CCPA’s Sequel Complicates Matters for U.S. Businesses

On November 3, 2020, California voters approved the California Privacy Rights Act (CPRA), which amends the previously enacted California Consumer Privacy Act of 2018 (CCPA). As with the CCPA, businesses physically located outside of California may be subject to the CPRA if they do business in California.

The CPRA expands on the already vigorous privacy protections afforded California residents, creating new rights for consumers and additional obligations for companies that collect, use or sell consumers’ “personal information,” and complicating businesses’ ability to develop data protection plans. Conversely, the amended legislation may exclude more small businesses from having to comply. Finally, businesses must update their existing privacy policy disclosures to refer to these new rights afforded by the CPRA.

1. CCPA remains in effect until the CPRA supersedes it on January 1, 2023. In the wake of its enactment and prior to its effective date, businesses should first consider whether, under the revised threshold requirements, they are subject to CPRA. If so, Evaluate the business’ data practices and whether adjustments to those practices need to be made under the expanded scope of the CPRA;
2. Amend the business’ privacy notices to reflect new consumer rights and disclosure requirements;
3. Undertake early monitoring and compliance initiatives, including review of third-party vendor arrangements, to avoid penalties in the future.

Changes to Which Businesses Must Meet California Privacy Standards

The CPRA still covers businesses located outside of California if they do business in California but the amendment modified the three thresholds set out by the CCPA to determine which businesses are subject to the Act.

With respect to the first threshold, requiring annual gross revenues over $25 million, the CPRA clarifies that revenues are calculated by looking at the “preceding calendar year.” Thus, businesses not operating on a calendar-year basis may need to adjust how they operate or undergo additional accounting to determine if they fall within this statutory threshold.

The CPRA increases the second threshold from 50,000 to 100,000 for the number of consumers or households whose personal information, alone or in combination, is bought, sold, or shared annually. The heightening of this threshold likely will exclude more small businesses from the scope of the CPRA.

Finally, with respect to the third threshold, the CPRA amends its application to businesses that derive at least 50% of their annual revenue from sharing or selling the personal information of California consumers. The addition of “sharing” to this threshold requirement expands the scope of the CPRA.

Expansion of Personal Information

The CPRA adopts the expansive definition of “personal information,” including “information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household” as established in the CCPA. However, the CPRA expands on this already broad definition of protected information by adding a new category of data called “sensitive personal information.” This subcategory of the CPRA’s “personal information” includes such things as government-issued identifiers, financial information, biometric data, health status, union membership, precise geolocation, contents of mail, emails or text messages, and race or ethnic origin and will impose additional obligations on businesses in regard to those categories when it comes into effect.

New Consumer Rights

The CPRA will expand consumers’ rights to restrict the use and disclosure of “sensitive personal information” as they have the right to do with “personal information” under the CCPA. In this regard, consumers may limit the use of their “sensitive personal information” to only that which is necessary to perform services that are “reasonably expected by an average consumer.” These changes expand the scope of businesses’ obligations to comply with consumers’ requests.

The CPRA will also expand consumers’ rights to restrict the use of their “sensitive personal information” to exclude the “sharing” of personal information, even if the information is not exchanged for “monetary or other valuable consideration.” This expands on the rights, created in the CCPA, that allowed consumers to opt out of “selling” of “personal information,” by allowing consumers to opt-out of any sharing of their personal information, whether or not there has been a “sale” and may restrict data use to that which is necessary to provide the services or goods for which it was originally supplied. This amendment closes a significant loophole in the CCPA.

Under the CPRA, data collected from January 1, 2022, onward will fall under an expanded “request to know” obligation. Currently, consumers can only request that a business provide information on how their data has been used in the prior 12 months. The CPRA removes the 12-month limitation, so, conceivably, businesses may have to conduct extensive searches in response to future “requests to know.” At the same time, the CPRA will require businesses to inform consumers of the length of time it intends to maintain sensitive personal information and to limit that retention to only what is reasonably necessary for the disclosed purpose of collection. Businesses will be prohibited from retaining the data beyond the time it is needed to complete the purpose of its collection. As such, businesses may eventually no longer have years of stored data that they need to review in response to consumer requests.

Additional Exemptions Provided

While the CPRA expands the categories of protected information, it also expands some of the exemptions set forth in the CCPA. For instance, just as in the CCPA, “sensitive personal information”, as a subcategory of “personal information”, that has been “de-identified” or “aggregated” is excepted from the consumer right to know and deletion requirements.

The CPRA also expands the scope of the exemption for “publicly available information,” including “lawfully obtained, truthful information that is a matter of public concern”, and information that a business “has a reasonable basis to believe” is lawfully made available to the general public “by the consumer or from widely distributed media.” These new exemptions will give businesses some additional relief from the obligations of the CPRA when the information is public.

Other Key Changes under the CPRA

The CPRA is a massive piece of legislation which makes numerous changes to the CPPA. Some other noteworthy changes include:

• Expansion of Private Right of Action. The CPRA expands the private right of action for consumers to bring claims against a business, to include the unauthorized access or disclosure of the combination of (i) an email address and password; or (ii) security question and answer that would permit access to an account.
• Creation of Privacy Protection Agency. The CPRA creates the California Privacy Protection Agency (CPPA), which will replace the Attorney General’s office as the agency dedicated to enforce the CCPA and CPRA and issue related regulations. The CPPA has been given an initial budget of $10 million to fund its investigation and enforcement activities.
• New Requirements for Service Providers, Contractors and Third Parties. The CPRA requires businesses that send personal information to service providers, contractors or third parties to enter into an agreement binding the recipient to the same level of privacy protection as provided by the CPRA. The agreement must further provide that the third party, service provider or contractor must notify the business if they cannot meet their obligations under the CPRA, and that the business has “the right, upon notice…to take reasonable and appropriate steps to stop and remediate unauthorized use of personal information.”
• Removal of the 30-Day Cure Period. The CPRA removes the existing 30-day period businesses have to cure most alleged violations of the statute and avoid potentially hefty fines. The CPPA will have discretion to allow business to cure alleged violations, but the elimination of a guaranteed right-to-cure makes early monitoring and compliance much more critical.
• Extension of Exemption for Employee and Business-to-Business Data. CPRA extends the CCPA’s existing partial exemptions for information relating to businesses’ employees and job applicants, as well as information collected from consumers in a “business to business” context, until at least January 1, 2023.

What’s Next

CPRA has a long roll out, before it becomes effective on January 1, 2023 and is subject to enforcement no earlier than July 1, 2023. However, regulations are expected to be introduced by July 1, 2022, which covered businesses should also monitor. There is a lesson learned from the CCPA’s rollout: The businesses that used that time to evaluate and amend their privacy policies and practices benefited the most. However, it is important to note that the CCPA is still in effect, and it will remain so until 2023, and while businesses must prepare to comply with the CPRA, they must currently comply with the CCPA and its current definitions, rights, exemptions and obligations.

For assistance with interpreting either the CCPA or the CPRA, or any other privacy law, please contact your attorney.