Privacy Law Update: New California Privacy Rights Act Further Expands California’s Privacy Law Amid the Evolving Privacy Landscape
Consumer privacy continues to be an ever-evolving and active area of law. Right on the heels of the CCPA’s implementation earlier this year, California voters approved even more expansive consumer privacy rights (and corresponding business requirements) in the November 2020 election by passing Proposition 24. What does it mean for businesses, and will the federal government and other states follow suit?
The New California Privacy Rights Act (CPRA)
After businesses in California had seemingly just recovered from exhaustive efforts to comply with the provisions of the brand new California Consumer Privacy Act (CCPA) that went into effect this year, California businesses may well be experiencing a feeling of whiplash after the election. On November 3, 2020, Californian voters approved Proposition 24, a ballot measure that created the California Privacy Rights Act of 2020 (CPRA), or what has been referred to as CCPA 2.0. The CPRA amends and expands the CCPA, further bolstering privacy regulations, imposing additional requirements and risks for businesses in California, and increasing the likely prevalence of regulatory enforcement by creating a new government agency to enforce the CPRA. The new privacy requirements will undoubtedly place a further burden on businesses to comply on the heels of the costs of compliance with the CCPA.
Although the CCPA was already widely regarded as one of the most robust consumer privacy statutory schemes in the United States, the creators and activists behind the original CCPA initiative in 2018 considered it to be merely a baseline for later expansion of additional rights for consumers. Moreover, the creators of the original CCPA were also persuaded to withdraw it as a ballot initiative in favor of passage through the state legislature, where significant amendments to the law were considered or passed. In contrast, the CPRA allows amendments only that are “consistent with and further the purpose and intent of [the] Act.” This effectively makes it very difficult procedurally for businesses to obtain relief from any of the new requirements through the legislative process.
The CPRA applies to all for-profit entities doing business in California that meet one of three thresholds, largely unchanged from the CCPA: (1) $25M in annual gross revenue, measured as of January of the calendar year for the preceding calendar year; (2) annually buys, sells, or shares the personal information of 100,000 or more consumers or households; or (3) derives 50% or more of its annual revenues from selling or sharing consumers’ personal information.
The CPRA’s operative date is January 1, 2023. But some administrative provisions of the CPRA go into effect immediately, on the fifth day after California certifies its election results. These include the creation of a new administrative agency, the California Privacy Protection Agency (“CPPA”), which will have the authority and jurisdiction to enforce the CPRA, and the establishment of the Consumer Privacy Fund. Also immediately effective is the CPRA’s extension of the CCPA’s employee and business-to-business exceptions until January 1, 2023. Note, however, the implication: after that date, employee and business-to-business information will no longer be carved out as “exceptions” from the CPRA’s requirements.
The CPRA’s substantive provisions that modify the CCPA and place obligations on businesses go into effect on January 1, 2023. However, the CPRA has a “look-back” provision, so that once it is effective, it applies to personal information collected by a business on or after January 1, 2022, with the exception of the right to access. There remains a significant amount of uncertainty, and many of the CPRA’s details will still need to be clarified through regulation. The final date for the new Privacy Protection Agency to adopt regulations is July 1, 2022. Enforcement of the new CPRA provisions is not scheduled to begin until July 1, 2023, and can only apply to violations occurring after that date.
Below are some of the more significant changes that the CPRA will bring to enforcement, consumer rights, and the obligations of covered businesses:
New and expanded definitions and terms –
- CPRA expands the types of data and businesses covered by broadening the term “sold” to “sold or shared.” As defined, “share,” “shared,” or “sharing” means “[S]haring, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means, a consumer’s personal information by the business to a third party for cross-context behavioral advertising, whether or not for monetary or other valuable consideration, including transactions between a business and a third party for cross-context behavioral advertising for the benefit of a business in which no money is exchanged.” The definition removes the carve-out for sharing personal information with a service provider (that case is instead specifically addressed by the Act’s definition of “third party”).
- Clarifies that a business is “collecting information” whenever it “controls the collection” of that information.
- Introduces new requirements to qualify as a “service provider” and adds a new definition of a “contractor” that mirrors the definition of a service provider.
New category of “sensitive personal information” - includes, among others, government identifiers (such as Social Security numbers), precise geolocation, the content of nonpublic communications, health information, race and ethnicity, and genetic data. The CPRA imposes separate requirements and restrictions on sensitive personal information: disclosure requirements, opt-out requirements for use and disclosure, an opt-in consent standard for use and disclosure, and limits on the purposes for which the sensitive information can be used. Businesses must disclose and provide notice of the collection of sensitive personal information and the purpose for collecting it.
