California's Prop 24 Expands Privacy Protections—Enforcement Agency to be Established
On November 3, Californians passed Proposition 24, a ballot initiative that will require businesses to comply with some of the most expansive consumer privacy laws in the country. The proposition, also known as the California Privacy Rights Act of 2020 (CPRA), gives California residents additional control over personal information collected by businesses, imposes new compliance obligations on some businesses, and creates a new state agency to enforce consumer privacy laws.
Passage of the CPRA comes less than a year after the California Consumer Privacy Act (CCPA) took effect and gave state residents increased control over their personal information collected by businesses. The CPRA expands on rights currently offered under the CCPA. Please see our previous article for the CCPA summary.
Proposition 24 was spearheaded by the original proponents of the CCPA and reflected their frustration with what they saw as the state legislature's efforts to weaken the CCPA. Proposition 24 also limits the legislature's ability to amend the act: amendments must be consistent with, and further the purpose and intent of, the CPRA.
Notably, the CPRA requires the formation of a new agency, the California Privacy Protection Agency (CalPPA), which will be tasked with adopting regulations and with investigating and enforcing violations of the CPRA, a role that until now has belonged solely to the California Attorney General.
The CPRA does not become operative until January 1, 2023, but it will apply to personal information collected on or after January 1, 2022.
Additional Category of “Sensitive Personal Information”
The CPRA creates a new category of "sensitive personal information" and lets consumers limit a business's use of that information to what is necessary to perform the requested services or provide the requested goods. Sensitive personal information includes identifiers such as a consumer's Social Security, driver's license, state identification card, and passport numbers, as well as account log-in, financial account, debit card, or credit card numbers in combination with any security code, password, or credentials needed to access the account. It also includes the following:
The contents of a consumer's mail, email, or text messages, unless the business is the intended recipient of the communication
Biometric information processed to uniquely identify a consumer, and information concerning a consumer's health
Precise geolocation data
Racial or ethnic origin
Sex life or sexual orientation
Religious or philosophical beliefs, or union membership
Genetic data
Consumers also have the right to direct a business to limit its use and disclosure of sensitive personal information to what is necessary to perform the requested services or provide the requested goods, and to the other purposes the CPRA and its implementing regulations authorize.
Finally, the CPRA gives consumers a new right to correct inaccurate personal information that a business holds about them. Businesses covered under the CPRA must disclose this right to consumers and must use commercially reasonable efforts to correct the information when they receive a verifiable request from a consumer.
New Thresholds for Businesses Covered Under the CPRA
The CPRA modifies the CCPA's thresholds to exempt some small- and medium-sized businesses operating in California from the act. Under the CPRA's thresholds, a business is subject to the act if it meets any one of the following:
Buys, sells, or "shares" the personal information of 100,000 or more consumers or households. Under the CCPA, this threshold was 50,000 consumers, households, or devices.
Had annual gross revenues of $25M or more in the preceding calendar year.
Derives 50% or more of its annual revenue from selling or sharing consumers' personal information. The CCPA's threshold counted only sales; it did not address "shared" information.
Additionally, the CPRA changes the types of business entities that must comply with the law, including:
Bringing a parent or subsidiary under the act only if it both shares common branding with a covered business and receives personal information from that business. Under the CCPA, common branding alone was sufficient.
Extending obligations to a joint venture or partnership composed of businesses in which each business has at least a 40 percent interest.
Covering any entity doing business in California that voluntarily certifies to the CalPPA that it complies with, and agrees to be bound by, the CPRA.
Clarifying the Publicly Available Data Exception Under CCPA
The CCPA does not apply to information that is "publicly available," which it defined as information lawfully made available from federal, state, or local government records.
The CPRA expands this definition to include information that a business has a reasonable basis to believe the consumer lawfully made available to the general public, or that was obtained from widely distributed media. It also includes information the consumer disclosed to another party without restricting it to a specific audience. Additionally, the CPRA excludes from "personal information" any lawfully obtained, truthful information that is a matter of public concern.
New Obligations for Covered Businesses
The CPRA imposes additional obligations on businesses covered under the act, including:
Regulation of Cross-Context Behavioral Advertising. Extending the existing opt-out right to cover both the sale and the sharing of personal information with third parties for cross-context behavioral advertising. In essence, companies that share personal information with third parties for such purposes, even if not in exchange for money or other consideration, must now permit consumers to opt out of that sharing. Practically, covered businesses will need to revise their opt-out link to reference sharing, for example "Do Not Sell or Share My Personal Information." The act also allows a business to honor an opt-out preference signal sent by the consumer's browser or device as an alternative to posting the link.
Right to Opt Out of Automated Decision-Making Technology. Requiring businesses to honor consumer opt-out and access requests related to the processing of personal information by automated decision-making technology, including "profiling." The CPRA defines profiling as any form of automated processing of personal information used to evaluate personal aspects of an individual, in particular to analyze or predict the individual's performance at work, economic situation, health, personal preferences, interests, reliability, behavior, location, or movements. The act directs the CalPPA to adopt regulations governing these opt-out and access rights, including a requirement that responses to access requests include meaningful information about the logic involved in the decision-making process.
Right to Correct. Right for consumers to request businesses to correct inaccurate information.
Audit Obligations. The CPRA directs the CalPPA to issue regulations requiring businesses whose processing of personal information presents significant risk to consumers' privacy or security to perform an annual cybersecurity audit and to conduct regular risk assessments, which must be submitted to the CalPPA.
Expanded Right to Delete. The CPRA requires businesses that receive a consumer deletion request to notify their service providers and contractors to delete the information, and to notify all third parties to whom the business has sold or shared the information to delete it, unless doing so proves impossible or involves disproportionate effort. Service providers and contractors must in turn cooperate with the business in deleting the information, subject to some exceptions.
