Insight

California Approves Even Tougher Privacy Laws

MORGAN LEWIS PRACTICAL ADVICE ON PRIVACY: GUIDE TO THE CCPA

November 10, 2020

A majority of California voters approved the California Privacy Rights Act of 2020 (CPRA) on November 3. The CPRA expands provisions of the California Consumer Privacy Act (CCPA), creates new consumer privacy rights, establishes the California Privacy Protection Agency as California’s privacy regulator, and removes the ability of businesses to fix violations before being penalized for violations. The CPRA becomes effective on January 1, 2023, with enforcement commencing on July 1, 2023. This article summarizes a few notable aspects of the CPRA and highlights practical steps that businesses should take to ensure compliance.

The CPRA refines and expands the scope of the CCPA, California’s landmark privacy law. Under the current CCPA, consumers have the right to know what personal information businesses collect about them, the right to delete that personal information, and the right to opt out of the sale of their personal information.

The CPRA was a ballot measure created by Californians for Consumer Privacy, which is the same nonprofit group led by businessman Alastair Mactaggart that proposed a similar ballot initiative in 2018 that ultimately led to the California state Legislature’s passage of the CCPA in 2019. Following the enactment of the CCPA, Californians for Consumer Privacy drafted a new ballot measure, Proposition 24, to address perceived deficiencies in the privacy law and to further align California privacy protections with those available under the European Union’s General Data Protection Regulation (GDPR).

HOW DOES THE CPRA CHANGE THE CCPA?

The CPRA adds numerous provisions that strengthen consumer privacy protections, but also includes some modifications that should be well-received by businesses.

  • Definition of a “business”: The CPRA amends one of three thresholds that must be satisfied as part of the CCPA’s definition of a “business” subject to the law. A covered business will include an entity that processes the personal information of 100,000 or more consumers or households per year (up from 50,000). This modification will result in some smaller businesses no longer being subject to the CCPA.[1]
  • Advertising opt out: While the CCPA grants consumers the right to opt out of the sale of their personal information, the CPRA takes this one step further by providing consumers with the right to opt out of the sharing of their personal information for cross-context behavioral advertising purposes. Significantly, a consumer may opt out of a business’s sharing of personal information for cross-context behavioral advertising purposes even where no money is exchanged between the business and the third party.[2] The CPRA defines the new term “cross-context behavioral advertising” as advertising targeting a consumer based on personal information obtained from the consumer’s activity across businesses, distinctly-branded websites, applications, or services, except for consumer’s activity across the entity with which the consumer intentionally interacts.[3] Cross-context behavioral advertising is explicitly excluded as a “business purpose” that can be performed by a service provider.[4] These provisions resolve some of the uncertainty regarding how the CCPA applies to the online advertising industry but open questions remain, such as whether the advertising opt out must be delivered by publishers or ad technology companies.
  • Opt out signals: A business is not required to post an opt out link if it allows consumers to communicate their Do Not Sell/Do Not Share preferences through signals or preferences that are set “with the consumer’s consent by a platform, technology or mechanism based on technical specifications set forth in regulations.”[5]
  • Extends requests to know: Currently, if a consumer submits a request to know what personal information a business has collected about them, the disclosure under the CCPA is limited to the 12 months before the request was received. Under the CPRA, consumers will have the right to make a request to know what information was collected on or after January 1, 2022, that extends even earlier than 12 months preceding the request. A business must comply unless doing so “proves impossible or would involve a disproportionate effort.”[6]
  • Extends employee and business-to-business exemptions: The CPRA extends the CCPA’s limited exemptions for personal information collected from employees, applicants, officers, directors, contractors, and business representatives through January 1, 2023.[7]

WHAT NEW PRIVACY RIGHTS ARE IN THE CPRA?

Sensitive personal information: The CPRA creates a new category of “sensitive personal information” that is entitled to additional protections.[8] Sensitive personal information includes account and login information, precise geolocation data, contents of mail, email and text messages, genetic data, and certain sexual orientation, health, and biometric information. Under the CPRA, consumers may opt out of a business’s sale of sensitive personal information, and may also opt out of the mere use of sensitive personal information.

Expanded breach liability: The CCPA provides for a limited private right of action for breaches of non-encrypted, non-redacted personal information. The CPRA expands the events giving rise to the private right of action to include unauthorized access or disclosure of an email address in combination with a password or security question that would permit access to an account if the business failed to maintain reasonable security.[9] Importantly, the CPRA does not add a broad private right of action for any other violation of either the CCPA or the CPRA.

New right of correction: Consumers have a right under the CPRA to have inaccurate personal information corrected.[10] If a business receives a verifiable consumer request to correct inaccurate personal information, the CPRA requires that the business must use “commercially reasonable efforts” to make the correction.[11]

Expanded right of deletion: Businesses will be required to pass on consumer deletion requests to service providers, and also to third parties to which the business has shared or sold information (unless it proves impossible or involves disproportionate effort).[12] Service providers must also pass on deletion requests to their subcontractors.

