Get ready: The CCPA is now the CPRA
Ron Whyte, SVP and group executive, FIS and Elena A. Lovoy, chief regulatory counsel and privacy officer, CENTRL, Inc.
December 14, 2020
The California Privacy Rights Act (CPRA) was voted into law on November 3, 2020 by 56% of the Golden State’s voters. Although this was not the landslide victory predicted in earlier polling, 9 million Californians voted in favor of these new consumer privacy protections. The CPRA, which is frequently referred to as “CCPA 2.0,” amends, expands, and strengthens the CCPA. It closes certain CCPA loopholes while arming consumers with more control over the privacy of their personal information (PI). It will go into effect on January 1, 2023.
The CCPA was spearheaded by California real estate developer Alastair Mactaggart and the Californians for Consumer Privacy coalition as a ballot initiative for the November 2018 election. Mactaggart’s story starts with a conversation he had with a Google engineer who told Mactaggart that he would be "horrified" to know how much data Google collects on its users. He investigated and as a result, decided to take matters into his own hands by pushing for the enactment of a comprehensive consumer privacy law in California. Instead, the state legislature moved forward with the CCPA in 2018 because they wanted to take a pre-emptive strike and adopt a law over which they had some control. The CCPA went into effect on January 1, 2020 and businesses have been navigating compliance with this new law since that date.
Mactaggart and his group did not disappear. They drafted a new ballot initiative, the CPRA, to add even more privacy protections to California law. Although the requirements of the CPRA will be effective in about two years, all other provisions of the current law remain in place and enforceable. In fact, enforcement of the CCPA began on July 1, 2020 and the penalties for noncompliance can be quite costly.
Key components of CPRA
As mentioned, the CPRA will expand consumer privacy rights and includes the following new requirements on businesses:
- Prevents businesses from “sharing” the PI -of consumers with third parties if the consumer has opted-out of such sharing
- Limits the use of “sensitive PI” by businesses, including such information as precise geolocation, race, religion, sexual orientation, social security numbers, specified health information, and other categories of PI
- Prohibits the retention of PI by businesses for longer than reasonably necessary
- Triples the penalties for violations involving minors under 16
- Establishes a new “California Privacy Protection Agency”, which will take over rulemaking duties from the California Attorney General’s office and enforce the requirements of the CPRA
- Expands the private right of action for consumers
- Prescribes new regulations addressing, among other things, opt-out links, privacy risks assessments, and annual cybersecurity audits
Covered business modifications
The CPRA amended the definition of “business”. To be a business subject to the CPRA, one of the following must be present:
- At least 50% of annual revenue must come from the sharing or selling of PI of California consumers
- Have annual gross revenue over $25 million
- Buys, sells, or shares the PI of more than 100,000 California consumers/households.
The CPRA doubled the number of consumers/households from 50,000 under the current CCPA to 100,000. As such, some businesses may find themselves outside the scope of the CPRA. However, the current 50,000 threshold will still apply until 2023.
In addition to the changes noted above, new rules governing opt-out rights connected with use of automated decision-making technology will be released. Such practices include, but are not limited to, consumer/employee profiling tied to work performance, economic circumstances, health, location, and other factors.
What businesses will need to do to prepare
To get ready for the CPRA, companies will need to go back to the drawing board. Certain PI will need to be classified as sensitive PI and certain data that is being shared, but not sold, to third parties may be subject to the new right to prohibit the sharing of this data. All of these changes will require a fresh look at, and likely revisions to, the privacy notices that businesses provide to California residents. The same will be true for data subject access request (DSAR) portals. These will need to be revised to add all of the new consumer rights under the CPRA. In addition, companies will need to rely on their data mapping capabilities, privacy compliance expertise, and custom software options to automate these new processes.
Now that CPRA has passed, it may provide other states with a template to adopt similar comprehensive consumer privacy laws in 2021. The new Congress may also try to finally push a federal privacy law forward in 2021 which could preempt state laws. If companies and consumers have to navigate a patchwork of conflicting state-based legislation, this could tip the scales in favor of privacy action at the federal level.