The nation awoke the morning after Election Day 2020 with much still unresolved. By early morning Pacific Time, however, various media outlets had called the result on one measure: California voters approved Proposition 24, known as the California Privacy Rights Act of 2020 (CPRA).
Referred to by some as CCPA 2.0, the CPRA amends certain provisions of the paradigm-shifting 2018 California Consumer Privacy Act (CCPA), which went into effect in January 2020 and became subject to enforcement in July 2020. Moreover, the CPRA will introduce a number of new provisions and concepts to a law that regulators are still fleshing out and businesses are struggling to understand. Like the CCPA, the CPRA will be supplemented by future regulations to be issued by a new privacy protection agency; however, the nature and extent of the CPRA’s regulatory mandates far exceed those of the CCPA.
As discussed below, while most of the CPRA is not effective and will not be enforced until July 2023, the two-year extension of the current stay on certain CCPA provisions (covering business-to-business (B2B) communications and human resources (HR) data) will be effective immediately. In addition, the forthcoming privacy agency is set to begin rulemaking to elaborate on the CPRA’s requirements as early as next summer, superseding the CCPA rulemaking authority of the California attorney general (AG). Accordingly, organizations subject to the CPRA will need to begin monitoring the status of the regulations and preparing for CPRA compliance in about seven months.
Some of the more significant provisions in the CPRA are summarized below.
Enforcement and Timing
- The CPRA establishes a new data protection agency, the California Privacy Protection Agency (the Agency), which is tasked along with the AG with enforcement of the CPRA and will take over all rulemaking responsibilities. The Agency is apportioned a sizable budget that must be increased by the legislature “as may be necessary to carry out the provisions of this title.” Administrative fines collected by the Agency will be used to reimburse the state courts and the AG for costs related to CPRA enforcement, with a small portion of the proceeds going to the Agency itself.
- Any “person” – any individual or organization – has the ability to bring a CPRA complaint to the Agency. This means that consumers, competitors, vendors, customers, consumer advocacy groups and other parties have standing to bring complaints about a business’s privacy practices.
- The Agency may also investigate possible violations on its own initiative, and will have discretion “not to investigate or decide to provide a business with a time-period to cure the alleged violation.” There is a five-year statute of limitations for the Agency’s administrative actions, which can be tolled if violations were fraudulently concealed.
- Although both the AG and the Agency will have enforcement authority, the AG has the power to require the Agency to stay any administrative investigation or action. The AG, however, cannot bring a civil action based on a violation that has been the subject of an Agency administrative decision or order.
- Effective immediately upon passage, the CPRA will:
  - Extend the CCPA’s HR and B2B exemptions through the end of 2022.
  - Establish and appropriate a budget to fund the Agency.
- As early as July 2021, the Agency will assume the AG’s rulemaking authority. However, the CCPA’s enforcement provisions (including the 30-day cure period) and the AG’s enforcement authority thereunder remain in effect through July 1, 2023.
- The CPRA becomes operative Jan. 1, 2023 (excluding some provisions that have immediate effect, as mentioned above). However, the Agency must adopt final CPRA regulations by July 1, 2022.
- Enforcement of the CPRA by the Agency, via a prescriptive administrative procedure, will begin July 1, 2023, but will apply only to violations that occur on or after that date.
- As with the CCPA, the CPRA does not provide a private right of action, except in relation to security breaches. The CPRA specifies, however, that remedial measures following a security breach do not constitute a “cure” that would preclude a consumer lawsuit.
Scope of Application and New Concepts and Definitions
- Definition of “personal information” (PI):
  - “Publicly available” information, which under the CCPA is not treated as PI, will be amended to also include “lawfully obtained truthful information of public concern.” Further, “publicly available” was expanded from lawfully available government records to also include information a business has a reasonable basis to believe was made available to the general public by the consumer or the “widely distributed media,” or that is otherwise obtained from a person to whom the consumer disclosed the information without having restricted it to a specific audience. This provision would seem to exclude from the definition of PI information published by the press; information provided to a platform or service that is then publicly posted on that platform or service, such as public reviews, comments and social media posts; and directory listings and similar publications. That data is thus excluded from the scope of the obligations on businesses and third parties and from the rights of consumers, including the rights to know, delete and opt out of sale and the new rights created by the CPRA.
  - Categories of “sensitive personal information,” including “precise geolocation” (which is now a defined term), have been added to the definition of PI, with consumers having the ability to limit the processing of sensitive PI (discussed further below).
- Definition of Business:
  - The CPRA has made a notable distinction regarding a business that “controls the collection of personal information” in the pre-collection notice provisions in Section .100.
