[{"innerBlocks":[],"name":"core\/freeform","postId":1248,"blockType":{"name":"core\/freeform","keywords":[],"attributes":{"content":{"type":"string","source":"html"},"lock":{"type":"object"}},"providesContext":[],"usesContext":[],"supports":{"className":false,"customClassName":false,"reusable":false},"styles":[],"variations":[],"apiVersion":2,"title":"Classic","description":"Use the classic WordPress editor.","category":"text"},"originalContent":" $\"\"$ \n\nThe nation awoke the morning after Election Day 2020 with much still unresolved.\u00a0 By early morning Pacific Time, however, it was called by various media outlets that California voters approved a ballot measure, Proposition 24, known as the California Privacy Rights Act of 2020 <\/a>(CPRA).\n\nReferred to by some as CCPA 2.0, the CPRA amends certain provisions of the paradigm shifting 2018 California Consumer Privacy Act (CCPA), which went into effect in January 2020 and became subject to enforcement in July 2020<\/a>. Moreover, the CPRA will introduce a number of new provisions and concepts to a law that regulators are still fleshing out<\/a> and businesses are struggling to understand. Like the CCPA, the CPRA will be supplemented by future regulations to be issued by a new privacy protection agency; however, the nature and the extent of the CPRA\u2019s regulatory mandates far exceed those of the CCPA.\n\nAs discussed below, while most of the CPRA is not effective and will not be enforced until July 2023, the two-year extension of the current stay on certain CCPA provisions (covering business-to-business (B2B) communications and human resources (HR) data) will be effective immediately. In addition, the forthcoming privacy agency is set to begin rulemaking to elaborate on the CPRA\u2019s requirements as early as next summer, superseding CCPA rulemaking authority of the California attorney general (AG). Accordingly, organizations subject to the CPRA will need to begin monitoring the status of the regulations and preparing for CPRA compliance beginning in about seven months.\n\nSome of the more significant provisions in the CPRA are summarized below.\n\nEnforcement and Timing<\/u><\/strong>\n\nEnforcement:<\/u>\n
\n \t
Establishment of a new data protection agency, the California Privacy Protection Agency (the Agency) \u2013 tasked along with the AG with enforcement of the CPRA \u2013 will take over all rulemaking responsibilities. The Agency is apportioned a sizable budget that must be increased by the legislature \u201cas may be necessary to carry out the provisions of this title.\u201d Administrative fines collected by the Agency will be used to reimburse the state courts and the AG for costs related to CPRA enforcement, with a small portion of the proceeds going to the Agency itself.<\/li>\n \t
Any \u201cperson\u201d \u2013 any individual or organization \u2013 has the ability to bring a CPRA complaint to the Agency. This means that consumers, competitors, vendors, customers, consumer advocacy groups and other parties have standing to bring complaints about a business\u2019s privacy practices.<\/li>\n \t
The Agency may also investigate possible violations on its own initiative, and will have discretion \u201cnot to investigate or decide to provide a business with a time-period to cure the alleged violation.\u201d There is a five-year statute of limitations for the Agency\u2019s administrative actions, which can be tolled if violations were fraudulently concealed.<\/li>\n \t
Although both the AG and the Agency will have enforcement authority, the AG has the power to require the Agency to stay any administrative investigation or action. The AG, however, cannot bring a civil action based on a violation that has been the subject of an Agency administrative decision or order.<\/li>\n<\/ul>\nTiming:<\/u>\n
\n \t
Effective immediately upon passage, the CPRA will:\n
\n \t
Extend the CCPA\u2019s HR and B2B exemptions through the end of 2022.<\/li>\n \t
Establish and appropriate a budget to fund the Agency.<\/li>\n<\/ul>\n<\/li>\n \t
As early as July 2021, the Agency will assume the AG\u2019s rulemaking authority. However, the CCPA\u2019s enforcement provisions (including the 30-day cure period) and the AG\u2019s enforcement authority thereunder remain in effect through July 1, 2023.<\/li>\n \t
The CPRA becomes operative Jan. 1, 2023 (excluding some provisions that have immediate effect, as mentioned above). However, the Agency must adopt final CPRA regulations by July 1, 2022.<\/li>\n \t
Enforcement of the CPRA by the Agency, via a prescriptive administrative procedure, will begin July 1, 2023, but will apply only to violations that occur on or after that date.<\/li>\n \t
As with the CCPA, the CPRA does not provide a private right of action, except in relation to security breaches. The CPRA specifies, however, that remedial measures following a security breach do not constitute a \u201ccure\u201d that would preclude a consumer lawsuit.<\/li>\n<\/ul>\nScope of Application and New Concepts and Definitions<\/u><\/strong>\n
\n \t
Definition of \u201cpersonal information\u201d (PI)<\/u>:\n
\n \t
\u201cPublicly available\u201d information, which under the CCPA is not treated as PI, will be amended to include also \u201clawfully obtained truthful information of public concern.\u201d Further, \u201cpublicly available\u201d was expanded from lawfully available government records to also information a business has a reasonable basis to believe was made available to the general public by the consumer, or the \u201cwidely distributed media,\u201d or is otherwise obtained from a person to whom the consumer disclosed the information without having restricted it to a specific audience.\u00a0 This provision would seem to exclude from the definition of PI information published by the press, provided to a platform or service that is then publicly posted on the platform or service, such as public reviews, comments, and social media posts, and directory listings and similar publications, and thus excludes that data from the scope of the obligations on businesses and third parties and the rights of consumers, including the rights to know, delete, opt-out of sale and the new rights created by the CPRA.<\/li>\n \t
Categories of \u201csensitive personal information,\u201d including \u201cprecise geolocation\u201d (which is now a defined term), have been added to the definition of PI, with consumers having the ability to limit the processing of sensitive PI (discussed further below).<\/li>\n<\/ul>\n<\/li>\n \t
Definition of Business<\/u>:\n
\n \t
The CPRA has made a notable distinction regarding a business that \u201ccontrols the collection of personal information\u201d in the pre-collection notice provisions in Section .100.<\/li>\n \t
The common branding provision now requires that \u201cthe business shares consumers\u2019 personal information\u201d with the commonly branded entity. This might exclude commonly branded parent and sister companies to the extent that data is not shared between and among them and otherwise does not meet the threshold criteria for being a business.<\/li>\n \t
Thresholds:\n
\n \t
The $25 million revenue threshold will be measured as of Jan. 1 of the calendar year (i.e., to address companies that hit the threshold in the middle of the year).<\/li>\n \t
