On Tuesday, November 3, 2020, California voters passed Proposition 24, which calls for the adoption of the California Privacy Rights Act (“CPRA”), a statute protecting the personal information of California residents. The CPRA adds stronger privacy protections to California’s existing law, the California Consumer Privacy Act (“CCPA”), and will bring California privacy law more in line with the European Union’s General Data Protection Regulation (GDPR). The California Privacy Protection Agency (“CPPA”) will be created to replace the California attorney general’s office as the statute’s enforcer.
Who is Covered by the CPRA? – The CPRA will apply to any for-profit entity that processes or controls the processing of consumers’ personal information, does business in California, and meets any one of the following conditions: (i) has annual gross revenues over $25 million, (ii) annually buys, sells or shares personal information of 100,000 or more California residents, or (iii) derives fifty percent (50%) or more of its annual revenues from selling or sharing California residents’ personal information.
Even if a business is not “covered” by the CPRA because it does not meet one of the above conditions, it may still be impacted by the law because, as described below, covered businesses that outsource the processing of personal information to business partners must ensure that those partners provide the same level of privacy protection as is required by the CPRA. This means that businesses that process personal information for covered businesses will have to comply with certain requirements of the CPRA even though they are otherwise exempt from the law.
Effective Date – Although the CPRA will not take effect until January 1, 2023, the provisions that apply to the collection of personal information will apply to such information collected on or after January 1, 2022.
New Consumer Rights in the CPRA – In addition to the rights currently existing under the CCPA, consumers will enjoy these additional rights under the new law:
- Correction – The right to correct inaccurate personal information held by a covered business.
- Automated Processing Opt-Out – The right to opt out of the use of personal information for certain automated decision-making processes, including profiling.
- Sharing Opt-Out – The right to opt out of the sharing of personal information with third parties for cross-context behavioral advertising, which is advertising that is targeted to a consumer based on a profile of the consumer’s personal information and activity over time and across platforms.
- Sensitive Personal Information – The right to limit the use and sharing of “sensitive personal information,” a new category of information that includes financial information, certain identification numbers (e.g., Social Security number), precise geolocation, racial and ethnic information, information about one’s sex life or sexual orientation, and genetic, biometric or health data.
- Private Action – The right to bring a lawsuit against a covered business will be expanded.
New Business Requirements in the CPRA – In addition, the following requirements will be imposed upon businesses:
- Implementation of Security Measures – Businesses will be required to implement reasonable security procedures and practices to protect personal information from data breaches.
- Use of Personal Information – Personal information can only be collected, used, and shared to achieve the purposes for which it was collected. The consumer must be notified if the information is to be used in a manner incompatible with those purposes.
- Retention Periods – Businesses cannot retain personal information for longer than necessary based on the purpose for which it was collected. Businesses must adopt data retention periods and notify consumers of them.
- Audits – Under certain circumstances, businesses will be subject to audit by the CPPA for compliance with the law.
- High Risk Processing – With respect to certain higher risk data processing, businesses will have to undergo independent cybersecurity audits and submit risk assessments about such data processing to the CPPA.
- Business Partner Contracts – Contracts with business partners who have access to personal information will have to include certain provisions to ensure that such partners provide the same level of protection as is required by the CPRA.
The process of adopting regulations for the new law will begin in 2021. These regulations will provide further clarification regarding the consumer rights and business requirements described above.
We hope you find this overview helpful. If you have any questions about the CCPA, California’s existing privacy law, or the CPRA, California’s new, more expansive law, please feel free to reach out to us.