California voters approved Proposition 24, also known as the California Privacy Rights Act (CPRA), in November 2020. The ballot initiative, which passed with approximately 56% support from voters, expands the California Consumer Privacy Act (CCPA), establishes a new privacy regulatory agency, provides new rights for consumers and imposes new obligations on businesses. The CPRA’s enforcement date is January 1, 2023, but because businesses will need to disclose their data processing activities over the previous year, the practical impact of the CPRA begins on January 1, 2022. Therefore, most companies would be wise to start preparing for the CPRA now.
We have identified the 10 most significant changes introduced by the CPRA, in priority ranking, and a corresponding “task list” for privacy leaders to consider for the rest of 2021:
- A New Enforcement Agency: The CPRA creates the first state privacy agency in the U.S., called the “California Privacy Protection Agency.” With a dedicated agency and designated funding, we can expect more active enforcement of the CCPA/CPRA than the California Attorney General alone would have been expected to provide. The agency will be governed by a five-member board. The governor, the attorney general, the Senate Rules Committee and the speaker of the assembly shall each appoint one member, with the governor appointing one additional and important member — the chair. The members will serve at the pleasure of their appointing authority but not longer than eight consecutive years. The agency will have authority to administer, implement and enforce the CPRA through administrative actions. The agency will also issue regulations on a host of issues and have an adjudicative function with authority to issue administrative fines of up to $2,500 for each violation, or up to $7,500 for each intentional violation or violation involving the personal information of minors. The agency will also have the power to audit businesses for compliance with the law. § 1798.199.10(a).
- Automated Decision-Making Disclosures: The CPRA instructs the new California Privacy Protection Agency to issue regulations about artificial intelligence, notice obligations, and consumers’ ability to opt in or opt out of technology that could make decisions about them automatically. Businesses will need to provide “meaningful information” about the logic of their automated decision-making processes and the likely outcome for the consumer. In short, businesses should prepare to publicly disclose more information about their algorithms and explain the logic of a specific algorithm to a potentially affected consumer. § 1798.185(a)(16).
- Broader Notification Obligations: The “Just in Time” notice that is required to be provided to consumers, at or before the point of collection, now must include much more nuanced information than under the CCPA. For example, it must describe how long a business intends to retain information (see #4 below), or at least the criteria that will determine the retention period. The notice also must describe the categories of “sensitive personal information” to be collected (if at all), as well as the purpose for the collection and use of such information. § 1798.100(a).
“Sensitive personal information” means personal information that reveals:
- Government identification numbers
- Financial account information along with access codes
- Precise geolocation
- Racial or ethnic origin, religious or philosophical beliefs or union memberships
- Content of email or text messages
- Genetic data
- Certain biometric information
- Certain health information
- Certain information concerning a consumer’s sex life or sexual orientation
§ 1798.140(ae). Any notice obligations will now apply to the business that controls the collection of personal information — similar to a GDPR “data controller” — not the company that collects the information itself. These notice requirements are in addition to the now-explicit requirement that such notices describe whether the information is shared or sold. § 1798.100(a).
- Data Minimization and Storage Limits: The CPRA imposes a new data minimization requirement with respect to the collection, use, retention and sharing of personal information. Businesses may only collect, use, retain and share personal information reasonably necessary to achieve the purpose for which the information was collected or processed. § 1798.100(c). Notably, businesses must also inform consumers of “the length of time the business intends to retain each category of personal information.” § 1798.100(a)(2). This will require businesses to assign retention periods to some data for the first time, or to refresh and publish some portion of their internal data-retention policies.
- Do-Not-Track is Back: In keeping with earlier CCPA regulations, the CPRA doubles down on a requirement that businesses honor consumer choices not to share their personal information with third parties, as signaled through a global privacy control (i.e., a browser Do-Not-Track setting). The new agency is instructed to issue regulations defining technical specifications for a “platform, technology, or mechanism” regarding a consumer’s intent to opt out of the sale or sharing of personal information. § 1798.185(a)(19)(A).
- Data “Sharing” Now Regulated: The CPRA removed any doubt that “sale” also means “share.” Consumers will have the right to opt out of the “[s]ale or [s]haring” of their personal information, which by definition explicitly includes “cross-context behavioral advertising.” §§ 1798.120 and 1798.140(ah).
- The CPRA defines “cross-context behavioral advertising” as targeted advertising to a consumer based on the consumer’s personal information obtained from the consumer’s activity outside the business, or outside the distinctly branded websites, applications or services with which the consumer intentionally interacts. § 1798.140(k). Notably, this definition is tech-agnostic and does not mention “third-party cookies.” Therefore, the law will apply to exchanges of personal information for advertising purposes even as the internet moves away from third-party cookies.
- The CPRA allows consumers to consent to third-party tracking, but such consent cannot be obtained via “dark pattern” techniques. § 1798.140(h). The CPRA defines a “dark pattern” as a user interface that subverts or impairs user autonomy, decision-making or choice as further defined by regulation. § 1798.140(l). In short, this provision is meant to combat efforts aimed at undermining knowledgeable consent from consumers.
Together, the Do-Not-Track provision and the new “sharing” definition mean that the CPRA will likely have a significant impact on the entire ad-tech ecosystem that currently tracks user behavior and preferences across most modern web sites, social media and physical stores.
- Enhanced Consumer Rights: The CPRA enhances existing consumer rights under the CCPA and creates new rights to correct inaccurate personal information (i.e., a right to rectification) and to restrict “sensitive personal information.”
Consumers will have the right to correct inaccurate personal information, and businesses will be required to use commercially reasonable efforts to correct any mistakes. New regulations will determine the all-important question regarding what is “inaccurate.” § 1798.106.
