Overview

California voters passed the California Privacy Rights Act (CPRA) ballot initiative during the November 2020 election, amending and expanding the existing California Consumer Privacy Act (CCPA). The new California state privacy law clarifies existing provisions of the CCPA, creates new consumer rights, imposes additional obligations on businesses that collect personal information from California consumers, and creates a new enforcement agency called the California Privacy Protection Agency.

Prepare for the CPRA


The CPRA becomes fully operative in 2023; however, there are a number of provisions that take effect before then, so companies should start taking steps now to prepare. For a summary of key dates, please see our CPRA timeline.

Our Privacy & Security attorneys have an in-depth knowledge of U.S. and international privacy laws and routinely help clients develop data governance programs that speak to broad-based privacy legislation, such as the General Data Protection Regulation and CCPA. Our team is well-versed in the changes the CPRA makes to California privacy law and can provide guidance on the steps your company should take, whether you are creating a privacy program for the first time or adapting an existing framework.

 


CPRA Resources

  • California Privacy Rights Act of 2020 - Key Dates
  • CPRA/CCPA/GDPR Comparison Chart
  • CPRA: Summary of New Rights & Obligations


What You Need to Know

New and Expanded Rights for California Consumers

The CPRA expands the rights granted to California consumers under the CCPA and introduces some new privacy rights, including:

  • The right to opt out of sharing of personal information. “Sharing” is defined as “sharing…or otherwise communicating orally, in writing, or by electronic or other means, a consumer’s personal information by the business to a third party for cross-context behavioral advertising, whether or not for monetary or other valuable consideration,” which essentially refers to interest-based advertising.
  • The right to opt out of certain uses and disclosures of “sensitive personal information,” which refers to personal information that reveals: a consumer’s Social Security number, driver’s license, state ID card, or passport number; a consumer’s account log-in, financial account, debit card, or credit card number in combination with a security or access code, password or credentials; a consumer’s precise geolocation; a consumer’s racial or ethnic origin, religious or philosophical beliefs, or union membership; the contents of a consumer’s email and text messages, unless the business is the intended recipient of the communications; a consumer’s genetic data; a consumer’s biometric data, in certain circumstances; a consumer’s health data; and data concerning a consumer’s sex life or sexual orientation.
  • The right to correct inaccurate personal information.
  • The right to enhanced transparency about a business’s information practices, including information about data retention periods.
  • New rights with respect to the use of automated decision-making technology, including for profiling.

Clarified and Increased Obligations on Businesses

Like the CCPA, the CPRA applies to for-profit entities that do business in California, collect personal information from California consumers, and meet certain threshold criteria. Note that these threshold requirements have changed under the CPRA, so it will be important for companies to assess whether they satisfy the new thresholds, which include:

  • As of January 1 of the calendar year, the company exceeded $25 million in gross revenue in the preceding calendar year.
  • The company buys, sells, or shares the personal information of 100,000 or more consumers or households.
  • The company derives 50% or more of its annual revenue from selling or sharing consumers' personal information.

If any of the criteria above are satisfied, the company will be a “business” under the CPRA.

The CPRA also imposes new obligations on businesses, including requirements related to data retention, data minimization, and purpose limitation, as well as a requirement to pass deletion requests not only to service providers but also to contractors and third parties to which the business has sold or shared information. The law also mandates additional provisions that businesses must include in their contracts with service providers, contractors, and other third parties. Regulations issued under the law are likely to increase auditing requirements, such as performing cybersecurity audits on an annual basis and providing the new enforcement agency with regular risk assessments.

The CPRA also clarifies the law’s impact on loyalty programs given the anti-discrimination provisions and extends the CCPA’s sunset provisions involving the employee exception and business-to-business (B2B) exception to January 1, 2023.

Rulemaking, Enforcement, and Penalties

The CPRA creates a new state agency, the California Privacy Protection Agency, and transfers all rulemaking and enforcement authority to it from the California attorney general. Under the CPRA, this agency is authorized to begin exercising rulemaking authority as soon as July 1, 2021, or six months after the agency gives notice to the California attorney general that the agency will commence rulemaking. The CPRA is subject to 22 different categories of regulations, many with subparts, and final regulations must be adopted by July 1, 2022.

The CPRA tightens enforcement, removing the mandatory 30-day cure period that businesses currently enjoy under the CCPA and tripling penalties for violations that involve minors under the age of 16. The law also expands the types of data breaches that are considered within the scope of the data breach private right of action to include breaches of a username or email address, in combination with a password or security question and answer that would permit access to an online account.

The CPRA may be enforced beginning on July 1, 2023, and only as to violations that occur on or after that date. Given ongoing rulemaking activity, businesses need to remain flexible to be able to shift their compliance strategies accordingly.