  - The common branding provision now requires that “the business shares consumers’ personal information” with the commonly branded entity. This might exclude commonly branded parent and sister companies to the extent that data is not shared between and among them and they otherwise do not meet the threshold criteria for being a business.
  - The $25 million revenue threshold will be measured as of Jan. 1 of the calendar year (i.e., to address companies that hit the threshold in the middle of the year).
  - The collection threshold now requires that the entity “[a]lone or in combination, annually buys or sells, [sic] or shares the personal information of 100,000 or more consumers or households” (“devices” has been removed). The threshold under the CCPA is 50,000, and it included “devices,” which did not require a California residency nexus. Because the new definition of “household” limits that term to a collection of consumers, and the definition of consumers includes the California residency requirement, the CPRA resolves in the affirmative the question of whether only Californians are to be counted in calculating this threshold number.
  - New joint venture/partnership concept. Where each business has at least a 40 percent interest, the joint venture/partnership is its own business, and each business remains a separate business. It is not clear how this interrelates with the common branding provision. Moreover, it is not clear to what extent “joint venture” (JV) and “partnership” are used loosely, to refer to any entity in which two entities have an interest, or are used as terms of art. There is a prohibition on sharing among the JV businesses that was likely intended instead to designate the sharing as a sale rather than to impose an outright prohibition.
- Definition of Contractor. The CPRA has added a defined category of party called “contractor” that is similar to the undefined party carved out of the definition of third party in CCPA Section .140(w)(2) (sometimes called the non-third party or exempt third party), which required contractual “certification” of CCPA compliance. The differences and similarities between the new contractor designation and service providers are discussed further below.
- Definition of Cross-Context Behavioral Advertising. The term is defined as “the targeting of advertising to a consumer based on the consumer’s personal information obtained from the consumer’s activity across businesses, distinctly branded websites, applications, or services, other than the business, distinctly-branded website, application or service with which the consumer intentionally interacts.” This definition clearly covers traditional interest-based advertising activities and is directly invoked in the new concept of “sharing,” discussed immediately below.
- “Sharing.” The concept of sharing has been introduced and includes the same transfer activities as the definition of sale (e.g., “making available”), but applies only in the context of cross-context behavioral advertising. There is no requirement for consideration for a transfer of PI to be considered to have been “shared.” Arguably, by creating a distinct regulated activity rather than clarifying that this activity is a type of “sale,” many cross-context behavioral activities (i.e., those without valuable consideration provided directly in exchange for the data disclosure) would now be excluded from the definition of “sale” and implicate only sharing and not sales.
- “Profiling.” With details largely left to be determined by the regs, including the possibility of an opt-out right, the CPRA defines profiling as “any form of automated processing of personal information … to evaluate certain personal aspects relating to a natural person, and in particular to analyze or predict aspects concerning that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behavior, location or movements.”
- Disclosure of Trade Secrets. While much is left to be fleshed out in the regs, there is very clear statutory intent to exclude trade secrets from any of the CPRA’s consumer rights provisions. This is more affirmatively stated than is the case currently under the CCPA.
- Concept of Third-Party Controller. The CPRA introduces the concept of a third party controlling the collection of PI. The third-party controller can meet its pre-collection notice obligations by providing the required information prominently and conspicuously on the homepage of its Internet website (similar to how data brokers would meet their obligations, but no registration is required).
Consumer Rights/Business Obligations
- New Consumer Rights:
  - Right to correction of inaccurate information.
  - Right to opt out of sharing in the context of “cross-context behavioral advertising”:
    - Businesses are required to have a button or link that states “Do not Sell or Share My Personal Information,” but the CPRA seems to also provide the option of stating only “Do Not Share My Personal Information” if the business does not also sell PI.
  - “Limit the Use of My Sensitive Personal Information” – Consumers have the right to limit businesses’ use of sensitive PI to certain processing activities (certain internal business purposes, and expressly excluding advertising and marketing).
- Control over Profiling. Because many profiling activities will potentially overlap with cross-context behavioral advertising sharing activities, the to-be-determined profiling opt-out will likely interplay with the “Do Not Share” right discussed above.
- While the definition of share is limited to a cross-context behavioral advertising use case and does not require consideration, the CPRA does not resolve the debate between the differing positions offered by the Internet Advertising Bureau (IAB) and the Digital Advertising Alliance (DAA) as to whether publishers or adtech companies are responsible for the corresponding opt out in an adtech context (i.e., who does the collection and when the sale/sharing occurs). Both the IAB’s and DAA’s positions, however, arguably remain viable under the CPRA.