Creates new or modified consumer rights:
- Right to correction – consumers may request a correction of their information held by a business if the information is not accurate.
- Right to Restrict or Limit Uses of Sensitive Personal Information - Consumers may limit the use and disclosure of sensitive PI for certain secondary purposes, including prohibiting businesses from disclosing sensitive PI to third parties, subject to certain exemptions.
- Rights Related to Automated Decision-Making Technology – The CPRA introduces the concept of “profiling,” allowing consumers to opt out of the use of automated decision-making technology in connection with decisions related to a consumer’s work performance, economic situation, health, personal preferences, interests, reliability, behavior, location, or movements. The CPRA also authorizes regulations allowing consumers to make access requests seeking meaningful information about the logic involved in the decision-making process and a description of the likely outcome of that process.
- Modified Right to Delete - Businesses are now required to notify third parties, service providers, and contractors with whom the business has sold or shared personal information to delete the requesting consumer’s personal information (subject to some exceptions).
- Expanded Right to Know and Access – Consumers can now request and be provided with categories of personal information collected by companies indefinitely, beginning January 1, 2022, instead of the preceding 12-month limit in the CCPA.
- Expanded Right to Opt Out – The CCPA already grants consumers the right to opt out of the sale of their information, but the CPRA expands this to include both “sale” and “sharing” of personal information, including disclosures to third parties for cross-context behavioral advertising (i.e. targeted advertising).
- Strengthened Opt-In Rights for Minors - Extends the opt-in right to explicitly include the sharing of personal information for behavioral advertising purposes.
- Expanded Right to Data Portability - Under the CPRA, consumers may request that the business transmit specific pieces of personal information to another entity, to the extent it is technically feasible.
- Additional Notification Obligations — In addition to informing consumers of the categories of personal information collected, covered businesses that collect information must also inform consumers of the categories of sensitive personal information collected and the length of time the business intends to keep each category of information (data retention periods).
Requires governing agreements for information sharing – The CPRA now requires a business to enter into an agreement with any entity to which it discloses personal information, including third parties, service providers, or contractors, that specifies the limited and specific purposes for which the personal information is disclosed.
Provides data minimization requirements – The CPRA establishes a general obligation that promotes the European Union GDPR’s principles of data minimization, purpose limitation, and the duty to avoid secondary use. A business’ collection, use, retention, and sharing of personal information must be minimized to what is reasonably necessary and proportionate to achieve the purpose for which the information was collected; a business cannot collect or use information for purposes incompatible with what has been disclosed; and businesses may not retain personal information for longer than is reasonably necessary.
Creates a dedicated enforcement agency – The CPRA sets up the new California Privacy Protection Agency, which will have broad investigative, enforcement, and rulemaking powers. Businesses could face administrative or civil fines of up to $2,500 for each violation or $7,500 if a violation is deemed intentional or involves minors. The CPRA does not specify whether a violation could be deemed to be “per consumer,” making compliance even more important.
Eliminates automatic 30-day violation cure period for enforcement actions – Under the CCPA, businesses were given 30 days to cure alleged violations before any administrative enforcement by the Attorney General. The CPRA eliminates that automatic cure period, leaving any time period to cure to the discretion of the Privacy Protection Agency based on the violating business’ intent to violate and its voluntary efforts to cure before being contacted by the Agency.
Private right of action – Fortunately, the CPRA does not create a new private right of action. However, the CPRA does add consumer login credentials (email/password/security questions) to the list of data types that can be actionable under the law if breached. The CPRA retains the CCPA’s 30-day cure provision for private actions, but now specifies that the implementation and maintenance of reasonable security procedures and practices after a breach does not constitute a cure.
Audit Obligations - The CPRA authorizes regulations that will require mandatory risk assessments and cybersecurity audits for high-risk activities (processing of information that presents a significant risk to consumers’ privacy or security), which must be submitted to the Privacy Protection Agency.
Even businesses that are currently compliant with the CCPA will need to take further steps to bring themselves into compliance with the CPRA, including, at the very least, updating notices and privacy policies. Even though businesses have a couple of years to ramp up for the CPRA, and regulations still need to be promulgated that would hopefully clarify the enhanced requirements, businesses would be well-advised to begin taking action well before then so that they are in a position to comply with obligations relating to personal information collected on or after January 1, 2022. It is never too early to detail your organization’s data-mapping processes, establish cybersecurity and data protection programs, evaluate and adopt a comprehensive data retention policy, create mechanisms for responding to consumer requests, and review vendor and third-party agreements to be ready for compliance by January 1, 2023.
