California citizens continue to demand privacy. On November 3, 2020, a majority of California voters approved Proposition 24, (“the California Privacy Rights Act of 2020”) or (the “CPRA”), further expanding California’s existing California Consumer Privacy Act (“CCPA”). California’s new enforcement body, the California Privacy Protection Agency (“CPPA”) will begin the process of adopting revisions of the CPRA starting July 1, 2021, and concluding on July 1, 2022. The CPPA operates as an independent overseer of the CPRA and is tasked with both enforcement of the CPRA as well as information and outreach to ensure that both businesses and consumers are informed of both their rights and obligations. While the original enforcement arm of the CCPA was the California Attorney General, the CPPA augments that core function with the addition of an educational outreach program. (see “What is the California Privacy Protection Agency” at IAPP.org).
Additionally, each iteration of the CPRA will follow the normal agency process and will be subject to a comment period prior to adoption. The final CPRA version becomes enforceable on July 1, 2023. This two-year enforcement delay will provide affected businesses with valuable time to prepare for the new requirements imposed by the final CPRA. It is expected that the specifics of key provisions, to include, amongst others: opt-outs; the timing and frequency of consumer correction requests; and determining whether the look-back window extends beyond 12 months; will all be handled during the 2021 and 2022 timeframe under standard agency rulemaking procedures.
While businesses prepare for the CPRA enforcement date, it is important that those in charge of compliance keep in mind that CCPA will continue to govern California residents’ privacy rights in the interim. Accordingly, those affected businesses that are not yet compliant with the CCPA should begin their privacy compliance journey there as CCPA enforcement will likely ramp up. For instance, the California Attorney General’s office has been sending out CCPR “Notices to Cure” since mid-2020; any entity receiving such a notice has a 30-day window to remedy any claimed violation.
For those businesses that have CCPA privacy programs in place, their efforts have not been in vain since the CPRA is a revision and expansion of the existing CCPA framework. In sum, the CPRA is less revolutionary and instead, more evolutionary.
For businesses operating in California, no matter their current privacy posture, they should consider the following questions:
Will the CPRA affect your Business?
Obviously, the first step a business should take is to determine whether it subject to either the CCPA, CPRA, or both. If a company “does business in the State of California and a) has annual gross revenues of more than $25 million or b) alone or in combination, annually buys, receives for commercial purposes, sells, or shares for commercial purposes the personal information of 50,000 or more consumers, households, or devices, or c) derives 50% or more of its annual revenues from selling consumers’ personal information (“PI”), than the business is governed by the CCPA.
The CPRA, on the other hand, is more favorable to small business in that it amends section b) above by increasing the threshold for “consumers” or “households” to 100,000 and omits the “devices” category. The key point here is that small businesses currently governed by the CCPA may be freed from privacy compliance obligations when the CPRA goes into effect on July 1, 2023.
Does your Business tell your customers what data you are collecting from them?
The CPRA imposes an affirmative duty on a covered business to inform consumers “at or before the point of collection” of 1) the categories of personal data being collected on them; 2) the purpose for which the company will use this personal information; and 3) whether such personal information will be sold or shared. Also critical, should your business change or modify the use of any collected personal information, it must give notice to the affected individuals of this change.
Is your business seeking and obtaining lawful consent from your customers for the collection and use of their PII?
The issue of “consent” is somewhat ambiguous; the CPRA uses a GDPR definition of consent – “…freely given, specific, informed, and unambiguous indication of the consumer’s wishes…” The CPRA goes even further by expressly prohibiting the use of “broad terms” when requesting consent or assuming consent where a consumer simply hovers over a website consent button or merely closes a consent pop-up. Essentially, the consent requirements in the CPRA are largely analogous to those under Article 4 of the GDPR; however, regulations which outline how the CPRA will interpret “consent” is still fluid as the CPRA undergoes the rulemaking process throughout 2021.
Considering how the GDPR definitions have been historically interpreted, however, businesses can expect that “freely given” consent means the consumer must be given an actual choice. In other words, cookie walls or take-it-or-leave-it clickthroughs will likely not be sufficient. Furthermore, businesses must make the option of revoking previously given consent as simple as it was for the consumer to provide it. “Specific and Informed” means that entities must advise consumers of what data is being collected on them and how the business intends to use this data at a granular level. Finally, “unambiguous” consent requires an affirmative action by the consumer and cannot merely be some default or pre-selected items on a form. For now, it appears that the consumer must take an affirmative act to properly indicate her consent.
Does your business “share” personal information?
The CPRA expands California’s governance of PI to the sharing of personal information, not just selling it. The CPRA defines sharing as “sharing, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means, a consumer’s personal information by the business to a third party for cross-context behavioral advertising, whether or not for monetary or other valuable consideration, including transactions between a business and a third party for cross-context behavioral advertising for the benefit of a business in which no money is exchanged.”
Under the CCPA, businesses sharing information in exchange for either money or other “valuable” consideration must only provide consumers with an opt-out notice. The CPRA goes further; business “sharing” PI must provide consumers with the means to opt-out of the share of their PI, whether the business derives financial benefits from the sharing of PI or not.
However, it is important to note that “sharing” does not include either service providers or contractors (many online advertisers, cookie providers, etc., fall within this category) and are not covered under this.
Will your business’s webpage be compliant with the CPRA?
The CCPA currently requires businesses to provide consumers with “two or more designated methods for submitting requests for information” about the data collected on them including a toll-free number. The CPRA expands consumer privacy requests to PI deletion and correction. If the business has a website, it must allow consumers the ability to submit information access request through its website. As further addressed below, the CPRA will expand the consumers right to control her data using company websites.
Does your Business Collect, Process, Sell, or Share Sensitive Personal Information?
The CPRA has an entirely new data classification: sensitive personal information, which includes passport numbers, driver’s license numbers, social security numbers; credit card numbers accompanied by secondary access codes (e.g., pins, or CSC); precise geolocation data; demographic information (such as religion, race, ethnicity, biometric, sexual orientation); and content data (mail, e-mail, SMS messages) where the business is not the intended recipient. Where a business does collect such sensitive personal information, it must post a “Limit the Use of My Sensitive Personal Information” link on its website giving consumers the right to limit the use of this data to the extent needed to perform the core services or goods purchased.
As indicated above, the CPRA is both a revision and expansion of the CCPA. While affected businesses have a two-year window to prepare for CPRA enforcement, they cannot forget the obligations and penalties associated with CCPA. For more information, please contact us at [email protected].