Consistent with California’s history of prioritizing consumer privacy protections, Proposition 24 (full text here), a.k.a. the California Privacy Rights Act (“CPRA”), was placed on the November ballot and handily approved by voters last week. The measure’s background itself indicates that the CPRA was being put forward to make privacy more transparent to users, similar to “ingredient labels on foods.” Background information also indicates a willingness to strengthen privacy rights over time rather than diluting them (particularly with regard to children), and in fact this push for increased transparency and protection is consistent with how certain platforms are requiring clearer policies (we discuss Apple’s new requirements here). While the CPRA will be fully effective and enforceable January 1, 2023, certain provisions take effect earlier and have a look-back provision. Businesses should start to familiarize themselves with the new or updated definitions and additional requirements contained in the CPRA.
Most notably, the CPRA changes one of the three thresholds that render a business subject to the CCPA. Under the original CCPA, a business is subject to the CCPA if it receives, buys or sells personal information of more than 50,000 California residents. Now with the CPRA, this particular threshold is much more limited in scope, applying only when a business actually buys, sells or shares personal information of 100,000 or more California residents. As such, the CCPA’s application is reduced. With an effective date of January 1, 2023 for most provisions, this puts some companies in an awkward position where they currently are subject to the “original” CCPA per the 50,000 metric, but in 2023 will not have reached the 100,000 metric (or another threshold). Once a company has rolled out its CCPA program and offered various rights to consumers, it seems unlikely – and a questionable business decision – to take those rights away.
Additionally, the CPRA establishes a new category of “sensitive personal information” that is reminiscent of the GDPR’s definition of special categories of data, i.e., data points that could result in discrimination against an individual. However, the CPRA’s definition is even broader than the GDPR’s, as it expands to data points (financial data, primarily) that have traditionally been considered “sensitive” in the US and not in the EU because such data could result in identity theft. The broad new definition spans from race, religion, and sexual orientation to financial account information and government identifiers (e.g., social security numbers). In addition, consumers will be able to choose to limit the use, sale and sharing of their sensitive data. Additional links on business websites will be required to “Limit the Use of My Sensitive Personal Information” along with the current “Do Not Sell My Personal Information” link that some businesses must now include under the CCPA (that link will also change, as discussed below).
The CPRA also includes a definition of precise geolocation, which means “any data that is derived from a device and that is used or intended to be used to locate a consumer within a geographic area that is equal to or less than the area of a circle with a radius of one thousand, eight hundred and fifty (1,850) feet, except as prescribed by regulations.” For some context, a handful of industry standards do define precise location (NAI, Apple), but an actual legal definition of precise geolocation is hard to come by, and it remains a highly debated topic.
The CPRA also adds a definition of “share” to expressly address lingering confusion over “sales” of personal information under the CCPA – and to ward off further arguments that sharing personal information for behavioral advertising in the adtech space is not a “sale” under the CCPA. Setting the record straight once and for all where the CCPA and its implementing regulations have failed, “sharing” will include any provision or transfer to a third party for “cross-context behavioral advertising, whether or not for monetary or other valuable consideration.” Consumers will have the right to opt out of having their information shared or sold, and the “Do Not Sell My Personal Information” link will be expanded to “Do Not Sell or Share My Personal Information”.
The CPRA also enhances security requirements and enlarges the scope of data security breaches to include unauthorized access to or disclosure of an email address and password or security question that would allow access to an account. If the breach were attributable to the business not maintaining reasonable security measures, consumers could bring private rights of action for these breaches. Businesses that conduct higher risk processing of certain personal information will be required to undergo annual audits, thereby putting more teeth in the security requirements. There are also heightened fines for violations involving children under age 16.
Significantly, and similar to the EU, a new data protection agency will be created to take the enforcement load from the Attorney General. In addition to enforcement, the agency is authorized to prepare rules and regulations. The agency will have the authority to issue subpoenas and will have audit powers, as well as the right to impose regulatory fines. The agency will be active and in place by July 1, 2021, with an expected annual budget of $10 million (note, such budget is in line with the FTC’s federal privacy enforcement budget). Once the new agency and its significant team of agents take over in 2021, we can certainly expect to see heightened enforcement in the area of California consumer privacy.
The CPRA also removes the 30-day cure period, such that businesses will be subject to fines immediately upon a violation. Many companies implementing the CCPA relied on this cure period in assessing the overall risk of non-compliance as they worked through some of the ambiguities of the CCPA.
Given today’s pro-privacy environment (especially in California), as businesses continue to navigate the CCPA, they must also consider the CPRA with an eye toward the not-too-distant future. Businesses should begin sooner rather than later to audit their privacy programs and perform a gap analysis between their current programs and the CPRA. As we did prior to the CCPA coming into effect, we would urge businesses outside of California and outside of the US to pay close attention to the CPRA and move toward compliance, as California remains firmly established as a beacon of consumer privacy protection in the US.