- Businesses are exempt from certain opt-out requirements if they allow “consumers to opt-out of the sale or sharing of their personal information and to limit the use of their sensitive personal information through an opt-out preference signal.” Conversely, it seems that the CPRA would allow businesses to ignore global opt-out signals sent by platforms or other mechanisms if they offer the traditional Do Not Sell/Share options on their online properties.
- The CPRA would make opting in to downstream sales/sharing more viable. Under the CCPA, disclosures are excluded from sale if the “consumer uses or directs the business to intentionally disclose personal information or uses the business to intentionally interact with a third party, provided the third party does not also sell the personal information, unless that disclosure would be consistent with the provisions of this title.” Under the CPRA, the prohibition against onward sales (and now also sharing) has been removed.
- Businesses now must notify all parties to whom personal information was disclosed regarding a deletion request (not just service providers, as in the CCPA), and service providers and contractors must pass that notice down to any service providers, contractors or third parties with which they have shared the information. The CPRA discusses exceptions for service providers’ and contractors’ deletion obligations after receiving a request from a business but is silent as to third parties’ deletion obligations.
- Access (Right to Know and Correction) Requests:
  - The lookback period for access requests is to be extended beyond 12 months by regulation, as is already the case with deletion. However, the Agency is to issue regulations addressing the issue of whether providing beyond 12 months would be “impossible or would involve a disproportionate effort.”
  - The definition of “specific pieces of information” is subject to refinement in the regs, including in order to “[minimize] the delivery of information to a consumer that would not be useful … such as system log information and other technical data.”
  - The CPRA does not include provisions that significantly implicate verification of identity, except to the extent that it clarifies the requirements will again be subject to the regulations.
- Service providers and contractors are explicitly required to assist with consumer requests under the CPRA. Under the CCPA, this was explicitly required only where negotiated in agreements with businesses and was otherwise only implicitly provided for.
- Proportionality Requirement. A business’s collection, use, retention and sharing of a consumer’s PI must be reasonably necessary and proportionate to achieve the purposes for which the PI was collected or processed, or for another disclosed purpose that is compatible with the context in which the PI was collected, and the PI may not be further processed in a manner that is incompatible with those purposes.
- A business must disclose at collection its intended retention period for personal information, by category of PI, or if that is not possible the basis for determining such periods, and may not retain PI for longer than is necessary for the purposes disclosed at the time of collection.
Vendors and Contracting Requirements
- Under the CPRA, businesses are explicitly required to have agreements in place with parties to whom they disclose information, whether service providers and contractors or third parties to which they sell or with which they share PI. Under the CCPA, the requirement was only implicit for service providers and contractors (the consequence of not having a contract in place being that the disclosure is a sale), and there was no contracting requirement for third-party sales. Now, without a contract in place with a data recipient, businesses will be in violation of the CPRA and subject to enforcement.
- Service providers are more restricted on the face of the CPRA in their processing activities than those that are permitted under the CCPA, including with respect to the combination of PI of other customers. This is specifically said, however, to be subject to expansion in the regs. In particular, the Agency must issue regulations as to which “business purposes, including other notified purposes, for which service providers and contractors may use consumers’ personal information received pursuant to a written contract with a business, for the service provider or contractor’s own business purposes.”
- As mentioned above, the new vendor category of “contractor” has been added alongside the existing “service provider.” It reflects an undefined type of vendor that the CCPA articulated as not being a third party, thereby carving disclosures to this type of party out of the definition of sale; this was a source of much confusion. Creation of a defined term makes clear that there are two types of regulated vendors. While there remain subtle differences between the two classifications, it seems that for the majority of vendors, service provider will still be the proper classification, though businesses will have to determine how to classify their vendors on a case-by-case basis.
The CPRA is 52 pages long, half of which are either additions or revisions. Given the ballot initiative process, there will be no legislative history to inform rulemaking or judicial interpretation. There is a four-page statement of intent that provides some general guidance as to what the CPRA aims to accomplish, but on a 60,000-foot level. One positive statement of intent is that HR and B2B data subjects are intended to be treated differently than traditional consumers, leaving open the door for substantial revisions prior to the Jan. 1, 2023 sunset as to how those individuals’ “consumer” rights will be treated.
Look for future blog posts for more details on the nuances of the CPRA. For more information, please feel free to reach out to the authors or others in BakerHostetler’s Digital Assets and Data Management (DADM) Practice Group. For additional articles covering the CCPA, the CPRA or the recent Schrems II decision, visit BakerHostetler’s Data Counsel blog and our Consumer Privacy Resource Center.