CALIFORNIA’S CCPA TO BE STRENGTHENED WITH GDPR-TYPE REQUIREMENTS.
On 24 June, the California Secretary of State certified the California Privacy Rights Act (CPRA). The reader can be excused for thinking “CPRA??…. What is that?…. a new privacy law?…. we already have one — the CCPA — don’t we??”
Well, yes. Californians do indeed have the California Consumer Privacy Act (CCPA). However, “The measure was supposed to provide consumers more transparency about their data. It’s looking more like a muddle,” said a Washington Post news article back in January this year.
News heralding the coming of the CCPA began with:
The California Consumer Privacy Act, which took effect Jan 1 after being adopted in 2018, was hailed by privacy advocates as a great leap forward in holding companies accountable for how they handle personal data, one that would give U.S. consumers their first real glimpse at how they are being monitored and profited from online.
The story continued:
But disclosure in the first few weeks under the law has run the gamut. Some companies have incorrect information on their websites about how the law affects them and consumers. Most companies acknowledge requests with emails or text messages, while other requests seem to disappear once filed. And once obtained, the volumes of data create a new burden for consumers — how to manage it.
First in the Race for Privacy Compliance
California may have been first off the starting blocks to push through a state-level privacy law. Unfortunately, as soon as the last of the celebratory champagne had been consumed, it was evident there may be trouble ahead, and many would have to ‘face the music and dance’.
Despite being heralded as the strictest data privacy law in U.S. history, the CCPA has been fraught with ambiguities, such as its incredibly broad view of “personal data”, causing frustration and confusion not only for businesses based in California, but for just about every organization on the planet that does business in California.
Another problem that businesses didn’t appreciate was the potential impact of the private right of action available under the CCPA. We could mention several other areas of exasperation, but there simply isn’t enough space in this post to go through them all.
These were not the biggest problems presented by the CCPA. It can be argued that the biggest issue was the inconvenience of change. California’s new legislation was rapidly passed and was not vetted. This caused a huge backlash within industry — one that would not go away.
Since it became law on July 1, 2020, after a 6-month ‘period of grace’, prominent consumer privacy advocates across the nation have repeatedly voiced their deep frustration with the California legislature’s efforts to amend the CCPA in 2019 (at the behest of the business community). Finally, there is a more robust and comprehensive privacy law, one even more closely aligned with the European Union’s General Data Protection Regulation (GDPR).
Enter the California Privacy Rights Act
On June 24, the California Privacy Rights Act (CPRA) was certified by the California Secretary of State, to be included on the November 2020 ballot, having gained the requisite number of signatures.
Pre-pandemic polling revealed overwhelming support for the CPRA (ranging as high as 90 percent), and it is widely expected to be duly approved this coming fall.
Described by some analysts as having “a bit of a delayed fuse”, the biggest impact of the new law will not come into effect until January 1, 2023, and will apply — apparently with the exception of the right to data access — only to personal data collected after January 1, 2022.
This should provide ample time for covered organizations to prepare for the CPRA, which appears to broaden and strengthen the CCPA significantly. Assuming there are no delays in the CPRA being voted in, it is highly likely to ignite a copycat effect among other states that are pondering broad privacy legislation.
Moreover, it is also likely to spur lawmakers and members of Congress into urgent efforts to agree a comprehensive federal privacy law, one that would preempt the expanding mishmash of conflicting state-level laws.
Whichever way you look at it, the implications of the CPRA go further than what was being referred to as ‘CCPA 2.0’. There is a lot to digest with the CPRA. And there is no doubt that businesses across the state will need to take a deep breath before comparing the work they’ve already done to comply with the CCPA against the upgraded requirements and responsibilities enshrined in the new law.
With this in mind, we include a brief summary (courtesy of Cyber Law Monitor) of the CPRA’s main innovations and revisions of the CCPA:
Where CCPA applies to for-profit businesses that process the personal information of 50,000 or more California consumers or households, CPRA raises this threshold to 100,000. (CCPA’s alternative tests for applicability – $25 million in annual revenues or realization of 50% or more of annual revenues from the sale of personal information – remain in place.)
In addition to the right to know categories and specific pieces of personal information that a covered business has regarding a consumer, the right to have personal information deleted, and the right to opt-out of sales of personal information (all granted under CCPA), CPRA introduces a new right for data subjects to correct inaccurate personal data held by a business.
