Other than the US presidential election result, on November 3, 2020, California voters approved Proposition 24 (the California Privacy Rights Act or “CPRA”).
The CPRA is an overhaul of the preexisting California Consumer Privacy Act, already deemed the most comprehensive U.S. data privacy law. The CPRA amends key portions of the 2018 California Consumer Privacy Act (CCPA), which went into effect earlier this year. In addition to revising some of the definitions that are fundamental to commercial relationships under the CCPA, the CPRA provides additional consumer rights, incorporates data minimization and certain other principles from the General Data Protection Regulation, and establishes a new California Privacy Protection Agency to replace the attorney general’s office as the statute’s enforcer.
Please refer to the following summary of the key provisions of the CPRA:
AGENCY
The CPRA transfers all funding, rulemaking, and enforcement authority from the Attorney General to the new California Privacy Protection Agency (PPA). Primary enforcement responsibilities remain vested with the state agency (rather than in a private right of action), with minor but significant changes. Specifically, the CPRA triples penalties for violations regarding minors under the age of 16 and removes the 30-day cure period that businesses can currently utilize under the CCPA.
CONSUMER PRIVACY RIGHTS
The CPRA added several new consumer privacy rights and protections:
1. Right to Correct Inaccurate Information
Consumers have the right to correct inaccurate personal information the business holds about them.
2. Expanded Right to Opt-out of Data “Sharing”
Consumers have a right to opt out of the use of their personal information for automated decision making, which includes “profiling” in connection with evaluations or decisions about a consumer’s work performance, economic situation, health, personal preferences, interests, reliability, behavior, location, or movements. The CPRA also expands this opt-out right to include both “sale” and “sharing,” including disclosing personal information to third parties “for cross-context behavioral advertising,” a clarification that brings greater certainty regarding how California law regulates online ad networks.
3. Right to Restrict Use of Sensitive Personal Information
The CPRA contains a new consumer right to limit the use and disclosure of sensitive personal data, including information concerning race and ethnicity, sexual orientation, precise geolocation, and certain health data outside the context of HIPAA. Upon consumers’ request, entities must not only stop selling or sharing sensitive information but also limit any internal uses or “secondary” purposes of such information.
4. Data Minimization and Purpose Limitation
The CPRA establishes a new general obligation (1798.100) that a business’s collection, use, retention, and sharing of a consumer’s personal information “shall be reasonably necessary and proportionate to achieve the purposes for which the personal information was collected or processed, or for another disclosed purpose that is compatible with the context in which the personal information was collected, and not further processed in a manner that is incompatible with those purposes.”
In sum, the CPRA retains the same basic structure as the CCPA, with minor changes to the kinds of regulated businesses. Companies will need to review their service provider/contractor terms to determine whether they include the requisite contractual terms and their services’ scope to ensure they do not provide marketing and advertising behaviors that may violate the CPRA. Many businesses will likely need to implement new processes to accommodate these new consumer rights.
Finally, the CPRA provides that all civil and administrative enforcement by the new Agency of the provisions in the CPRA shall not commence until January 1, 2023, and shall only apply to violations occurring on or after that date. In the meantime, businesses must comply with the CCPA and its implementing regulations.