The collection threshold now requires that the entity \u201c[a]lone or in combination, annually buys or sells, [sic] or shares the personal information of 100,000 or more consumers or households\u201d (\u201cdevices\u201d has been removed). The threshold under CCPA is 50,000, and included \u201cdevices,\u201d which did not require a California residency nexus. Because the new definition of \u201chousehold\u201d limits that term to a collection of consumers, and the definition of consumers includes the California residency requirement, the question of whether only Californians are to be counted in calculating this threshold number is resolved in the affirmative by the CPRA.<\/li>\n<\/ul>\n<\/li>\n \t
New joint venture\/partnership concept. Where each business has at least a 40 percent interest, the joint venture\/partnership is its own business, and each business remains a separate business. It is not clear how this interrelates with the common branding provision. Moreover, it is not clear to what extent \u201cjoint venture\u201d (JV) and \u201cpartnership\u201d are used loosely and are meant to refer to any entity in which two entities have an interest or are used as terms of art. There is a prohibition on sharing among the JV businesses that was likely intended to instead designate the sharing as a sale rather than imposing an outright prohibition.<\/li>\n<\/ul>\n<\/li>\n \t
Definition of Contractor.<\/u> The CPRA has added a defined category of party called \u201ccontractor\u201d that is similar to the undefined party carved out of the definition of third party in CCPA Section .140(w)(2) (sometimes called the non-third party or exempt third party), which required contractual \u201ccertification\u201d of CCPA compliance. The differences and similarities between the new contractor designation and service providers are discussed further below.<\/li>\n \t
Definition of Cross-Context Behavioral Advertising.<\/u> The term is defined as \u201cthe targeting of advertising to a consumer based on the consumer\u2019s personal information obtained from the consumer\u2019s activity across businesses, distinctly branded websites, applications, or services, other than the business, distinctly-branded website, application or service with which the consumer intentionally interacts.\u201d This definition clearly covers traditional interest-based advertising activities and is directly invoked in the new concept of \u201csharing,\u201d discussed immediately below.\n
\n \t
\u201cSharing.\u201d The concept of sharing has been introduced and includes the same transfer activities in the definition of sale (e.g., \u201cmaking available\u201d), but applies only in the context of cross-context behavioral advertising. There is no requirement for consideration for a transfer of PI to be considered to have been \u201cshared.\u201d Arguably, by creating a distinct regulated activity rather than clarifying that this activity is type of \u201csale\u201d, many cross-context behavioral activities (i.e., those without valuable consideration provided directly in exchange for the data disclosure), would now be excluded from the definition of \u201csale\u201d and implicate only sharing and not sales.<\/li>\n \t
\u201cProfiling.\u201d With details largely left to be determined by the regs, including the possibility of an opt-out right, the CPRA defines profiling as \u201cany form of automated processing of personal information \u2026 to evaluate certain personal aspects relating to a natural person, and in particular to analyze or predict aspects concerning that natural person\u2019s performance at work, economic situation, health, personal preferences, interests, reliability, behavior, location or movements.\u201d<\/li>\n<\/ul>\n<\/li>\n \t
Disclosure of Trade Secrets.<\/u> While much is left to be fleshed out in the regs, there is very clear statutory intent to exclude trade secrets from any of the CPRA\u2019s consumer rights provisions. This is more affirmatively stated than is the case currently under the CCPA.<\/li>\n \t
Concept of Third-Party Controller.<\/u> The CPRA introduces the concept of a third party controlling the collection of PI. The third-party controller can meet its pre-collection notice obligations by providing the required information prominently and conspicuously on the homepage of its Internet website (similar to how data brokers would meet their obligations, but no registration is required).<\/li>\n<\/ul>\nConsumer Rights\/Business Obligations<\/u>\n
\n \t
New Consumer Rights:\n
\n \t
Right to correction of inaccurate information.<\/li>\n \t
Right to opt out of sharing in the context of \u201ccross-context behavioral advertising\u201d:\n
\n \t
Businesses are required to have a button or link that states \u201cDo not Sell or Share My Personal Information,\u201d but the CPRA seems to also provide the option of stating only \u201cDo Not Share My Personal Information\u201d if the business does not also sell PI.<\/li>\n<\/ul>\n<\/li>\n \t
\u201cLimit the Use of My Sensitive Personal Information\u201d \u2013 Consumers have the right to limit businesses\u2019 use of sensitive PI to certain processing activities (certain internal business purposes, and expressly excluding advertising and marketing).<\/li>\n<\/ul>\n<\/li>\n \t
Control over Profiling. Because many profiling activities will potentially overlap with cross-context behavioral advertising sharing activities, the to-be-determined profiling opt out will likely interplay with the \u201cDo Not Share\u201d right discussed below.<\/li>\n \t
While the definition of share is limited to a cross-context behavioral advertising use case and does not require consideration, the CPRA does not resolve the debate between the differing positions<\/a> offered by the Internet Advertising Bureau (IAB) and the Digital Advertising Alliance (DAA) as to whether publishers or adtech companies are responsible for the corresponding opt out in an adtech context (i.e., who does the collection and when the sale\/sharing occurs). Both the IAB\u2019s and DAA\u2019s positions, however, arguably remain viable under the CPRA.<\/li>\n \t
Businesses are exempt from certain opt-out requirements if they allow \u201cconsumers to opt-out of the sale or sharing of their personal information and to limit the use of their sensitive personal information through an opt-out preference signal.\u201d Conversely, it seems that the CPRA would allow businesses to ignore global opt-out signals sent by platforms or other mechanisms if they offer the traditional Do Not Sell\/Share options on their online properties.<\/li>\n \t
The CPRA would make opting in to downstream sales\/sharing more viable. Under the CCPA, disclosures are excluded from sale if the \u201cconsumer uses or directs the business to intentionally disclose personal information or uses the business to intentionally interact with a third party, provided the third party does not also sell the personal information, unless that disclosure would be consistent with the provisions of this title<\/em>.\u201d Under the CPRA, the prohibition against onward sales (and now also sharing) has been removed.<\/li>\n \t
Businesses now must notify all parties to whom personal information was disclosed regarding a deletion request (not just service providers, as in the CCPA), and service providers and contractors must pass that notice down to any service providers, contractors or third parties with which they have shared the information. The CPRA discusses exceptions for service providers\u2019 and contractors\u2019 deletion obligations after receiving a request from a business but is silent as to third parties\u2019 deletion obligations.<\/li>\n \t