Expanded Data Portability Right. The CPRA requires businesses to provide the specific pieces of personal information they have obtained about the consumer in a format that is easily understandable to the average consumer. To the extent technically feasible, the information must also be provided in a structured, commonly used, machine-readable format that the consumer may transmit to another entity without hindrance.
Expanded Right to Know. For personal information collected on or after January 1, 2022, a consumer may request information older than the CCPA's 12-month look-back period, unless providing it proves impossible or would involve disproportionate effort.
Data Retention Requirements and Increased Transparency
The CPRA imposes certain data obligations similar to those adopted by the European Union in its General Data Protection Regulation (GDPR).
A business may collect, use, retain, and share consumers' personal information only to the extent reasonably necessary and proportionate to the disclosed purpose for which it was collected, or to another disclosed purpose compatible with the context in which it was collected.
A business may not retain consumers’ personal information for longer than is reasonably necessary for the disclosed purpose. Businesses must tell consumers how long they will retain the data when it is collected or, if it is not possible to disclose how long the data will be retained at the time it is collected, how the business will determine the retention period.
Businesses will therefore need to develop and implement retention policies for each category of personal information and disclose those retention periods, or the criteria used to determine them, at the time of collection.
Requirements for Service Providers and Contractors
The CPRA expands the definition of "service provider" and adds "contractors" as a new category of recipients of personal information. The CPRA requires businesses to enter into written agreements with service providers and contractors that specify the limited business purpose for which the information is disclosed and address how it may be handled and processed.
The CPRA imposes the following restrictions and obligations on service providers and contractors:
May not use or disclose personal information for any purpose other than the business purposes specified in the contract
May not combine the personal information received from a business with personal information received from other sources, subject to certain exceptions
Must cooperate with the business in responding to consumer privacy rights requests
Must notify the business when engaging any subcontractor or sub-service provider, and bind that party by written contract to the same terms as the agreement with the business
B2B and Employee Exemption
The CCPA provided exemptions for business-to-business (B2B) communications and for employee information that were scheduled to expire on January 1, 2021. The CPRA pushed the expiration date of both exemptions back to January 1, 2023.
Under the current B2B exemption, businesses are not required to provide certain notices or to extend most consumer rights to their business contacts. The exemption applies to written or verbal communications or transactions between a business and an employee, owner, director, officer, or contractor of another organization when the business is either:
Conducting due diligence on that organization; or
Providing or receiving products or services from the organization
The partial employee exemption applies to personal information a business collects about job applicants, employees, officers, directors, owners, or medical staff solely within the context of that role. It also applies to emergency contact information and to information needed to administer employee benefits. However, the business must still disclose, at or before the point of collection, the categories of information collected and the purposes for which they will be used, and the CCPA's data-breach private right of action still applies to this information.
CPRA Increased Enforcement and Potential Business Liability
In addition to creating the CalPPA, the CPRA included the following provisions regarding enforcement and business liability:
Expanded the private right of action for data breaches to cover breaches of a consumer's email address in combination with a password or security question and answer that would permit access to the account.
Clarified that implementing and maintaining reasonable security procedures and practices after a breach does not, by itself, constitute a cure of that breach for purposes of the private right of action.
Raised the administrative fine to $7,500 per violation for violations involving the personal information of a consumer the business has actual knowledge is under 16 years of age.
CPRA Implementation Timeline
January 1, 2022: The CPRA's rights and obligations apply to personal information collected on or after this date.
July 1, 2022: Deadline for the CalPPA to adopt final implementing regulations.
January 1, 2023: Most provisions of the CPRA become operative; the B2B and employee exemptions expire.
July 1, 2023: Administrative enforcement by the CalPPA begins for violations occurring on or after this date.
Next Steps for Businesses Collecting Personal Consumer Information in California
While the significant changes the CPRA makes to California's consumer privacy laws do not become operative until January 1, 2023, businesses collecting data on consumers in the state should begin preparing now, particularly because the act will reach back to personal information collected from January 1, 2022 onward.
Specifically, businesses should take the following steps:
Determine whether the business meets the thresholds to be subject to the CCPA, and analyze whether it will be subject to the CPRA once it takes effect.
Businesses subject to the CPRA, and those that routinely collect sensitive personal information (even if not subject to the CCPA or CPRA), should do the following:
Perform data mapping to understand the types of data collected, the purposes of collection, the retention period for each category, which third parties, service providers, and contractors have access to the data, and how the data is protected.
Prepare or update internal policies and procedures to address, among other things, how data is retained, secured, and disclosed, and how consumer requests (to know, delete, correct, opt out, and limit use of sensitive personal information) are verified and fulfilled within the statutory deadlines.
Review existing privacy policies and notices at collection to determine whether changes are needed to comply with the CCPA and CPRA. Businesses exempt from the acts should still consider whether they wish to offer consumers certain privacy rights.
Draft and enter into data privacy addendums with service providers, contractors, and third parties that reflect the CPRA's required contract terms.
Businesses subject to the CPRA should also start doing the following:
Consider engaging independent cybersecurity firms to audit processing activities that present significant risk to consumers' privacy or security, in anticipation of the annual cybersecurity audit requirement.
Conduct privacy risk assessments to identify the risks associated with each processing activity and to weigh them against its benefits. Where the risks outweigh the benefits, consider adopting additional safeguards or limiting the processing.
DISCLAIMER: The subject matter discussed above is constantly evolving and may change on a frequent basis. The information contained in this post is for general education and informational purposes only. It should not be construed as legal advice or as creating an attorney-client relationship between the reader and TKN Law.