InfoLawGroup LLP


CPRA: Get Ready, It Passed! Part 1: What Do I Need to Know Now?


By Justine Young Gottshall and Antonia Dumas

It passed! The California Privacy Rights Act (CPRA) was passed on November 3, 2020, through a ballot initiative (Proposition 24), with a slim majority voting in favor (56.1% in favor over 43.9% against). The CPRA once again changes the landscape of data privacy in California. Once it is fully in effect, it will replace the CCPA. And although the CPRA will not be enforceable until July 1, 2023, obligations are triggered as of January 1, 2022 (under the 12-month look-back period). For the time being, businesses are required to remain compliant with the CCPA and, in the coming months and years, will need to determine how they will navigate the shift from CCPA to CPRA compliance.

While most companies are still working to fully implement the CCPA, and the Attorney General Regulations continue to be amended, we now have a new statute that adds further compliance obligations. The key question for many companies is going to be: if I am CCPA compliant, what changes? Although much of the CPRA will need to be interpreted alongside implementing regulations that will be issued by the new California Privacy Protection Agency, there is much we do already know, and companies can and should start preparing - and budgeting - for the additional compliance obligations.

CPRA - Key Updates to CCPA

The CPRA substantially changes privacy law in CA, adding significantly more to the protections and obligations of the CCPA:

  1. Consumer Rights: Expanded rights for consumer protection, including fuller access rights, rights to correction, and expanding opt-out choices

  2. Sensitive Personal Information: A new category of PI to manage

  3. New Business Obligations: Changes to operations triggered by new requirements, which include minimizing data collection, limiting data use, deleting data, and additional disclosures to consumers

  4. New Enforcement Body: Increased risk/liability for non-compliance

  5. Changes to Applicability (Threshold) Requirements: If you didn’t have to comply with CCPA, the CPRA may not apply to your business (but it depends) – and additional obligations are now put on companies that control the collection of PI (not just those who do the collecting)

We provide insight into these key considerations below.


1. Consumer Rights: Expanded Rights for Consumer Protection

The CPRA both establishes new consumer rights and changes aspects of the existing consumer rights under the CCPA. Businesses need to prepare and adjust existing processes and procedures to ensure they have the capability to adequately respond to and implement consumer requests, including those that will require additional technical and/or administrative resources (e.g., restricting/limiting the collection/use of Sensitive PI at the direction of the individual, providing information regarding PI (and Sensitive PI you collect), correcting inaccurate information throughout your systems (in addition to deleting PI upon request), identifying and opting individuals out of automated data processing activities/systems, etc.). Further, businesses will need to implement required changes in data processing and sharing (both internally and with third parties).

Changes to existing rights:


New rights to prepare for:


2. Sensitive Personal Information: A New Category of PI to Manage

The CPRA now separates out and gives additional protections to “sensitive personal information” (or Sensitive PI).

Sensitive PI is defined as:

  • PI that reveals a consumer's (i) social security, driver's license, state identification card or passport number, (ii) account log-in, financial account, debit card, or credit card number in combination with any security or access code, password, or credentials allowing access to an account, (iii) precise geolocation (newly defined as any data derived from a device and used or intended to be used to locate a consumer within a 1,850-foot radius), and (iv) racial or ethnic origin, religious or philosophical beliefs, or union membership.

  • (i) the processing of biometric information, (ii) PI collected and analyzed concerning a consumer's health; and (iii) PI collected and analyzed concerning a consumer's sex life or sexual orientation.

This will require special attention to determine what Sensitive PI you collect, use, and share, and to identify data processing activities that involve Sensitive PI and trigger additional protections. If you have not already identified PI through data mapping or audits, you will need to review all of your systems to identify where Sensitive PI is stored and how it is processed. Any Sensitive PI will trigger additional protections, such as keeping Sensitive PI separate from non-sensitive PI and other information stored in your systems (i.e., data silos), as well as requiring third parties to do the same.