Access (Right to Know and Correction) Requests:\n\n \t
The lookback period for access requests is to be extended beyond 12 months by regulation, as is already the case with deletion. However, the Agency is to issue regulations addressing the issue of whether providing beyond 12 months would be \u201cimpossible or would involve a disproportionate effort.\u201d<\/li>\n \t
The definition of \u201cspecific pieces of information\u201d is subject to refinement in the regs, including in order to \u201c[minimize] the delivery of information to a consumer that would not be useful \u2026 such as system log information and other technical data.\u201d<\/li>\n<\/ul>\n<\/li>\n \t
The CPRA does not include provisions that significantly implicate verification of identity except to the extent that it clarifies the requirements will again be subject to the regulations.<\/li>\n \t
Service providers and contractors are explicitly required to assist in consumer requests under the CPRA. Under the CCPA, this was only explicitly required where negotiated in agreements with businesses and only implicitly provided for under the CCPA<\/li>\n \t
Proportionality Requirement. A business\u2019 collection, use, retention and sharing of a consumer\u2019s PI must be reasonably necessary and proportionate to achieve the purposes for which the PI was collected or processed or for another disclosed purpose that is compatible with the context in which the PI was collected and not further processed in a manner that is incompatible with those purposes.<\/li>\n \t
A business must disclose at collection its intended retention period for personal information, by category of PI, or if that is not possible the basis for determining such periods, and may not retain PI for longer than is necessary for the purposes disclosed at the time of collection.<\/li>\n<\/ul>\nVendors and Contracting Requirements<\/u>\n
\n \t
Under the CPRA, businesses are explicitly required to have agreements in place with parties to whom they disclose information, such as service providers and contractors, or third parties to which they sell or with which they share PI. Under the CCPA, it was implicit for service providers and contractors with the effect of not having a contract in place being that the disclosure is a sale, and there was not contracting requirement for third party sales. Now, without having a contract in place with a data recipient, businesses will be in violation of the CPRA and subject to enforcement.<\/li>\n \t
Service providers are more restricted on the face of the CPRA in their processing activities than those that are permitted under the CCPA, including with respect to the combination of PI of other customers. This is specifically said, however, to be subject to expansion in the regs. In particular, the Agency must issue regulations as to which \u201cbusiness purposes, including other notified purposes, for which service providers and contractors may use consumers\u2019 personal information received pursuant to a written contract with a business, for the service provider or contractor\u2019s own business purposes.\u201d<\/li>\n \t
As mentioned above, the new vendor category of \u201ccontractor,\u201d in addition to the existing \u201cservice provider,\u201d has been added, though it reflects an undefined type of vendor articulated in the CCPA as not being a third party, and thus carved disclosures to this type of party out of the definition of sale. This was a source of much confusion. Creation of a defined term makes clear that there are two types of regulated vendors. While there remain subtle differences between the two classifications, it seems that for the majority of vendors, service provider will still be the proper classification, though businesses will have to determine how to classify their vendors on a case-by-case basis.<\/li>\n<\/ul>\nThe CPRA is 52 pages long, half of which are either additions or revisions. Given the ballot initiative process, there will be no legislative history to inform rulemaking or judicial interpretation. There is a four-page statement of intent that provides some general guidance as to what the CPRA aims to accomplish, but on a 60,000-foot level. One positive statement of intent is that HR and B2B data subjects are intended to be treated differently than traditional consumers, leaving open the door for substantial revisions prior to the Jan. 1, 2023 sunset as to how those individuals\u2019 \u201cconsumer\u201d rights will be treated.\n\nLook for future blog posts for more details on the nuances of the CPRA. For more information, please feel free to reach out to the authors or others in BakerHostetler\u2019s Digital Assets and Data Management (DADM) Practice Group. For additional articles covering the CCPA, the CPRA or the recent\u00a0Schrems II<\/em>\u00a0decision, visit BakerHostetler\u2019s\u00a0Data Counsel<\/a>\u00a0blog and our\u00a0 Consumer Privacy Resource Center<\/a>.","saveContent":" $\"\"$ \n\nThe nation awoke the morning after Election Day 2020 with much still unresolved.\u00a0 By early morning Pacific Time, however, it was called by various media outlets that California voters approved a ballot measure, Proposition 24, known as the California Privacy Rights Act of 2020 <\/a>(CPRA).\n\nReferred to by some as CCPA 2.0, the CPRA amends certain provisions of the paradigm shifting 2018 California Consumer Privacy Act (CCPA), which went into effect in January 2020 and became subject to enforcement in July 2020<\/a>. Moreover, the CPRA will introduce a number of new provisions and concepts to a law that regulators are still fleshing out<\/a> and businesses are struggling to understand. Like the CCPA, the CPRA will be supplemented by future regulations to be issued by a new privacy protection agency; however, the nature and the extent of the CPRA\u2019s regulatory mandates far exceed those of the CCPA.\n\nAs discussed below, while most of the CPRA is not effective and will not be enforced until July 2023, the two-year extension of the current stay on certain CCPA provisions (covering business-to-business (B2B) communications and human resources (HR) data) will be effective immediately. In addition, the forthcoming privacy agency is set to begin rulemaking to elaborate on the CPRA\u2019s requirements as early as next summer, superseding CCPA rulemaking authority of the California attorney general (AG). Accordingly, organizations subject to the CPRA will need to begin monitoring the status of the regulations and preparing for CPRA compliance beginning in about seven months.\n\nSome of the more significant provisions in the CPRA are summarized below.\n\nEnforcement and Timing<\/u><\/strong>\n\nEnforcement:<\/u>\n
\n \t
Establishment of a new data protection agency, the California Privacy Protection Agency (the Agency) \u2013 tasked along with the AG with enforcement of the CPRA \u2013 will take over all rulemaking responsibilities. The Agency is apportioned a sizable budget that must be increased by the legislature \u201cas may be necessary to carry out the provisions of this title.\u201d Administrative fines collected by the Agency will be used to reimburse the state courts and the AG for costs related to CPRA enforcement, with a small portion of the proceeds going to the Agency itself.<\/li>\n \t