In addition, consumers will have a new right to limit the use and disclosure of sensitive personal information. Specifically, consumers will have the right to tell a business to use sensitive personal information only to perform the services or provide the goods requested. § 1798.121.
- Extended Employee and B2B Exemptions: The CPRA extends the business-to-business communication and employee information exemptions. §§ 1798.145(m)(1) and (n)(1). New exemptions were added as well:
- Consumers cannot exercise their Do-Not-Sell rights to block the exchange of information between a new motor vehicle dealer and the vehicle manufacturer if the information is shared to cover a vehicle repair under a warranty or recall. § 1798.145(g).
- The CPRA also exempts data collected pursuant to the Federal Farm Credit Act of 1971, on top of the previous CCPA exemptions for data covered by other statutes (HIPAA, GLBA, etc.). § 1798.145(e).
- Narrower Coverage: The CPRA changes the range of covered “businesses” under the statute. The CCPA covered those companies that collect information from 50,000 consumers, households or devices, but the CPRA raised that threshold to 100,000 consumers or households. The CPRA also clarifies that the revenue threshold of $25 million applies to revenue from the “preceding calendar year.” § 1798.140(d)(1)(A) and (B).
- Restriction on Legislature to Amend: Finally, in response to critics who alleged that the original CCPA became “watered down” by the legislative process, the CPRA limits the power of the state legislature to change the law. The California Legislature may only pass amendments to the statute that “are consistent with and further [its] purpose and intent.” CPRA Section 25.
Tasks for 2021
- Updating Links and Policies: As noted above, the CPRA includes new rights to correct and to limit the use of newly defined “sensitive personal information” and regulates the sharing (not just selling) of personal information. As a result, businesses will need to update their “Do Not Sell My Personal Information” links to read “Do Not Sell or Share My Personal Information,” and include a separate link titled “Limit the Use of My Sensitive Personal Information” where such information is collected. Note that the CPRA does permit a single link if it leads to a webpage allowing the consumer to both opt out of the sale/sharing of personal information and limit the use of sensitive personal information. Importantly, a business will not need to provide such links if it complies with automated opt-out signals sent from browsers or other extensions.
- Updating Vendor Contracts: The CPRA requires businesses to impose broader duties on their service providers and contractors to protect information, comply with audit requests, and assist businesses in responding to consumer requests or other CCPA obligations.
- Even More Data Mapping: For those who love to find data squirreled away in their companies, the CPRA will offer a new opportunity to go digging. If they have not done so previously, businesses will need to identify any information that is shared, not just sold. Also, businesses will need to catalog and disclose the sensitive personal information they collect or use. To meet the CPRA’s data minimization requirements, businesses also will need to fill in a blank on many U.S. data maps — the column or field labeled “Retention Period.” Finally, data mappers will need to study their company’s use of artificial intelligence to determine where, how and why complex algorithms are at work.
- Expanding Responses to Data Subject Access Requests: The CPRA now requires businesses to use commercially reasonable efforts to correct inaccurate personal information in response to a verifiable consumer request. In addition, while the CPRA imposes a one-year lookback on disclosures of processing activity, the CPRA will eventually lift that one-year lookback on consumers’ requests for all categories of personal information. January 1, 2022 will serve as a stake in the ground for consumer requests, but by 2024 or 2025, businesses will need to respond to access requests covering years of activity, not just the current 12-month lookback under the CCPA. Thus, businesses will have to adjust their response procedures — or be ready to explain why they cannot meet a consumer request because “doing so proves impossible or would involve a disproportionate effort.” Businesses also will need to determine when they can legitimately reject a deletion request under the CPRA: because the data is reasonably necessary for business operations or security, or because service providers or contractors need the consumer’s personal information to fulfill the terms of a written warranty or product recall.
Businesses also should consider how they will respond to California consumers who exercise their new privacy rights. Responding to do-not-share requests will be broader and more complex than responding to do-not-sell requests. Businesses also will need to field new requests to correct information or limit the use of sensitive data. Finally, with more privacy laws looming, many U.S. businesses will need to consider whether they should take a national approach to privacy requests or remain focused on California residents. Multinational businesses likewise may need to consider whether to take a “global” privacy approach or adopt a jurisdiction-specific U.K./European/Brazilian/Chinese/Californian/etc. model.
- Double-Checking the Law’s Applicability: A limited number of businesses may want to check with counsel about the applicability of the CCPA/CPRA overall. With the CPRA’s clarification of the revenue threshold and the increase in the number of consumers or households served (minus devices), some smaller businesses may find that they have escaped the burden of the CCPA/CPRA altogether. Such businesses may want to temper their glee, however, because the push toward tighter privacy and cybersecurity regulations will continue apace, across the United States and around the world.
- Potentially Assessing High-Risk Activities: The CPRA directs the California Attorney General to issue regulations covering businesses whose processing presents significant risks to consumer privacy and security. These “high-risk” businesses will then need to perform annual security audits and submit regular risk assessments to the new California Privacy Protection Agency. In light of these coming duties, companies that collect large volumes of sensitive data would be wise to build out their internal audit programs now.
- Advertising After Do-Not-Track: Perhaps most daunting, businesses will need to anticipate what advertising looks like with fewer cookies, tags and pixels. Businesses will need to recognize and start reacting to Do-Not-Track signals and may need to adopt new opt-in marketing strategies.
For any business that has substantial contact with California consumers, the CPRA presents many challenges. Because a one-year lookback will apply to any privacy policies and/or notices, companies would do well not to wait until 2023 to commence their compliance efforts. They can and should start on those efforts now.