3. New Business Obligations: Changes to Operations

Obligations for businesses under the CPRA will be more extensive than the CCPA and echo heightened data privacy and security requirements set forth under the GDPR (including meeting certain privacy principles and providing additional disclosures and opt-outs). This may require a large operational lift, including dedicating substantial time and resources to develop a strategy and processes to take on these new requirements.

Must Meet New Privacy Principles

Another significant addition under the CPRA is that a business that controls the collection of consumers’ PI (not just collects) now must adhere to limitations (similar to those under the GDPR) – data minimization, purpose limitation, and storage limitation (i.e., only collect the data you need, for the intended and disclosed purpose for which it was obtained, and only keep it for the disclosed retention period).


In order to meet the new privacy principles under the CPRA and adequately process consumer requests, you will need to implement and maintain data mapping and tracking mechanisms (such as maintaining an up-to-date inventory and classification process), as well as data-retention policies and procedures. You are likely to be required to complete periodic risk assessments as well (to be determined and clarified in the new agency’s regulations).

Further, a business will be required to have reasonable security procedures and practices “appropriate to the nature of the personal information.” With the new type of PI, Sensitive PI, heightened security will be required.

Must Provide Additional Disclosures

A business will be required to meet additional disclosure requirements (at the time/point of data collection), including the following:


4. New Enforcement Body: Increased Risk/Liability for Non-Compliance

The biggest addition under the CPRA is the creation of the California Privacy Protection Agency (with funding to back it), a separate regulatory body that will have the power to enforce the CPRA. This agency (governed by an appointed five-member board) will be the driving force for providing clarification on how to interpret the CPRA and will provide guidance on how the CPRA will be enforced. We will be on the edge of our seats, but may not get clear guidance until the agency adopts final regulations in July 2022.


5. Changes to Applicability (Threshold) Requirements - What if I Previously Did Not Have to Comply with CCPA?

In general, if you did not have to comply with the CCPA before because you did not collect, process, or sell enough consumer PI to meet the threshold requirements (i.e., the three-prong test), then you may not meet the threshold requirements under the CPRA (but it depends).

Not Just the Sale of PI – Also Sharing

The CPRA expands its reach to businesses that not only generate most of their income from selling information but also from sharing information. (Note, “share” is broadly defined to include the sharing, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means.) So, a business that didn’t have to comply with CCPA because its data processing activities did not constitute a “sale” under the CCPA may have obligations under the CPRA if its data processing activities are considered “sharing” of PI (as defined).

Minimum Requirement Is Now 100,000 Consumers or Households

The CPRA has a higher threshold of affected consumers, requiring at least 100,000 consumers or households (versus the 50,000 under the CCPA). However, this requirement is now based only on consumers and households; devices were removed as a separate category and incorporated under the definition of household (defined as “a group, however defined, of consumers who cohabitate with one another in the same residential address and share use of common device(s) or service(s)”). This means that some small and medium-sized organizations that are required to comply with the CCPA may not meet the threshold requirements for the CPRA.

Other Parties Brought under CPRA

However, even if your business alone may not meet the threshold requirements to be considered a “business,” the CPRA also expands its reach to other parties.

In particular, it extends to joint ventures/partnerships (in which each business has at least 40% interest) and considers these as a single business. Also, the CPRA may apply if you control or are controlled by a business meeting the threshold requirements and share common branding (such that “the average consumer would understand that two or more entities are commonly owned”) with whom the business shares consumer PI. This means the structure of your business matters and you could be pulled under the CPRA based on your relationships with other businesses.

Also note that other parties may be brought under the CPRA when they control information as a third party, when they receive information that is sold or shared by a business covered by the CPRA, or when they receive or access information to provide services. Other parties may be required to meet certain CPRA obligations under a written contract with a business that is covered by the CPRA, via required contractual provisions restricting the use of PI to limited and specified purposes, obligating CPRA compliance, and providing the "same level of privacy protection," as well as other requirements.


CPRA - Timeline

As you begin to take steps to prepare, be mindful of the following dates for when the CPRA will become fully operative and enforceable.
