The November 2020 California general election brought major changes to the State’s privacy regime that will require substantial compliance efforts by covered businesses over the next 12-24 months. The new CPRA was approved by voters in the November general election and officially became law on December 16, 2020, five days after election results were certified. The CPRA substantially amends and amplifies the requirements of the CCPA, bringing California privacy law closer, in many respects, to Europe’s GDPR. The main provisions of the CCPA will continue in full force and effect until the CPRA becomes fully operative on January 1, 2023; between now and then there is a rolling series of implementation dates that will impact the compliance efforts of CPRA-covered businesses.
The CPRA is an amended and amplified version of the CCPA – in fact, some have referred to it colloquially as “CCPA 2.0”. The CPRA slightly raises the threshold for determining what is a covered “business”. This means that until January 1, 2023, a company doing business in California is covered by the existing requirements of the CCPA where it (1) has $25M in annual gross revenues, or (2) collects for a commercial purpose the personal information of 50,000 or more California consumers, households or devices, or (3) derives 50% or more of its revenues from selling personal information.
As of January 1, 2023, the “original” version of the CCPA goes away, and businesses will only be covered by the surviving CPRA to the extent they (1) had $25M in annual gross revenues as of January 1 in the preceding calendar year, or (2) buy, sell or share the personal information of 100,000 California consumers or households, or (3) derive 50% or more of their revenues from selling or sharing personal information. In light of this revised test, most companies that triggered the coverage threshold based on annual revenues likely will continue to be covered, but many businesses that were covered by the CCPA merely because they collected the personal information of 50,000 devices (a threshold not difficult to trip for many online businesses), for example, will now fall outside the scope of the CPRA.
The CPRA also provides for the creation of the California Privacy Protection Agency (Agency), further detailed below, to be responsible for enforcement of California’s consumer data privacy laws, shifting this responsibility from the California Attorney General as of July 1, 2021. The Agency will have a five-member board, with the Chair and an additional seat appointed by the Governor and the Attorney General, Senate Rules Committee, and Speaker of the Assembly each appointing one seat.
In addition to changing who is covered by the law, some of the CPRA’s most noteworthy changes include:
- Sunsetting the CCPA’s exception for employee personal information and B2B personal information on January 1, 2023 – this means that California employers and traditional B2B businesses that are “covered businesses” under the CPRA will need to take substantial steps between now and January 1, 2023, to roll out a CPRA compliance program in respect of their HR-related and B2B-related personal information.
- Introducing an explicit, overarching purpose limitation obligation, in which collection and use of personal information must be bounded by principles of necessity, proportionality, and compatibility. In particular, a business’ collection, use, retention, and sharing of personal information must be:
  - Reasonably necessary and proportionate to achieve the purposes for which the personal information was collected or processed, or for another disclosed purpose that is compatible with the context of the collection; and
  - Not further processed in a manner incompatible with those purposes.
- Establishing several new consumer rights, such as the right to correction, and creating a new category, “sensitive personal information”, more in line with the GDPR’s definition, while substantially increasing compliance requirements in respect of this kind of information. The definition of sensitive personal information includes:
  - Personal information that reveals a consumer’s SSN, driver’s license number, or passport number, account credentials, precise geolocation, racial or ethnic origin, religious beliefs, biometric data, personal information concerning a consumer’s health or sex life or sexual orientation, as well as contents of a consumer’s mail, email and text messages.
- Streamlining and eliminating potentially overly broad exceptions available for the CCPA’s existing right to delete.
- Adding a new consumer right to correct inaccurate personal information.
- Expanding the “Do Not Sell” opt-out requirement to mere “sharing” of personal information for purposes of cross-context (or third party) advertising.
- Requiring businesses to affirmatively respect a consumer’s opt-out preference signal – see 1798.135I.
- Implementing a new set of vendor flowdown requirements that will require covered businesses to revisit contracts they likely already revised for the CCPA.
- Adding an independent and explicit duty for businesses handling consumers’ personal information to implement reasonable security procedures and practices:
  - “A business that collects a consumer’s personal information shall implement reasonable security procedures and practices appropriate to the nature of the personal information to protect the personal information from unauthorized or illegal access, destruction, use, modification, or disclosure[.]”
- Requiring enactment of regulations to direct businesses that process personal information in a manner that presents “significant risk” to consumers’ privacy or security to:
  - Perform annual (“thorough” and “independent”) cybersecurity audits; and
  - Submit to the newly formed Agency on a regular basis a risk assessment with respect to their processing of personal information, including identifying and weighing the business benefits of processing the information against the potential risks to consumer rights. Factors to consider in determining whether processing presents a “significant risk” include the size and complexity of the business and the nature and scope of the processing activities.
Much like the CCPA, key details of the CPRA will be further fleshed out by regulations, including right of correction rules, technical requirements for opt-outs, and data use agreements for service providers and the newly defined “contractor” entities. The CPRA imposes July 1, 2022, as the deadline for adopting final regulations, so the new Agency will have its work cut out for it in the next 18 months to allow time for comment, revision and adoption.
For a list of immediate action items that companies doing business in California can do now, see our latest update: Top 10 Action Items for 2021: The California Privacy Rights Act (CPRA).