CPRA Passes, Further Bolstering Privacy Regulations and Requirements in California

The CPRA, also referred to as CCPA 2.0, is a more robust version of the CCPA. The original drafter of the CCPA put CPRA on the ballot to amend and bolster key provisions in the CCPA.

A summary of notable updates that businesses will be required to comply with under the CPRA are covered below:

Privacy Policy Updates

Businesses will have to update their privacy policies with the following:

  • Sensitive Personal Information. Businesses that collect “sensitive personal information,” defined further below, must disclose the categories of sensitive personal information collected, the purposes for which the information is collected or used, and whether such information is sold or shared.
  • Retention Period. Businesses must disclose the length of time they intend to retain each category of personal information. If this is not possible, then businesses must disclose the criteria used to determine retention periods. As many businesses currently use language such as “information is retained for as long as necessary for the purpose for which it was collected,” it remains to be seen if this more general language will continue to be sufficient or whether more detailed disclosure about the retention criteria will need to be disclosed.

Purpose & Use Limitations

  • Necessary and Proportionate. Businesses must consider whether their collection, use, retention, and sharing of personal information is “reasonably necessary and proportionate” for the purposes for which the personal information was collected and the purposes disclosed in the privacy policy. For businesses already complying with Europe’s General Data Protection Regulation (GDPR), this may be akin to a legitimate interest analysis process.
  • Use Limited to Disclosed Purposes. Businesses must not further handle the personal information in a manner that is incompatible with disclosed purposes.

Contractual Requirements

  • Agreements with Third Parties. The CPRA more explicitly requires that businesses that share or sell personal information with a third party must have appropriate contractual provisions in place. For example, the agreement must limit selling or sharing of data for limited and specified purposes, provide privacy protection for the data, and third parties must grant businesses the right to take steps to stop and remediate unauthorized use of personal information.
  • Service Provider Support. The CPRA repeatedly clarifies that service providers are obligated to support businesses in their compliance with the CPRA, including assistance with processing data subject requests. Contracts may also permit businesses to monitor service providers’ compliance with contractual provisions through means such as ongoing manual reviews, automated scans, regular assessments and audits, or other testing at least once every 12 months.

New Rights and Methods to Exercise Rights
In addition to the existing CCPA rights, the CPRA creates several new rights for California residents.

  • Right to Correct Inaccurate Personal Information. The CPRA creates a new right for California residents to correct inaccurate personal information. Further clarification on this right is forthcoming in regulations.
  • Right to Limit Use and Disclosure of Sensitive Personal Information. California residents have the right to direct businesses to limit use of sensitive personal information to what is necessary to perform services or provide goods. In order for businesses to use or disclose sensitive personal information for any other purpose, businesses must receive subsequent consent for the additional purposes.
  • Right to Opt-Out of Sale or Sharing. The CPRA provides a new right to opt-out of sharing of personal information. Sharing (a new term under CPRA, defined below) refers to providing personal information to a third party for cross-context behavioral advertising, whether or not for monetary or other valuable consideration. Note, short-term transient use of personal information limited to non-personalized advertising shown as part of a current interaction with the business and not disclosed to another third party is considered a “business purpose,” and not subject to the opt-out right. This means that personal information used for advertisements for shoes on a site selling shoes or a third party advertisement in a blog are acceptable business purposes where the personal information isn’t shared with a third party, is not used to build a profile about the user, is limited to the user’s current interaction with the business, and does not alter advertisements outside the current interaction. This carve-out from the definition of a “sale” was provided in similar form under CCPA and now, under CPRA, has been slightly clarified to apply to “non-personalized advertising.”
  • Rights to Opt-Out of Automated Decision-Making and Profiling. The CPRA states that regulations governing access and opt-out rights for automated decision-making and profiling (defined below) will be forthcoming. This will include requiring businesses’ response to access requests to include meaningful information about the logic involved in such automated decision-making, as well as descriptions of the likely outcome of the process.
  • Website Data Subject Request Submissions. If businesses have an online website, the website must be available for California residents to submit data subject requests. Based on previous versions of the CCPA, this likely means that online websites must provide a webform, although this may be clarified in the coming regulations. On a related note, this also involves an update to required links on websites. For example, “Do Not Sell My Personal Information” links must be updated to “Do Not Sell or Share My Personal Information” that leads to a webpage that enables opt-out of sale or sharing of personal information for cross-context behavioral advertising. Additionally, for those that collect sensitive personal information, they must have a link on their homepage titled, “Limit the Use of My Sensitive Personal Information.” As an alternative, instead of these two aforementioned separate links, businesses are allowed to utilize a single, clearly-labeled link if such link  allows the users (i) to opt-out of the sale or sharing of personal information and (ii) to limit the use or disclosure of sensitive personal information. That said, businesses may avoid the requirement to use these links (or compiled link) if their sites are designed to permit the opt-out of sale or sharing and limitation on use of sensitive personal information through an opt-out preference signal sent by a platform, technology, or mechanisms.
  • Right to Request Information Beyond 12 Months. Requests for information are expanded to now permit California residents to request that businesses provide information beyond the previous 12-month period preceding the request. Businesses may decline to provide information beyond a 12-month look-back period if it proves impossible or would involve a disproportionate effort. This applies to information collected on or after January 1, 2022.  

