On November 3, 2020, California voters passed the California Privacy Rights Act (CPRA) ballot initiative, with a little less than 60% of the vote in favor of the measure (as of publication). The initiative, submitted by the architects of the California Consumer Privacy Act of 2018 (CCPA), had previously garnered 900,000 signatures – far more than the roughly 625,000 required to qualify for the 2020 ballot.
The CPRA amends the CCPA, adds new consumer rights, clarifies definitions and creates comprehensive data protection and data security obligations for the processing and protection of personal data. These significant changes require companies to reassess their privacy and data security programs to comply with legal requirements.
Effective date and schedule for enforcement
The CPRA changes come into effect on January 1, 2023, and apply to personal data collected by companies on or after January 1, 2022 (except for a consumer’s right to access their personal data). Enforcement of the CPRA changes does not begin until July 1, 2023.
The CCPA’s existing exemptions for business contacts, employees, applicants, owners, directors, officers, medical workers and independent contractors will remain in effect until December 31, 2022.
The newly created California Data Protection Agency (“Agency”) must finalize the rules by July 1, 2022. For more information about the agency and its role in enforcing the amended CCPA, see our previous article.
The adoption of the CPRA has no impact on the enforceability of the currently implemented CCPA.
New rights under the CPRA
In addition to the CCPA’s rights to know, to delete, and to opt out of the sale of personal information, the CPRA creates the following new rights for California consumers:
- The right to correct personal data
- The right to limit the use of sensitive personal data
- The right to opt out of the sharing of personal data
These rights are explained in more detail in our previous article.
What are the new compliance obligations for companies subject to the CPRA?
The CPRA creates new obligations that are similar to the principles of data processing in the General Data Protection Regulation (GDPR) of the European Union. These responsibilities include:
- Transparency: Businesses need to be specific and clear about how they collect and use personal data and how consumers can exercise their rights and choices.
- Purpose limitation: Businesses may only collect, use, or disclose a consumer’s personal information for specific, explicit, and legitimate disclosed purposes, and not for reasons incompatible with those purposes.
- Data minimization: Companies may only collect personal data from consumers insofar as it is relevant and necessary for the purposes for which it is collected, used and shared.
- Consumer rights: Businesses need to provide easily accessible means for consumers to obtain, erase or correct their personal information, opt out of sales and sharing across business platforms, services, businesses and devices, and limit the use of their sensitive information; and
- Security: Organizations must take reasonable precautions to protect consumers’ personal information from a security breach.
The agency’s rulemaking will also include a number of new requirements, including:
- A requirement that companies whose processing of consumer personal data presents a significant risk to consumer privacy or security must (i) undergo an annual cybersecurity review and (ii) regularly submit to the Agency a risk assessment of their processing of personal data;
- A requirement that companies grant access and opt-out rights in relation to the use of automated decision-making technologies, including profiling, and that a company’s response to an access request contain meaningful information about the logic involved in that decision-making process; and
- Requirements and technical specifications for an opt-out preference signal that indicates a consumer’s intent to opt out of the sale or sharing of personal information, or to limit the use or disclosure of the consumer’s sensitive personal information.
Additional obligations are described in more detail in our previous article.
Do companies need to cancel their CCPA compliance programs and start over with a new CPRA compliance program?
Absolutely not. An existing CCPA compliance program will be an important and necessary foundation for CPRA compliance. However, companies subject to the CPRA will need to expand their existing compliance programs to include, for example, updates to privacy notices (including their privacy policies and notices at collection), procedures for the additional consumer rights, updates to service provider and contractor agreements, and new requirements for record-keeping and cybersecurity assessments.
What should companies do now?
Although the changes made by the CPRA will not be enforceable until 2023, we recommend that companies:
- Review the revised definition of “business” to see whether the amended CCPA continues to apply to your business. The changes: (i) increase the threshold for buying, selling or sharing personal information from 50,000 consumers or households to 100,000 consumers or households; (ii) narrow the common-branding test so that it covers only commonly branded companies with which a business shares consumers’ personal information; (iii) include joint ventures or partnerships in which the companies involved hold at least a 40% interest; and (iv) bring into scope any business that voluntarily certifies to the Agency that it complies with, and agrees to be bound by, the legal requirements.
- Consider how the company documents and maps its use of sensitive personal information so that it can honor consumer requests to limit that use.
- Determine whether the new obligations and requirements should apply only to California consumers, or whether it would be easier for the company to implement them for all consumers, whether or not they live in California.
- Consider and plan the budget and resources you may need to bring your current CCPA program into line with the CPRA changes.
Are further changes to California’s privacy law expected?
Since the CPRA can be amended by California lawmakers through the normal legislative process, we recommend that you continue to monitor developments and adjust your preparations accordingly.