What About the CCPA?
Until the CPRA takes effect in January 2023, the CCPA remains in full force and businesses must comply with its requirements. The Attorney General’s enforcement of the CCPA began on July 1, 2020. With the pandemic and the delay in finalizing the regulations, it was unclear how or when enforcement by the Attorney General would actually begin. However, in a July keynote presentation with the International Association of Privacy Professionals, California’s Supervising Attorney General Stacey Schesser stated that the Attorney General sent initial compliance letters on the first day of enforcement, targeting noncompliant businesses in multiple industries and business sectors. The content of the letters is confidential, but Schesser acknowledged that the first round of letters focused on businesses that operated online and were missing key privacy disclosures or a necessary opt-out option, and that the targets were chosen in part based on consumer complaints, including on social media.
Under the CCPA, any business that received a letter would have 30 days to cure any alleged violation before the Attorney General may decide to open an investigation. Schesser also noted that going forward the Attorney General could utilize a variety of laws in his arsenal, including the California Online Privacy Protection Act and California’s Unfair Competition Law, and that an investigation initiated pursuant to a CCPA complaint would not necessarily be limited to CCPA compliance. This fresh-out-of-the-gate approach indicates that the Attorney General is intent on robust enforcement of the CCPA, and businesses should be prepared for more rigorous enforcement proceedings in the future. Businesses should make sure they have taken steps to be in compliance with the CCPA and contact counsel if they receive any letter of noncompliance from the Attorney General.
Litigation under the private right of action has also been increasing, including class actions. Moreover, although the private right of action under the CCPA is supposed to limit private plaintiffs to data breaches, the cases filed that cite CCPA violations have not been limited to breach allegations (although there have been plenty of data breach cases as well). Plaintiffs’ attorneys have been stretching the failure to abide by CCPA provisions into a basis for asserting claims under the Unfair Competition Law (Cal. Bus. & Prof. Code § 17200). Plaintiffs have been creative in other ways too. For example, although no specific data breach had occurred, in In re Zoom Video Communications, Inc. Privacy Litigation, No. 5:20cv2155 (N.D. Cal. 2020), the plaintiffs alleged that Zoom violated the CCPA through its collection of personal data and sharing of that data with third-party operators such as Facebook without notifying consumers or giving them the right to opt out. Plaintiffs used the CCPA to hook claims under California common law invasion of privacy, but in the related case of Buxbaum v. Zoom, the plaintiff had previously characterized these Zoom practices as a data breach or “exfiltration,” alleging that “[b]y allowing user name and password to be exfiltrated, Zoom violated the CCPA,” thereby falling under the CCPA’s private right of action. Private litigation will undoubtedly continue to multiply, so businesses would do well to ensure they are in compliance with the CCPA to mitigate their risk.
Is A Federal Consumer Privacy Law On The Horizon?
In the United States, the CPRA could influence other states’ privacy laws and may energize efforts to pass federal privacy legislation. If your company does business in multiple states, it may have to abide by a slowly increasing number of state privacy acts as proposed bills are passed by state legislatures. For example, in Washington the proposed Washington Privacy Act of 2021 has revised previous bills and will make a third attempt to pass the legislature.
A federal consumer privacy law would be useful in alleviating patchwork privacy requirements. The United States has a patchwork of sector-specific privacy laws and regulations for certain industries, but currently there is no comprehensive federal law that governs data privacy in the United States, and the likelihood of comprehensive privacy legislation being passed by Congress remains uncertain. That is not to say that the issue has not already been raised. Members of both sides of the aisle have increasingly come to recognize consumer privacy as an issue and, even though debate continues around a private right of action and state preemption, both parties have been advancing and promoting draft privacy bills and proposals. It increasingly seems that it may not be a matter of “if,” but rather “when,” Congress acts to pass robust federal consumer privacy legislation. Some privacy experts are optimistic that under President Biden’s administration the discussion and push toward a process for federal legislation will become a more pressing priority. We will have to wait and see.
If you have any privacy related questions, contact the authors and the other attorneys in the Data Security and Privacy team at Atkinson Andelson Loya Ruud & Romo to help you navigate any potential actions. If your business is faced with a lawsuit or regulatory enforcement action, AALRR has a team of data privacy litigators well-versed in the CCPA and related law ready to step in and defend you.