Enforcement & Penalties

  • California Privacy Protection Agency. The CPRA establishes the California Privacy Protection Agency (Agency) to enforce the CCPA and CPRA. The Agency will be composed of a five-member board, including a Chair. These appointments will be made among Californians with expertise in privacy, technology, and consumer rights. The appointments must be made within 90 days of the passage of the CPRA (i.e., February 2021). When the Agency determines there is probable cause for believing there has been a violation, it shall hold a hearing in accordance with the Administrative Procedure Act. Further information on the Agency will be forthcoming.
  • Increased Fines for Mishandling Personal Information of Those Under 16 Years of Age. There is a continued $2,500 fine for each CPRA violation or $7,500 for each intentional violation. However, violations involving the personal information of those under 16 years of age will also cost $7,500 per intentional violation. Notably, the CPRA does not keep the 30-day cure period provided to businesses under the CCPA for a violation; this dramatically increases compliance risks for businesses.

Coming Regulations

  • Further Clarification Through Regulations. The CPRA provides for further regulations on a lengthened list of issues. This includes regulations on establishing how often a consumer may request correction, establishing a standard to govern a business’s determination that providing information beyond the 12-month period is impossible or would require a disproportionate effort, and issuing regulations requiring businesses to perform a cybersecurity audit on an annual basis where processing of personal information presents significant risk.
  • Expected Regulation Dates. The Agency may adopt regulations on and after the earlier of July 1, 2021 or within six months of providing notice that it is ready to assume its rulemaking responsibilities.

New and Revised Definitions

There are several new and revised terms in the CPRA. A few of the significant updated terms are below. Other defined terms also include the following: intentionally interacts, non-personalized advertising, precise geolocation, security and integrity, vehicle information, and ownership information.

  • “Advertising and marketing”: “[A] communication by a business or a person acting on the business’s behalf in any medium intended to induce a consumer to obtain goods, services, or employment.”
  • “Business”: One of the thresholds for the definition of “business” that applied to businesses that annually handle the personal information of 50,000 or more consumers, households or devices is raised to the following: “Alone or in combination, annually buys or sells, or shares the personal information of 100,000 or more consumers or households.
  • “Business Purpose”: The definition of “business purpose” now includes, “Providing advertising and marketing services, except for cross-context behavioral advertising, to the consumer, provided that for the purpose of advertising and marketing, a service provider or contractor shall not combine the personal information of opted-out consumers which the service provider or contractor receives from or on behalf of the business with personal information which the service provider or contractor receives from or on behalf of another person or persons, or collects from its own interaction with consumers.”
  • “Consent”: “[A]ny freely given, specific, informed and unambiguous indication of the consumer’s wishes by which he or she, or his or her legal guardian, by a person who has power of attorney or is acting as a conservator for the consumer, such as by a statement or by a clear affirmative action, signifies agreement to the processing of personal information relating to him or her for a narrowly defined particular purpose. Acceptance of a general or broad terms of use or similar document that contains descriptions of personal information processing along with other, unrelated information, does not constitute consent. Hovering over, muting, pausing, or closing a given piece of content does not constitute consent. Likewise, agreement obtained through use of dark patterns does not constitute consent.”
  • “Contractor”: This is a similar term as “service provider” and refers to a person to whom the business makes personal information available for a business purpose pursuant to a written contract, where the written contract must prohibit the contractor from selling or sharing the personal information, using the personal information outside the business relationship between the contractor and business, and combining the using the personal information for a commercial purpose other than the business purposes.
  • “Cross-context behavioral advertising”: “[T]he targeting of advertising to a consumer based on the consumer’s personal information obtained from the consumer’s activity across businesses, distinctly-branded websites, applications, or services, other than the business, distinctly-branded website, application, or service with which the consumer intentionally interacts.”
  • “Dark Pattern”: “[A] user interface designed or manipulated with the substantial effect of subverting or impairing user autonomy, decision-making, or choice, as further defined by regulation.”
  • “Household”: “[A] group, however identified, of consumers who cohabitate with one another at the same residential address and share use of common device(s) or service(s).”
  • “Profiling”: “[A]ny form of automated processing of personal information… to evaluate certain personal aspects relating to a natural person, and in particular to analyze or predict aspects concerning that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behavior, location or movements.”
  • “Sensitive Personal Information”: “[P]ersonal information that reveals (A) a consumer’s social security, driver’s license, state identification card, or passport number; (B) a consumer’s account log-In, financial account, debit card, or credit card number in combination with any required security or access code, password, or credentials allowing access to an account; (C) a consumer’s precise geolocation; (D) a consumer’s racial or ethnic origin, religious or philosophical beliefs, or union membership; (E) the contents of a consumer’s mail, email and text messages, unless the business is the intended recipient of the communication; (F) a consumer’s genetic data; and (2)(A) the processing of biometric information for the purpose of uniquely identifying a consumer; (B) personal information collected and analyzed concerning a consumer’s health; or (C) personal information collected and analyzed concerning a consumer’s sex life or sexual orientation.”
  • “Share,” “shared,” or “sharing”: “[S]haring, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means, a consumer’s personal information by the business to a third party for cross-context behavioral advertising, whether or not for monetary or other valuable consideration, including transactions between a business and a third party for cross-context behavioral advertising for the benefit of a business in which no money is exchanged.”

What to Do?

The passage of the CPRA is another reminder that privacy regulations are continuously evolving and sure to increase in prevalence with the growth of the digital economy. Businesses should take notice and take this opportunity to build privacy programs that are robust and flexible enough to handle this quickly changing regulatory environment. In particular, businesses should take care to ensure compliance by the effective date, as a new enforcement body is created under this new law with more resources and aggressive enforcement capability, due to the eliminated 30-day cure period.

Continue Reading