CPRA defines a new category of “sensitive personal information,” which includes, among other things, government identifiers (such as Social Security number and driver’s license number), precise geolocation, racial and ethnic information and genetic data, and resembles the “special categories” of personal data for which the GDPR imposes more stringent limitations on collection and processing. CPRA allows consumers to limit the use and disclosure of sensitive personal information to essentially what is necessary to provide the goods or services requested by the consumer and other compatible purposes. A business would be required to clearly and conspicuously display a “Limit the Use of My Sensitive Information” link on its website unless it allows consumers to exercise this option via a preference signal (such as from a browser).
CPRA expands CCPA’s right to know obligations to include “sharing” and disclosure of personal information by a covered business and also expands the sale opt-out to sharing. “Sharing” is defined as transferring information for “cross-context” behavioral advertising (i.e., targeted behavioral advertising that is based on a consumer’s activity across different businesses or Internet properties), regardless of whether or not the transfer occurs in exchange for valuable consideration. A business would be required to clearly and conspicuously display a “Do Not Sell or Share My Personal Information” link on its website unless it allows consumers to opt out from both via a preference signal (such as from a browser).
CPRA extends a consumer’s right to know beyond the twelve-month lookback currently provided under CCPA.
CPRA increases CCPA’s administrative fines to up to $7,500 for an intentional violation or a violation involving the personal information of someone who, to the actual knowledge of the party committing the violation, is under 16 years of age.
CPRA expands CCPA’s private right of action for data breaches caused by a company’s failure to use reasonable security measures to additional types of personal information, specifically an email address in combination with either a password or a security question and answer that would permit access to an account.
CPRA expands CCPA’s right to know and access the specific pieces of personal information a business has regarding a consumer to include a portability-type requirement reminiscent of GDPR. The business must provide the information in a format “easily understandable to an average consumer” and if technologically feasible in a “structured, commonly used, machine readable format.”
CPRA creates a new category of “contractor” alongside CCPA’s “service provider” category. As with service providers, covered businesses must have written contracts with contractors containing certain mandatory provisions, for example, restricting their processing of personal information on behalf of the covered business. There are also expanded requirements for what must appear in service provider contracts. Finally, CPRA directly subjects service providers and contractors to auditing by the businesses for which they process personal information.
CPRA will vest primary rulemaking, administrative and enforcement authority in a new agency to be established by the law, the California Privacy Protection Agency (CPPA), which will assume the authority currently held by the California Attorney-General under CCPA to issue regulations, bring enforcement proceedings and levy administrative fines. Under CPRA’s terms, substantial new regulations – well above and beyond those recently finalized by the California Attorney-General under CCPA – must be issued to further define and expand upon numerous areas of concern identified by the law’s drafters. Among the regulations to be issued would be ones (i) requiring companies deemed to be engaged in high-risk data processing to undergo annual audits as well as risk assessments, and (ii) providing for consumer access and opt-out rights with respect to automated profiling and decision-making (the GDPR provides similar rights to data subjects). The CPPA will be governed by a five-member board with expertise in privacy and technology and whose members will serve terms which may not exceed eight consecutive years.
Because CPRA will be enacted through the approval of the voters rather than the California legislature, the legislature is constrained from passing amendments that degrade the level of privacy protection extended to consumers.
If all goes well in November, and the CPRA gets the ‘thumbs-up’ from voters, covered businesses will do well to immediately start work on a thorough review of their present levels of compliance and make all necessary changes to their data privacy practices and procedures.
Since the CPRA will probably look like the identical twin sister of Europe’s GDPR, the big question for corporate policy-makers is: should we simply extend CPRA protections to all U.S. residents?
Certainly, this would mean greater scalability of compliance efforts — as opposed to maintaining an increasing number of divergent privacy frameworks across multiple jurisdictions. There would also be a lower risk of breaching regulatory and legal requirements.
Naturally, every organization has its own business model, and potential risks will vary significantly. Therefore, businesses should take care to analyze and weigh all available options.
With the prospect of even stricter privacy laws looming large, it would be unwise to delay strategic decision-making where data privacy is concerned.
NOTE: This article is provided for informational purposes only and does not constitute legal or professional advice. The Data Privacy Group recommends that businesses engage the services of an experienced data privacy/data protection practitioner as well as legal counsel when preparing for compliance with data protection and privacy laws.