November 5, 2020

Stroock Client Alert

By: Quyen T. Truong, Stephen J. Newman, Ali Fesharaki

Voting tabulations show Californians moving to adopt the ballot initiative known as the California Privacy Rights Act (“CPRA”), an overhaul of the California Consumer Privacy Act (“CCPA”) that became effective at the beginning of this year. The CPRA becomes fully operative on January 1, 2023, and, with the exception of the right of access, only applies to personal information collected on or after January 1, 2022. Unlike the CCPA, which continues to undergo legislative fine-tuning, the CPRA’s provisions cannot be modified by the legislature, although they can be supplemented with stricter requirements. A California Privacy Protection Agency (“CPPA”) is to be established by January 1, 2021, with a $100 million budget to implement and enforce privacy requirements, supplementing the California Attorney General’s (“AG”) efforts. 

The CPRA expands California’s privacy framework with new requirements more akin to Europe’s General Data Protection Regulation (“GDPR”) and codifies Fair Information Practice Principles (“FIPPs”), including a consumer right to correct inaccurate personal information, a consumer right to limit the use of sensitive personal information for any secondary purpose, a prohibition on retaining sensitive personal information longer than necessary and a requirement to delete unnecessary data regularly, as well as expansion of the “reasonable security” private right of action to include breach of an email address in combination with a password or security question that permits account access. But the CPRA also clarifies or scales back a few CCPA provisions. With businesses still working on compliance with the CCPA rules issued by the AG a mere month ago, we highlight below the top changes and recommendations for adjusting that effort to California’s expanded privacy framework.

New Requirements Under the CPRA

Sensitive Personal Information. Borrowing from the GDPR, the CPRA defines a new category of “sensitive personal information,” which includes data elements such as government identifiers (e.g., Social Security numbers), account login, bank account, credit card or debit card number in connection with any password or access code; precise geolocation data (within a 1,850-foot radius); racial or ethnic origin; religious beliefs; the contents of a consumer’s mail, email or text messages; genetic data; biometric information; health information; or information concerning a consumer’s sex life or sexual orientation. Businesses must disclose separately, at or before the point of collection, the purpose and categories of sensitive personal information collected, whether this information is shared or sold, and the retention period for each category. Additional data minimization requirements also apply, with consumers having a right to opt out from the use of sensitive personal information for any purpose beyond providing their goods or services.

Right to Opt-Out of Sharing of Personal Information. The CPRA gives consumers a new right to opt-out from businesses’ sharing of their personal information, which includes sharing for “cross-context behavioral advertising, whether or not for monetary or other valuable consideration.” In addition, the CPRA revises the CCPA’s definition of “business purpose” to clarify that allowable usage of consumers’ personal information for operational purposes, which includes advertising and marketing services, does not include cross-context behavioral advertising.

The CPRA’s provisions targeting cross-context behavioral advertising will have major impact given how virtually all data sharing today becomes integrated in the web of data aggregation for behavioral advertising. 

Right to Correct Personal Information. The CPRA gives consumers a new right to correct inaccurate personal information maintained by a business and requires businesses to notify consumers of that right. 

Website Links. Businesses that engage in such data collection and sharing activity must provide conspicuous “Do Not Sell or Share My Personal Information” and “Limit the Use of My Sensitive Personal Information” links on their websites to enable consumers to exercise their opt-out rights. Businesses can employ a single link if it takes the consumer to a webpage that enables the exercise of both opt-out rights.

Disclosures and Retention of Personal Information. The CPRA requires that a business notify consumers of the length of time that it intends to retain each category of personal information or sensitive personal information. Following the GDPR data minimization model, the CPRA provides that a business may not retain personal information “for longer than is reasonably necessary for that disclosed purpose.” 

Processing of Personal Information. Like the GDPR, the CPRA requires businesses to inform consumers if they have been “profiling” them using automated processes. The CPRA requires that new regulations be enacted to govern access and opt-out rights relating to such automated processing of personal information. In response to access requests, businesses would have to include meaningful information regarding the logic behind their decision-making processes and the likely outcome of the process for the consumer. Absent an opt-out request, service providers may combine personal information obtained from different businesses or directly from consumers for “any business purpose.” The CPRA also requires businesses performing “high-risk processing” to undergo annual risk assessment and independent audits, including cybersecurity audits, which the CPPA and AG can demand. 

Vendors and Other Third Parties. Going beyond the CCPA’s provisions relating to service providers, the CPRA requires businesses to revise their contracts with service providers, contractors and other third parties to meet the law’s standards, including expressly requiring them to assist the business in honoring consumer requests and meeting other compliance obligations, prohibiting them from combining personal information obtained through the business with other data, preventing them from using and retaining personal information any more than reasonably necessary, requiring them to notify the business when they engage subcontractors or sub-servicers and binding those parties to the same contractual obligations as those under the contract with the business.

Cure Period. The CPRA eliminates the CCPA’s 30-day cure window, in which a business can cure an identified gap in its privacy protections before an enforcement agency can take action.

Children’s Personal Information. The CPRA triples the fines—from $2,500 to $7,500 per violation—for any business that violates requirements pertaining to the collection or sale of the personal information of those under the age of sixteen without consent.

