While most business are still waiting on final regulations for the California Consumer Privacy Act (“CCPA”), which are likely to be delayed, and Attorney General enforcement on July 1 of this year, the same group behind the CCPA has proposed a new ballot initiative, the California Privacy Rights Act of 2020 (“CPRA”), dubbed “CCPA 2.0.” That group announced last week that it had gained enough signatures for the CPRA to be considered by California consumers on November 2020 ballot, where the initiative is believed to have a high chance of being passed.
As described below, businesses suffering fatigue from implementing the CCPA may have to make further changes to their practices and updates to their privacy policies to address the CPRA.
Who: Californians For Consumer Privacy, the consumer privacy organization that successfully initiated the “Consumer Right To Privacy Act” ballot initiative in California in 2018, which was then withdrawn in a compromise to allow the California State Legislature to pass the CCPA. The CCPA is effective as of January 1, 2020, with final regulations from the Office of the Attorney General expected immediately.
What: The California Consumer Privacy Act, a ballot initiative by Californians For Consumer Privacy that seeks to significantly expand and amend the CCPA, with a one-year look back to January 2022.
Where: While the CCPA was passed in California, it purports to apply to all businesses with annual revenue of over $25 million which “do business in California,” where this threshold has been interpreted broadly to include business which collect and process California consumer personal information including, for example, by e-commerce sales or IP address (in connection with other data points), among other thresholds.
While the CPRA has basically the same applicability thresholds of the CCPA, it does double the 50,000 data threshold in one provision of the CCPA applicability section, applying now to businesses with under $25 million in annual revenue that “alone or in combination, buys or sells or shares the personal information of 100,000 or more [California] consumers or households.”
When: If the CPRA initiative passes sampling, it will be on the ballot before California voters this November. As written, the CPRAhas a January 2023 effective date, with a one year look-back to January 2022.
How: The CPRA creates additional privacy rights and obligations pertaining to certain category of personal information – sensitive personal information. Specifically, the CPRA proposes the following changes to the CCPA:
Sensitive Personal Information: The CPRA imposes limits on businesses’ use of “sensitive personal information,” a newly defined category of personal information that includes things like social security number, driver’s license, passport number, sexual orientation, biometric, health and financial information, and precise geolocation. The definition of “sensitive” PI under the CPRA is broader than the definition of sensitive categories of data under the European GDPR but the CPRA does not prohibit collection of this information altogether. Rather, the CPRA gives consumers additional rights to limit the processing and use of their sensitive data to specified purposes.
Data Correction: The CPRA gives consumers the right to request and require businesses to correct inaccurate personal information. These requirements are subject to reasonableness standards, require authentication, and there are specified exemptions. Service providers and contractors are required to assist businesses in complying with these requirements.
Expanded Breach Liability: By adding 21 words, the CPRA seeks to expand the data breach liability created by the CCPA. In addition to the private right of action for breaches of nonencrypted, nonredacted personal information under the CCPA, the CPRA would add a private right of action for unauthorized access or disclosure of an email address and password or security question that would permit access to an account if the business failed to maintain reasonable security. This is an important change, given the high frequency of data breaches and incidents, and the inclusion of email addresses and related information in those breaches.
Automated Decision Making: Automated decision making is a hot topic, stemming in part from the GDPR’s requirements around these types of actions. The CPRA attempts to address automated decision by regulating it as “profiling” and providing new rights of access and opt-outs.
Specifically, the CPRA defines “profiling” as the automated processing of personal information to evaluate personal aspects of an individual and to make predictions concerning that individual’s performance at work, economic situation, health, preferences, interests, reliability, behavior, location or movements. The Act then requires promulgation of regulations to provide consumers with access and opt‐out rights for the profiling, including requiring businesses to disclose to them the logic and algorithmic underlying the decision-making process.
Service Provider Provisions: The CPRA increases the contractual obligations of service providers (which are defined as in the CCPA) as currently exist under the CCPA, now requiring them to allow businesses to monitor the provider’s compliance with the contract provisions, certify that it understands and will comply with the contractual obligations.
The CPRA also seeks to impose data protection obligations directly on service providers, contractors and third parties. Specifically, it requires businesses that send personal information to third parties, service providers or contractors to enter into an agreement binding the recipient to the same level of privacy protection as provided by the act, granting the business rights to take reasonable and appropriate steps to remediate unauthorized use, and requiring the recipient to notify the business if can no longer comply.
Finally, the CPRA clarifies what the CCPA regulations do not: it requires service providers to cooperate with and assist businesses in providing requested personal information in response to verifiable data subject requests, as well as correcting or deleting information or limiting the use of sensitive personal information in response to such requests, though exceptions exist.
Enforcement Agency: Lastly, before the 2023 effective date, the CPRA requires the California state government to create a new agency, the California Privacy Protection Agency, to oversee and enforce data privacy.
Again, the CRPA, if passed by ballot initiative in November will not be effective until 2023, with a look back to 2022, giving businesses ample time to plan implementation.
In the meantime, businesses await the California Attorney General’s final CCPA regulations, which are now understood to be delayed, and the start of AG enforcement of the CCPA, which may still commence on July 1, 2020.
Octillo’s dedicated CCPA attorneys routinely counsel clients on implementation of CCPA policies and procedures, including assisting businesses to operationalize Data Subject Request (DSR) processes, perform CCPA training and record keeping, manage third party vendor relationships, and make CCPA required breach notifications. Our clients include major E-commerce retailers, international news media companies, consumer goods manufacturers and retailers, health care organizations and financial entities.
*Attorney Advertising. Prior results do not guarantee future outcomes.