Any \u201cperson\u201d \u2013 any individual or organization \u2013 has the ability to bring a CPRA complaint to the Agency. This means that consumers, competitors, vendors, customers, consumer advocacy groups and other parties have standing to bring complaints about a business\u2019s privacy practices.<\/li>\n \t
The Agency may also investigate possible violations on its own initiative, and will have discretion \u201cnot to investigate or decide to provide a business with a time-period to cure the alleged violation.\u201d There is a five-year statute of limitations for the Agency\u2019s administrative actions, which can be tolled if violations were fraudulently concealed.<\/li>\n \t
Although both the AG and the Agency will have enforcement authority, the AG has the power to require the Agency to stay any administrative investigation or action. The AG, however, cannot bring a civil action based on a violation that has been the subject of an Agency administrative decision or order.<\/li>\n<\/ul>\nTiming:<\/u>\n
\n \t
Effective immediately upon passage, the CPRA will:\n
\n \t
Extend the CCPA\u2019s HR and B2B exemptions through the end of 2022.<\/li>\n \t
Establish and appropriate a budget to fund the Agency.<\/li>\n<\/ul>\n<\/li>\n \t
As early as July 2021, the Agency will assume the AG\u2019s rulemaking authority. However, the CCPA\u2019s enforcement provisions (including the 30-day cure period) and the AG\u2019s enforcement authority thereunder remain in effect through July 1, 2023.<\/li>\n \t
The CPRA becomes operative Jan. 1, 2023 (excluding some provisions that have immediate effect, as mentioned above). However, the Agency must adopt final CPRA regulations by July 1, 2022.<\/li>\n \t
Enforcement of the CPRA by the Agency, via a prescriptive administrative procedure, will begin July 1, 2023, but will apply only to violations that occur on or after that date.<\/li>\n \t
As with the CCPA, the CPRA does not provide a private right of action, except in relation to security breaches. The CPRA specifies, however, that remedial measures following a security breach do not constitute a \u201ccure\u201d that would preclude a consumer lawsuit.<\/li>\n<\/ul>\nScope of Application and New Concepts and Definitions<\/u><\/strong>\n
\n \t
Definition of \u201cpersonal information\u201d (PI)<\/u>:\n
\n \t
\u201cPublicly available\u201d information, which under the CCPA is not treated as PI, will be amended to include also \u201clawfully obtained truthful information of public concern.\u201d Further, \u201cpublicly available\u201d was expanded from lawfully available government records to also information a business has a reasonable basis to believe was made available to the general public by the consumer, or the \u201cwidely distributed media,\u201d or is otherwise obtained from a person to whom the consumer disclosed the information without having restricted it to a specific audience.\u00a0 This provision would seem to exclude from the definition of PI information published by the press, provided to a platform or service that is then publicly posted on the platform or service, such as public reviews, comments, and social media posts, and directory listings and similar publications, and thus excludes that data from the scope of the obligations on businesses and third parties and the rights of consumers, including the rights to know, delete, opt-out of sale and the new rights created by the CPRA.<\/li>\n \t
Categories of \u201csensitive personal information,\u201d including \u201cprecise geolocation\u201d (which is now a defined term), have been added to the definition of PI, with consumers having the ability to limit the processing of sensitive PI (discussed further below).<\/li>\n<\/ul>\n<\/li>\n \t
Definition of Business<\/u>:\n
\n \t
The CPRA has made a notable distinction regarding a business that \u201ccontrols the collection of personal information\u201d in the pre-collection notice provisions in Section .100.<\/li>\n \t
The common branding provision now requires that \u201cthe business shares consumers\u2019 personal information\u201d with the commonly branded entity. This might exclude commonly branded parent and sister companies to the extent that data is not shared between and among them and otherwise does not meet the threshold criteria for being a business.<\/li>\n \t
Thresholds:\n
\n \t
The $25 million revenue threshold will be measured as of Jan. 1 of the calendar year (i.e., to address companies that hit the threshold in the middle of the year).<\/li>\n \t
The collection threshold now requires that the entity \u201c[a]lone or in combination, annually buys or sells, [sic] or shares the personal information of 100,000 or more consumers or households\u201d (\u201cdevices\u201d has been removed). The threshold under CCPA is 50,000, and included \u201cdevices,\u201d which did not require a California residency nexus. Because the new definition of \u201chousehold\u201d limits that term to a collection of consumers, and the definition of consumers includes the California residency requirement, the question of whether only Californians are to be counted in calculating this threshold number is resolved in the affirmative by the CPRA.<\/li>\n<\/ul>\n<\/li>\n \t
New joint venture\/partnership concept. Where each business has at least a 40 percent interest, the joint venture\/partnership is its own business, and each business remains a separate business. It is not clear how this interrelates with the common branding provision. Moreover, it is not clear to what extent \u201cjoint venture\u201d (JV) and \u201cpartnership\u201d are used loosely and are meant to refer to any entity in which two entities have an interest or are used as terms of art. There is a prohibition on sharing among the JV businesses that was likely intended to instead designate the sharing as a sale rather than imposing an outright prohibition.<\/li>\n<\/ul>\n<\/li>\n \t
Definition of Contractor.<\/u> The CPRA has added a defined category of party called \u201ccontractor\u201d that is similar to the undefined party carved out of the definition of third party in CCPA Section .140(w)(2) (sometimes called the non-third party or exempt third party), which required contractual \u201ccertification\u201d of CCPA compliance. The differences and similarities between the new contractor designation and service providers are discussed further below.<\/li>\n \t
Definition of Cross-Context Behavioral Advertising.<\/u> The term is defined as \u201cthe targeting of advertising to a consumer based on the consumer\u2019s personal information obtained from the consumer\u2019s activity across businesses, distinctly branded websites, applications, or services, other than the business, distinctly-branded website, application or service with which the consumer intentionally interacts.\u201d This definition clearly covers traditional interest-based advertising activities and is directly invoked in the new concept of \u201csharing,\u201d discussed immediately below.\n
\n \t