Relaxation of CCPA Requirements

Covered Businesses. The CPRA raises the threshold for applicability of the CCPA/CPRA by increasing the minimum number of “consumers or households” whose personal information a covered business buys, sells or shares (from 50,000 to 100,000), removes from those criteria the business's need for a commercial purpose, and removes reference to “devices” in addition to “consumers or households.” 

Employee and B2B Exemptions. The CCPA contains certain exemptions for employment-related personal information and personal information exchanged in business-to-business communications. While these exemptions were set to expire on January 1, 2021, the CPRA extends these exemptions to January 1, 2023.

Trade Secret and Security Exemptions. The CPRA exempts a business from disclosing information in response to consumer requests or in relation to cybersecurity audits or risk assessments, if that information would qualify as trade secrets or could be used for security or fraud analysis.

Right to Delete. The CPRA allows a business to refuse a consumer request to delete personal information if retention would help to ensure data security and integrity, and allows it to limit transmission of deletion requests to third parties who obtained the consumer’s personal information from that business where doing so would require “disproportionate effort.”

De-identified and Publicly Available Information. The CPRA aligns the definition of “de-identified” information to match that of the Federal Trade Commission. The CCPA’s exclusion of publicly available information from the “personal information” definition is expanded under the CPRA to encompass information that a business reasonably believes is lawfully made available to the general public by the consumer via widely distributed media, and to include “information made available by a person to whom the consumer has disclosed the information if the consumer has not restricted the information to a specific audience.” As such, the content of social media posts made without viewing restrictions (e.g., on LinkedIn, Facebook) arguably falls outside the scope of “personal information” protected under the CPRA. 

Loyalty Programs. The CPRA confirms that the CCPA’s anti-discrimination provision does not prohibit businesses’ offering of financial incentives for use of consumers’ personal information under loyalty, rewards, premium features, discount or loyalty club programs. To be “consistent with” the provision against charging different prices to consumers who exercise their privacy rights as required by the CPRA, however, businesses should maintain documentation that the value provided to consumers “is reasonably related to the value provided to the business by the consumer’s data” (contrasted with the CCPA’s earlier requirement that the value be “directly related”). It also may be necessary for businesses to make specific data-related disclosures in connection with such programs. This is an area where rulemaking likely will be needed to provide clarity.

Implications

California’s already robust privacy regime has grown even more demanding, with more complexity still to come. The CPRA requires the adoption of new regulations to cover more than twenty topics, including definitions, exemptions, opt-out specifications, automated decision-making, cybersecurity audits and risk assessments, and adjusting monetary thresholds for business eligibility. With increased consumer privacy rights and corresponding obligations for businesses, the CPRA will exacerbate businesses’ compliance and litigation burdens. 

Key compliance challenges include:

  • Businesses can no longer take shelter behind the fact that they do not “sell” personal information, and must be prepared to respond to consumer requests to opt out of the sharing of personal information. The sharing opt-out is of concern for all businesses, particularly those engaged in online data harvesting, personalized advertising or marketing activities, as the CPRA targets information collection and sharing for cross-context behavioral advertising. 
  • The creation of a new category of sensitive personal information with extra compliance obligations requires a new layer of data inventory and protections, including compliance with prescriptive requirements for consumer notification and for acceptance and honoring of consumer requests.
  • New consumer rights, including the rights to correct and to opt out from the sharing of personal information, as well as requirements to ensure compliance by vendors and other third parties downstream, require businesses to modify and expand the systems they have just implemented for notification of consumer rights and acceptance and handling of consumer requests.
  • The CPRA places increased burdens on businesses in structuring and managing their vendor and other third-party relationships, including incorporating new contract provisions and ongoing oversight to ensure that these parties implement the level of privacy protections required of the business.
  • Under the CPRA’s new data minimization framework, mimicking the GDPR, businesses that are not already GDPR-compliant must re-examine and disclose their reasons for collecting and retaining personal information and ensure that they neither collect nor retain personal information any more than reasonably necessary for their disclosed business purposes. 

Important compliance steps requiring prompt attention from every covered business include (a) updating data inventories, (b) revising privacy policies, notices and website links, (c) modifying systems for handling consumers’ CCPA/CPRA requests, (d) supplementing vendor and other third-party contracts and oversight mechanisms, and (e) reviewing and adjusting data collection and retention policies and practices for data minimization. Delay in tackling these tasks not only could threaten businesses’ ability to meet the compliance deadline, but undoubtedly would raise compliance costs as they would require overhaul of the compliance systems recently developed and still undergoing refinement. Accordingly, although the CPRA does not become fully operative until January 1, 2023, vigilant covered businesses should begin to take these steps now to comply with California’s new privacy framework.

______________________________

For More Information:

Quyen T. Truong

Stephen J. Newman

Ali Fesharaki

This Stroock publication offers general information and should not be taken or used as legal advice for specific situations, which depend on the evaluation of precise factual circumstances. Please note that Stroock does not undertake to update its publications after their publication date to reflect subsequent developments. This Stroock publication may contain attorney advertising. Prior results do not guarantee a similar outcome.