CCPA compliance efforts.
CPRA's Changes to the CCPA
In its 52 pages, the CPRA makes significant changes to the compliance burden imposed on businesses by the CCPA. We set out below a summary of the key additions and modifications to the CCPA's existing requirements.
- Establishes the California Privacy Protection Agency. The CPRA establishes the California Privacy Protection Agency (the "Agency") to take responsibility for promulgating rules and enforcing the amended CCPA via administrative proceedings and fines of between $2,500 and $7,500 per violation. Once it has been stood-set up, but by no later than July 1, 2021, the Agency must assume the rulemaking responsibilities under the CPRA. Notably, the Agency will have the power to conduct audits of businesses to ensure compliance with the CPRA.
- Eliminates the 30-Day Cure Period for Violations of the CPRA. Under the CCPA, businesses were given 30 days to cure alleged violations before any administrative enforcement by the California Attorney General. The CPRA eliminates that 30-day cure period permitted under the CCPA. Now, at most, the Agency has the discretionary power to provide the business with a time period to cure. However, it must do so with an eye to the intent of the business to violate the title and voluntary efforts it took to cure the alleged violation. In addition, the CPRA clarifies the scope of the right to cure available for personal information security breaches, noting, "implementation and maintenance of reasonable security . . . following a breach does not constitute a cure with respect to that breach."
- Requires the Implementation of Reasonable Security Procedures & Practices. The CPRA includes an affirmative requirement for businesses that collect consumers' personal information to implement reasonable security procedures and practices. Businesses must identify and implement procedures and practices that are appropriate to the nature of the personal information processed and the potential risks. Importantly, this affirmative obligation means businesses may face administrative fines (even in the absence of a data breach) where they fail to maintain reasonable security to protect consumers' personal information.
- Limits the Scope of the CCPA. The CPRA increases one of the threshold requirements to qualify as a "business" under the CCPA. To fall within the scope of the title, for-profit entities must process the personal information of 100,000 or more consumers or households, rather than 50,000 or more, as was the case under the CCPA.
- Imposes Data Minimization & Storage Limitation Requirements. The CPRA limits the collection, use, retention and sharing of personal information to that which is "reasonably necessary" to achieve the specified purposes of processing. Businesses will likely need to revisit their data-retention policies to ensure compliance with this addition.
- Requiring Businesses to Perform Cybersecurity Audits and Risk Assessments. Subject to the eventual regulations issued under the CPRA, businesses "whose processing of consumers' personal information presents a significant risk to consumers' privacy or security," must perform annual cybersecurity audits and submit risk assessments to the Agency on a regular basis. The CPRA does not define processing that may result in a significant risk to the consumer, but requires a consideration of the size and complexity of the business and the nature and scope of the processing. Risk assessments will require businesses to weigh the benefits of the processing activities against the potential risk to consumers' rights associated with such processing. The goal of these risk assessments is to restrict or prohibit certain processing activities—where the risks of those activities outweigh the benefits to the business, consumers and other stakeholders.
- Enhanced Requirements for Vendor Agreements. The CCPA identified specific requirements and limitations that should be present in an agreement between a business and its service provider in order for transfers of personal information required under that contract to be excluded from the broad definition of "sale." The CPRA formalizes these relationships by mandating agreements when a business sells personal information to, or shares it with, third parties, contractors and service providers. As such, businesses may need to conduct a full audit and review of their data-sharing agreements to ensure they contain the provisions required under the CPRA. Additionally, service providers, contractors and third parties will also need to ensure they have adequate processes in place to comply with these required provisions.
- Creates a New Category of Sensitive Personal Information. The CPRA adds a new category of personal information, termed "sensitive personal information," and imposes additional restrictions on its collection, use and disclosure. Sensitive personal information includes data elements, such as government identification numbers, financial information, precise geolocation, racial and ethnic origin, the contents of certain communications and genetic data.
- Expands Consumer Rights. The CPRA expands the Consumer Rights provided by the CCPA in a number of ways. These include:
- Right to Correction. The CPRA adds a new consumer right by requiring businesses to use all commercially reasonable efforts to correct inaccurate personal information in response to a verifiable consumer request.
- Right of Deletion. The CPRA modifies the deletion right by requiring service providers, contractors and third parties to cooperate with the business to delete personal information pursuant to a consumer request.
- Right to Opt Out of Sharing for Cross-Contextual Behavioral Advertising. The CPRA expands the right to opt out by requiring businesses to provide consumers with the ability to opt out of sharing personal information for the purposes of cross-contextual behavioral advertising. This change aims to ensure that consumers can opt out of this sharing even where it is not in exchange for valuable consideration.
- Right to Limit the Use & Disclosure of Sensitive Personal Information. The CPRA adds a new consumer right that allows a consumer to direct a business to limit its use and disclosure of the consumer's sensitive personal information for purposes other than those that are commercially necessary or as otherwise authorized by the CPRA.
Although the new and modified obligations under the CPRA will not enter into force until January 1, 2023, businesses will need to be in a position to comply with obligations relating to personal information collected by businesses on or after January 1, 2022. Given the limitation on the power of the legislature to amend the ballot initiative, in all likelihood, today's language will be that which becomes enforceable in 2023. Despite the long lead time, businesses would be well-advised to begin the more detailed data-mapping processes, evaluations and establishment of cybersecurity programs and vendor agreement reviews that will be required by the CPRA at their earliest convenience to ensure they are not caught out once the deadline arrives. We will continue to provide updates and analysis of the CPRA's detailed requirements. Please do not hesitate to reach out, as our Data, Privacy & Cybersecurity Practice group is happy to take any questions about the new requirements under the CPRA and to assist your business in revisiting or implementing your compliance plans as January 1, 2023, approaches.
This publication is provided for your convenience and does not constitute legal advice. This publication is protected by copyright.
© 2020 White & Case LLP