\u201cSharing.\u201d The concept of sharing has been introduced and includes the same transfer activities in the definition of sale (e.g., \u201cmaking available\u201d), but applies only in the context of cross-context behavioral advertising. There is no requirement for consideration for a transfer of PI to be considered to have been \u201cshared.\u201d Arguably, by creating a distinct regulated activity rather than clarifying that this activity is type of \u201csale\u201d, many cross-context behavioral activities (i.e., those without valuable consideration provided directly in exchange for the data disclosure), would now be excluded from the definition of \u201csale\u201d and implicate only sharing and not sales.<\/li>\n \t
\u201cProfiling.\u201d With details largely left to be determined by the regs, including the possibility of an opt-out right, the CPRA defines profiling as \u201cany form of automated processing of personal information \u2026 to evaluate certain personal aspects relating to a natural person, and in particular to analyze or predict aspects concerning that natural person\u2019s performance at work, economic situation, health, personal preferences, interests, reliability, behavior, location or movements.\u201d<\/li>\n<\/ul>\n<\/li>\n \t
Disclosure of Trade Secrets.<\/u> While much is left to be fleshed out in the regs, there is very clear statutory intent to exclude trade secrets from any of the CPRA\u2019s consumer rights provisions. This is more affirmatively stated than is the case currently under the CCPA.<\/li>\n \t
Concept of Third-Party Controller.<\/u> The CPRA introduces the concept of a third party controlling the collection of PI. The third-party controller can meet its pre-collection notice obligations by providing the required information prominently and conspicuously on the homepage of its Internet website (similar to how data brokers would meet their obligations, but no registration is required).<\/li>\n<\/ul>\nConsumer Rights\/Business Obligations<\/u>\n
\n \t
New Consumer Rights:\n
\n \t
Right to correction of inaccurate information.<\/li>\n \t
Right to opt out of sharing in the context of \u201ccross-context behavioral advertising\u201d:\n
\n \t
Businesses are required to have a button or link that states \u201cDo not Sell or Share My Personal Information,\u201d but the CPRA seems to also provide the option of stating only \u201cDo Not Share My Personal Information\u201d if the business does not also sell PI.<\/li>\n<\/ul>\n<\/li>\n \t
\u201cLimit the Use of My Sensitive Personal Information\u201d \u2013 Consumers have the right to limit businesses\u2019 use of sensitive PI to certain processing activities (certain internal business purposes, and expressly excluding advertising and marketing).<\/li>\n<\/ul>\n<\/li>\n \t
Control over Profiling. Because many profiling activities will potentially overlap with cross-context behavioral advertising sharing activities, the to-be-determined profiling opt out will likely interplay with the \u201cDo Not Share\u201d right discussed below.<\/li>\n \t
While the definition of share is limited to a cross-context behavioral advertising use case and does not require consideration, the CPRA does not resolve the debate between the differing positions<\/a> offered by the Internet Advertising Bureau (IAB) and the Digital Advertising Alliance (DAA) as to whether publishers or adtech companies are responsible for the corresponding opt out in an adtech context (i.e., who does the collection and when the sale\/sharing occurs). Both the IAB\u2019s and DAA\u2019s positions, however, arguably remain viable under the CPRA.<\/li>\n \t
Businesses are exempt from certain opt-out requirements if they allow \u201cconsumers to opt-out of the sale or sharing of their personal information and to limit the use of their sensitive personal information through an opt-out preference signal.\u201d Conversely, it seems that the CPRA would allow businesses to ignore global opt-out signals sent by platforms or other mechanisms if they offer the traditional Do Not Sell\/Share options on their online properties.<\/li>\n \t
The CPRA would make opting in to downstream sales\/sharing more viable. Under the CCPA, disclosures are excluded from sale if the \u201cconsumer uses or directs the business to intentionally disclose personal information or uses the business to intentionally interact with a third party, provided the third party does not also sell the personal information, unless that disclosure would be consistent with the provisions of this title<\/em>.\u201d Under the CPRA, the prohibition against onward sales (and now also sharing) has been removed.<\/li>\n \t
Businesses now must notify all parties to whom personal information was disclosed regarding a deletion request (not just service providers, as in the CCPA), and service providers and contractors must pass that notice down to any service providers, contractors or third parties with which they have shared the information. The CPRA discusses exceptions for service providers\u2019 and contractors\u2019 deletion obligations after receiving a request from a business but is silent as to third parties\u2019 deletion obligations.<\/li>\n \t
Access (Right to Know and Correction) Requests:\n\n \t
The lookback period for access requests is to be extended beyond 12 months by regulation, as is already the case with deletion. However, the Agency is to issue regulations addressing the issue of whether providing beyond 12 months would be \u201cimpossible or would involve a disproportionate effort.\u201d<\/li>\n \t
The definition of \u201cspecific pieces of information\u201d is subject to refinement in the regs, including in order to \u201c[minimize] the delivery of information to a consumer that would not be useful \u2026 such as system log information and other technical data.\u201d<\/li>\n<\/ul>\n<\/li>\n \t
The CPRA does not include provisions that significantly implicate verification of identity except to the extent that it clarifies the requirements will again be subject to the regulations.<\/li>\n \t
Service providers and contractors are explicitly required to assist in consumer requests under the CPRA. Under the CCPA, this was only explicitly required where negotiated in agreements with businesses and only implicitly provided for under the CCPA<\/li>\n \t
Proportionality Requirement. A business\u2019 collection, use, retention and sharing of a consumer\u2019s PI must be reasonably necessary and proportionate to achieve the purposes for which the PI was collected or processed or for another disclosed purpose that is compatible with the context in which the PI was collected and not further processed in a manner that is incompatible with those purposes.<\/li>\n \t
A business must disclose at collection its intended retention period for personal information, by category of PI, or if that is not possible the basis for determining such periods, and may not retain PI for longer than is necessary for the purposes disclosed at the time of collection.<\/li>\n<\/ul>\nVendors and Contracting Requirements<\/u>\n
\n \t
Under the CPRA, businesses are explicitly required to have agreements in place with parties to whom they disclose information, such as service providers and contractors, or third parties to which they sell or with which they share PI. Under the CCPA, it was implicit for service providers and contractors with the effect of not having a contract in place being that the disclosure is a sale, and there was not contracting requirement for third party sales. Now, without having a contract in place with a data recipient, businesses will be in violation of the CPRA and subject to enforcement.<\/li>\n \t