New data retention requirement: The CPRA imposes new data retention requirements on businesses. At or before the time that personal information is collected, a business must disclose to the consumer the length of time the business intends to retain each category of collected personal information, including sensitive personal information.[13] Significantly, the CPRA provides that a business shall not retain a consumer’s personal information “for longer than is reasonably necessary for that disclosed purpose.”[14]

New proportionality requirement: Similar to the GDPR, the CPRA requires that the collection, use, retention, and sharing of personal information by businesses must be proportional to the purpose for which the personal information was collected or processed. Personal information may not be processed in a manner that is incompatible with the context and purpose for which the information was collected.[15]

New requirements for service providers: Service providers must notify businesses of the identities of their subcontractors.[16] Contracts with service providers must also prohibit the service provider from (1) selling or sharing the business’s personal information, (2) retaining, using, or disclosing personal information outside of the direct business relationship between the service provider and the business, and (3) combining personal information received from one business with information received from another business.[17]

New requirements for “contractors”: Businesses will need to enter into a contract with any entity to which they disclose personal information, including third parties to which they sell personal information. This requirement extends beyond current CCPA requirements for service provider agreements. The contract must include certain provisions, including (1) limiting use to limited and specified purposes, and (2) providing the same level of privacy protections as required by the CCPA.[18]

ENFORCEMENT BY THE CALIFORNIA PRIVACY PROTECTION AGENCY

The CCPA is currently enforced by the California attorney general.[19] The passage of the CPRA establishes a new state regulator—the California Privacy Protection Agency (the Agency)—to administer, enforce, and implement consumer privacy laws and impose fines.[20] The Agency will assume the California attorney general’s responsibility for interpreting and enforcing the CCPA and CPRA.

The Agency will consist of a five-member board. The governor is authorized to appoint the chair and one member. For the remaining two seats, the California attorney general, Senate Rules Committee, and speaker of the Assembly may each appoint one member. The CPRA instructs that the appointments to the Agency shall be made from among Californians with expertise in the areas of privacy, technology, and consumer rights.

Functions of the Agency will include the implementation and enforcement of the CPRA, rulemaking authority, providing guidance to businesses and consumers regarding the CPRA, and issuing orders requiring violators to pay administrative fines and penalties. While businesses currently enjoy a 30-day cure period under the CCPA to remedy a violation following a formal notice of alleged noncompliance, the CPRA eliminates this cure period.[21] Under the CPRA, the maximum penalty for violations concerning consumers under the age of 16 is tripled to $7,500 per violation.[22]

LOOKING AHEAD

Most of the CPRA’s provisions will become operative on January 1, 2023 and will apply to personal information collected by businesses on or after January 1, 2022.[23] The CPRA will be enforced beginning July 1, 2023.[24] Some technical provisions of the CPRA, including the creation of the Agency and exemptions for employment-related and business-to-business personal information, will take effect within days after the CPRA’s passage is certified by the California Secretary of State.

Because the CPRA adds entirely new privacy rights and introduces a new regulatory agency to administer California’s privacy laws, businesses subject to the CCPA will need to review their CCPA compliance programs to ensure compliance in California’s rapidly evolving privacy regulatory landscape. The CPRA’s new obligations regarding sensitive personal information and extending the time period applicable to requests are likely to cause businesses to revisit their data mapping efforts.

CONTACTS

The Morgan Lewis privacy team is providing practical privacy advice to more than 100 businesses on compliance with the CCPA, the proposed regulations, and how to ensure compliance. If you have any questions or would like more information, please contact any of the following Morgan Lewis lawyers:

San Francisco
Reece Hirsch
Carla Oakley
Michelle Park Chiu
Kevin Benedicto

Los Angeles
Joseph Duffy

Philadelphia
Gregory Parks
Ezra Church
Kristin Hadgis
Julian Williams

New York
Martin Hirschprung

Washington, DC
Ronald Del Sesto
Dr. Axel Spies


[1] CPRA, Section 14, Cal. Civ. Code § 1798.140(d)(1)(B).

[2] CPRA, Section 14, Cal. Civ. Code § 1798.140(ah); Section 9, Cal. Civ. Code § 1798.120(a).

[3] CPRA, Section 14, Cal. Civ. Code § 1798.140(k).

[4] CPRA, Section 14, Cal. Civ. Code § 1798.140(e)(6).

[5] CPRA, Section 13, Cal. Civ. Code § 1798.135(b).

[6] CPRA, Section 12, Cal. Civ. Code § 1798.130(a)(2)(B).

[7] CPRA, Section 15, Cal. Civ. Code §§ 1798.145(m), (n).

[8] CPRA, Section 10, Cal. Civ. Code § 1798.121(a).

[9] CPRA, Section 16, Cal. Civ. Code § 1798.150(a).

[10] CPRA, Section 6, Cal. Civ. Code § 1798.106.

[11] CPRA, Section 6, Cal. Civ. Code § 1798.106.

[12] CPRA, Section 5, Cal. Civ. Code § 1798.105(c).

[13] CPRA, Section 4, Cal. Civ. Code § 1798.100(a)(3).

[14] CPRA, Section 4, Cal. Civ. Code § 1798.100(a)(3).

[15] CPRA, Section 4, Cal. Civ. Code § 1798.100(a)(2).

[16] CPRA, Section 14, Cal. Civ. Code § 1798.140(ag)(2).

[17] CPRA, Section 14, Cal. Civ. Code § 1798.140(ag).

[18] CPRA, Section 4, Cal. Civ. Code § 1798.100(d).

[19] Cal. Civ. Code §§ 1798.155, 1798.185.

[20] CPRA, Section 24.1, Cal. Civ. Code § 1798.199.10.

[21] CPRA, Section 17, Cal. Civ. Code § 1798.155(a).

[22] CPRA, Section 17, Cal. Civ. Code § 1798.155(a).

[23] CPRA, Section 31.

[24] CPRA, Section 21, Cal. Civ. Code § 1798.185(d).