Service providers are more restricted on the face of the CPRA in their processing activities than those that are permitted under the CCPA, including with respect to the combination of PI of other customers. This is specifically said, however, to be subject to expansion in the regs. In particular, the Agency must issue regulations as to which \u201cbusiness purposes, including other notified purposes, for which service providers and contractors may use consumers\u2019 personal information received pursuant to a written contract with a business, for the service provider or contractor\u2019s own business purposes.\u201d<\/li>\n \t
As mentioned above, the new vendor category of \u201ccontractor,\u201d in addition to the existing \u201cservice provider,\u201d has been added, though it reflects an undefined type of vendor articulated in the CCPA as not being a third party, and thus carved disclosures to this type of party out of the definition of sale. This was a source of much confusion. Creation of a defined term makes clear that there are two types of regulated vendors. While there remain subtle differences between the two classifications, it seems that for the majority of vendors, service provider will still be the proper classification, though businesses will have to determine how to classify their vendors on a case-by-case basis.<\/li>\n<\/ul>\nThe CPRA is 52 pages long, half of which are either additions or revisions. Given the ballot initiative process, there will be no legislative history to inform rulemaking or judicial interpretation. There is a four-page statement of intent that provides some general guidance as to what the CPRA aims to accomplish, but on a 60,000-foot level. One positive statement of intent is that HR and B2B data subjects are intended to be treated differently than traditional consumers, leaving open the door for substantial revisions prior to the Jan. 1, 2023 sunset as to how those individuals\u2019 \u201cconsumer\u201d rights will be treated.\n\nLook for future blog posts for more details on the nuances of the CPRA. For more information, please feel free to reach out to the authors or others in BakerHostetler\u2019s Digital Assets and Data Management (DADM) Practice Group. For additional articles covering the CCPA, the CPRA or the recent\u00a0Schrems II<\/em>\u00a0decision, visit BakerHostetler\u2019s\u00a0Data Counsel<\/a>\u00a0blog and our\u00a0 Consumer Privacy Resource Center<\/a>.","order":0,"get_parent":{},"attributes":{"content":" $\"\"$ \n\nThe nation awoke the morning after Election Day 2020 with much still unresolved.\u00a0 By early morning Pacific Time, however, it was called by various media outlets that California voters approved a ballot measure, Proposition 24, known as the California Privacy Rights Act of 2020 <\/a>(CPRA).\n\nReferred to by some as CCPA 2.0, the CPRA amends certain provisions of the paradigm shifting 2018 California Consumer Privacy Act (CCPA), which went into effect in January 2020 and became subject to enforcement in July 2020<\/a>. Moreover, the CPRA will introduce a number of new provisions and concepts to a law that regulators are still fleshing out<\/a> and businesses are struggling to understand. Like the CCPA, the CPRA will be supplemented by future regulations to be issued by a new privacy protection agency; however, the nature and the extent of the CPRA\u2019s regulatory mandates far exceed those of the CCPA.\n\nAs discussed below, while most of the CPRA is not effective and will not be enforced until July 2023, the two-year extension of the current stay on certain CCPA provisions (covering business-to-business (B2B) communications and human resources (HR) data) will be effective immediately. In addition, the forthcoming privacy agency is set to begin rulemaking to elaborate on the CPRA\u2019s requirements as early as next summer, superseding CCPA rulemaking authority of the California attorney general (AG). Accordingly, organizations subject to the CPRA will need to begin monitoring the status of the regulations and preparing for CPRA compliance beginning in about seven months.\n\nSome of the more significant provisions in the CPRA are summarized below.\n\nEnforcement and Timing<\/u><\/strong>\n\nEnforcement:<\/u>\n
\n \t
Establishment of a new data protection agency, the California Privacy Protection Agency (the Agency) \u2013 tasked along with the AG with enforcement of the CPRA \u2013 will take over all rulemaking responsibilities. The Agency is apportioned a sizable budget that must be increased by the legislature \u201cas may be necessary to carry out the provisions of this title.\u201d Administrative fines collected by the Agency will be used to reimburse the state courts and the AG for costs related to CPRA enforcement, with a small portion of the proceeds going to the Agency itself.<\/li>\n \t
Any \u201cperson\u201d \u2013 any individual or organization \u2013 has the ability to bring a CPRA complaint to the Agency. This means that consumers, competitors, vendors, customers, consumer advocacy groups and other parties have standing to bring complaints about a business\u2019s privacy practices.<\/li>\n \t
The Agency may also investigate possible violations on its own initiative, and will have discretion \u201cnot to investigate or decide to provide a business with a time-period to cure the alleged violation.\u201d There is a five-year statute of limitations for the Agency\u2019s administrative actions, which can be tolled if violations were fraudulently concealed.<\/li>\n \t
Although both the AG and the Agency will have enforcement authority, the AG has the power to require the Agency to stay any administrative investigation or action. The AG, however, cannot bring a civil action based on a violation that has been the subject of an Agency administrative decision or order.<\/li>\n<\/ul>\nTiming:<\/u>\n
\n \t
Effective immediately upon passage, the CPRA will:\n
\n \t
Extend the CCPA\u2019s HR and B2B exemptions through the end of 2022.<\/li>\n \t
Establish and appropriate a budget to fund the Agency.<\/li>\n<\/ul>\n<\/li>\n \t
As early as July 2021, the Agency will assume the AG\u2019s rulemaking authority. However, the CCPA\u2019s enforcement provisions (including the 30-day cure period) and the AG\u2019s enforcement authority thereunder remain in effect through July 1, 2023.<\/li>\n \t
The CPRA becomes operative Jan. 1, 2023 (excluding some provisions that have immediate effect, as mentioned above). However, the Agency must adopt final CPRA regulations by July 1, 2022.<\/li>\n \t
Enforcement of the CPRA by the Agency, via a prescriptive administrative procedure, will begin July 1, 2023, but will apply only to violations that occur on or after that date.<\/li>\n \t
As with the CCPA, the CPRA does not provide a private right of action, except in relation to security breaches. The CPRA specifies, however, that remedial measures following a security breach do not constitute a \u201ccure\u201d that would preclude a consumer lawsuit.<\/li>\n<\/ul>\nScope of Application and New Concepts and Definitions<\/u><\/strong>\n
\n \t
\nDefinition of \u201cpersonal information\u201d (PI)<\/u>:\n
\n \t
\u201cPublicly available\u201d information, which under the CCPA is not treated as PI, will be amended to include also \u201clawfully obtained truthful information of public concern.\u201d Further, \u201cpublicly available\u201d was expanded from lawfully available government records to also information a business has a reasonable basis to believe was made available to the general public by the consumer, or the \u201cwidely distributed media,\u201d or is otherwise obtained from a person to whom the consumer disclosed the information without having restricted it to a specific audience.\u00a0 This provision would seem to exclude from the definition of PI information published by the press, provided to a platform or service that is then publicly posted on the platform or service, such as public reviews, comments, and social media posts, and directory listings and similar publications, and thus excludes that data from the scope of the obligations on businesses and third parties and the rights of consumers, including the rights to know, delete, opt-out of sale and the new rights created by the CPRA.<\/li>\n \t
Categories of \u201csensitive personal information,\u201d including \u201cprecise geolocation\u201d (which is now a defined term), have been added to the definition of PI, with consumers having the ability to limit the processing of sensitive PI (discussed further below).<\/li>\n<\/ul>\n<\/li>\n \t
\nDefinition of Business<\/u>:\n
\n \t
The CPRA has made a notable distinction regarding a business that \u201ccontrols the collection of personal information\u201d in the pre-collection notice provisions in Section .100.<\/li>\n \t
The common branding provision now requires that \u201cthe business shares consumers\u2019 personal information\u201d with the commonly branded entity. This might exclude commonly branded parent and sister companies to the extent that data is not shared between and among them and otherwise does not meet the threshold criteria for being a business.<\/li>\n \t
Thresholds:\n
\n \t
The $25 million revenue threshold will be measured as of Jan. 1 of the calendar year (i.e., to address companies that hit the threshold in the middle of the year).<\/li>\n \t
The collection threshold now requires that the entity \u201c[a]lone or in combination, annually buys or sells, [sic] or shares the personal information of 100,000 or more consumers or households\u201d (\u201cdevices\u201d has been removed). The threshold under CCPA is 50,000, and included \u201cdevices,\u201d which did not require a California residency nexus. Because the new definition of \u201chousehold\u201d limits that term to a collection of consumers, and the definition of consumers includes the California residency requirement, the question of whether only Californians are to be counted in calculating this threshold number is resolved in the affirmative by the CPRA.<\/li>\n<\/ul>\n<\/li>\n \t
New joint venture\/partnership concept. Where each business has at least a 40 percent interest, the joint venture\/partnership is its own business, and each business remains a separate business. It is not clear how this interrelates with the common branding provision. Moreover, it is not clear to what extent \u201cjoint venture\u201d (JV) and \u201cpartnership\u201d are used loosely and are meant to refer to any entity in which two entities have an interest or are used as terms of art. There is a prohibition on sharing among the JV businesses that was likely intended to instead designate the sharing as a sale rather than imposing an outright prohibition.<\/li>\n<\/ul>\n<\/li>\n \t
\nDefinition of Contractor.<\/u> The CPRA has added a defined category of party called \u201ccontractor\u201d that is similar to the undefined party carved out of the definition of third party in CCPA Section .140(w)(2) (sometimes called the non-third party or exempt third party), which required contractual \u201ccertification\u201d of CCPA compliance. The differences and similarities between the new contractor designation and service providers are discussed further below.<\/li>\n \t
\nDefinition of Cross-Context Behavioral Advertising.<\/u> The term is defined as \u201cthe targeting of advertising to a consumer based on the consumer\u2019s personal information obtained from the consumer\u2019s activity across businesses, distinctly branded websites, applications, or services, other than the business, distinctly-branded website, application or service with which the consumer intentionally interacts.\u201d This definition clearly covers traditional interest-based advertising activities and is directly invoked in the new concept of \u201csharing,\u201d discussed immediately below.\n
\n \t
\u201cSharing.\u201d The concept of sharing has been introduced and includes the same transfer activities in the definition of sale (e.g., \u201cmaking available\u201d), but applies only in the context of cross-context behavioral advertising. There is no requirement for consideration for a transfer of PI to be considered to have been \u201cshared.\u201d Arguably, by creating a distinct regulated activity rather than clarifying that this activity is type of \u201csale\u201d, many cross-context behavioral activities (i.e., those without valuable consideration provided directly in exchange for the data disclosure), would now be excluded from the definition of \u201csale\u201d and implicate only sharing and not sales.<\/li>\n \t
\u201cProfiling.\u201d With details largely left to be determined by the regs, including the possibility of an opt-out right, the CPRA defines profiling as \u201cany form of automated processing of personal information \u2026 to evaluate certain personal aspects relating to a natural person, and in particular to analyze or predict aspects concerning that natural person\u2019s performance at work, economic situation, health, personal preferences, interests, reliability, behavior, location or movements.\u201d<\/li>\n<\/ul>\n<\/li>\n \t
\nDisclosure of Trade Secrets.<\/u> While much is left to be fleshed out in the regs, there is very clear statutory intent to exclude trade secrets from any of the CPRA\u2019s consumer rights provisions. This is more affirmatively stated than is the case currently under the CCPA.<\/li>\n \t
\nConcept of Third-Party Controller.<\/u> The CPRA introduces the concept of a third party controlling the collection of PI. The third-party controller can meet its pre-collection notice obligations by providing the required information prominently and conspicuously on the homepage of its Internet website (similar to how data brokers would meet their obligations, but no registration is required).<\/li>\n<\/ul>\nConsumer Rights\/Business Obligations<\/u>\n
\n \t
New Consumer Rights:\n
\n \t
Right to correction of inaccurate information.<\/li>\n \t
Right to opt out of sharing in the context of \u201ccross-context behavioral advertising\u201d:\n
\n \t
Businesses are required to have a button or link that states \u201cDo not Sell or Share My Personal Information,\u201d but the CPRA seems to also provide the option of stating only \u201cDo Not Share My Personal Information\u201d if the business does not also sell PI.<\/li>\n<\/ul>\n<\/li>\n \t
\u201cLimit the Use of My Sensitive Personal Information\u201d \u2013 Consumers have the right to limit businesses\u2019 use of sensitive PI to certain processing activities (certain internal business purposes, and expressly excluding advertising and marketing).<\/li>\n<\/ul>\n<\/li>\n \t
Control over Profiling. Because many profiling activities will potentially overlap with cross-context behavioral advertising sharing activities, the to-be-determined profiling opt out will likely interplay with the \u201cDo Not Share\u201d right discussed below.<\/li>\n \t
While the definition of share is limited to a cross-context behavioral advertising use case and does not require consideration, the CPRA does not resolve the debate between the differing positions<\/a> offered by the Internet Advertising Bureau (IAB) and the Digital Advertising Alliance (DAA) as to whether publishers or adtech companies are responsible for the corresponding opt out in an adtech context (i.e., who does the collection and when the sale\/sharing occurs). Both the IAB\u2019s and DAA\u2019s positions, however, arguably remain viable under the CPRA.<\/li>\n \t
Businesses are exempt from certain opt-out requirements if they allow \u201cconsumers to opt-out of the sale or sharing of their personal information and to limit the use of their sensitive personal information through an opt-out preference signal.\u201d Conversely, it seems that the CPRA would allow businesses to ignore global opt-out signals sent by platforms or other mechanisms if they offer the traditional Do Not Sell\/Share options on their online properties.<\/li>\n \t
The CPRA would make opting in to downstream sales\/sharing more viable. Under the CCPA, disclosures are excluded from sale if the \u201cconsumer uses or directs the business to intentionally disclose personal information or uses the business to intentionally interact with a third party, provided the third party does not also sell the personal information, unless that disclosure would be consistent with the provisions of this title<\/em>.\u201d Under the CPRA, the prohibition against onward sales (and now also sharing) has been removed.<\/li>\n \t
Businesses now must notify all parties to whom personal information was disclosed regarding a deletion request (not just service providers, as in the CCPA), and service providers and contractors must pass that notice down to any service providers, contractors or third parties with which they have shared the information. The CPRA discusses exceptions for service providers\u2019 and contractors\u2019 deletion obligations after receiving a request from a business but is silent as to third parties\u2019 deletion obligations.<\/li>\n \t
Access (Right to Know and Correction) Requests:\n\n \t
The lookback period for access requests is to be extended beyond 12 months by regulation, as is already the case with deletion. However, the Agency is to issue regulations addressing the issue of whether providing beyond 12 months would be \u201cimpossible or would involve a disproportionate effort.\u201d<\/li>\n \t
The definition of \u201cspecific pieces of information\u201d is subject to refinement in the regs, including in order to \u201c[minimize] the delivery of information to a consumer that would not be useful \u2026 such as system log information and other technical data.\u201d<\/li>\n<\/ul>\n<\/li>\n \t
The CPRA does not include provisions that significantly implicate verification of identity except to the extent that it clarifies the requirements will again be subject to the regulations.<\/li>\n \t
Service providers and contractors are explicitly required to assist in consumer requests under the CPRA. Under the CCPA, this was only explicitly required where negotiated in agreements with businesses and only implicitly provided for under the CCPA<\/li>\n \t
Proportionality Requirement. A business\u2019 collection, use, retention and sharing of a consumer\u2019s PI must be reasonably necessary and proportionate to achieve the purposes for which the PI was collected or processed or for another disclosed purpose that is compatible with the context in which the PI was collected and not further processed in a manner that is incompatible with those purposes.<\/li>\n \t
A business must disclose at collection its intended retention period for personal information, by category of PI, or if that is not possible the basis for determining such periods, and may not retain PI for longer than is necessary for the purposes disclosed at the time of collection.<\/li>\n<\/ul>\nVendors and Contracting Requirements<\/u>\n
\n \t
Under the CPRA, businesses are explicitly required to have agreements in place with parties to whom they disclose information, such as service providers and contractors, or third parties to which they sell or with which they share PI. Under the CCPA, it was implicit for service providers and contractors with the effect of not having a contract in place being that the disclosure is a sale, and there was not contracting requirement for third party sales. Now, without having a contract in place with a data recipient, businesses will be in violation of the CPRA and subject to enforcement.<\/li>\n \t
Service providers are more restricted on the face of the CPRA in their processing activities than those that are permitted under the CCPA, including with respect to the combination of PI of other customers. This is specifically said, however, to be subject to expansion in the regs. In particular, the Agency must issue regulations as to which \u201cbusiness purposes, including other notified purposes, for which service providers and contractors may use consumers\u2019 personal information received pursuant to a written contract with a business, for the service provider or contractor\u2019s own business purposes.\u201d<\/li>\n \t
As mentioned above, the new vendor category of \u201ccontractor,\u201d in addition to the existing \u201cservice provider,\u201d has been added, though it reflects an undefined type of vendor articulated in the CCPA as not being a third party, and thus carved disclosures to this type of party out of the definition of sale. This was a source of much confusion. Creation of a defined term makes clear that there are two types of regulated vendors. While there remain subtle differences between the two classifications, it seems that for the majority of vendors, service provider will still be the proper classification, though businesses will have to determine how to classify their vendors on a case-by-case basis.<\/li>\n<\/ul>\nThe CPRA is 52 pages long, half of which are either additions or revisions. Given the ballot initiative process, there will be no legislative history to inform rulemaking or judicial interpretation. There is a four-page statement of intent that provides some general guidance as to what the CPRA aims to accomplish, but on a 60,000-foot level. One positive statement of intent is that HR and B2B data subjects are intended to be treated differently than traditional consumers, leaving open the door for substantial revisions prior to the Jan. 1, 2023 sunset as to how those individuals\u2019 \u201cconsumer\u201d rights will be treated.\n\nLook for future blog posts for more details on the nuances of the CPRA. For more information, please feel free to reach out to the authors or others in BakerHostetler\u2019s Digital Assets and Data Management (DADM) Practice Group. For additional articles covering the CCPA, the CPRA or the recent\u00a0Schrems II<\/em>\u00a0decision, visit BakerHostetler\u2019s\u00a0Data Counsel<\/a>\u00a0blog and our\u00a0 Consumer Privacy Resource Center<\/a>."},"attributesType":{"content":{"type":"string","source":"html"},"lock":{"type":"object"}},"dynamicContent":null}]

California Voters Approve Reworking of Landmark Consumer Privacy Law – What CCPA 2.0 Will Mean for Businesses and Consumers