New California Privacy Rights Act to Effectively Replace the California Consumer Privacy Act
Alerts
November 12, 2020

On Election Day, November 3, 2020, California voters overwhelmingly voted in favor of Proposition 24—a ballot measure that creates the California Privacy Rights Act (CPRA). The CPRA revises and expands the California Consumer Privacy Act (CCPA), creating new industry requirements, consumer privacy rights, and enforcement mechanisms. The CPRA's new obligations for businesses will come into effect on January 1, 2023. At that time, the CPRA will effectively replace the CCPA. In the meantime, the CPRA requires that a new California privacy agency be established and that it adopt implementing regulations.

New Scope

The CPRA modifies the CCPA's definition of "business," both limiting and expanding the types of companies that will have to comply with the law. The definition doubles the CCPA's threshold to companies that handle the personal information (PI) of 100,000 or more California[1] consumers or households (under the CCPA, the number was 50,000).[2] In addition, whereas the CCPA definition of "business" included companies that receive the PI of 50,000 or more Californians for a commercial purpose, the CPRA only brings in scope companies that buy, sell, or "share" Californians' PI. This change to the definition of business may result in some small- to medium-sized businesses not having to comply with the CPRA, where they previously had to comply with the CCPA.

The definition of business was also extended to joint ventures and partnerships composed of businesses in which each business has a 40 percent share. The definition now clarifies that a company's parent or subsidiaries are only brought in-scope if the company shares PI with the parent or subsidiary (in addition to the CCPA requirement that the entities share common branding).

In addition, the CPRA limits the definition of "personal information" by excluding "publicly available" information, including information published by individuals on social media sites and "truthful information that is a matter of public concern."

New Industry Requirements

Additional Privacy Disclosures to Consumers

Businesses that control the collection of consumers' PI need to make additional disclosures to those consumers. For example, the CPRA establishes a new category of "sensitive personal information" and requires that businesses provide disclosures regarding the collection, use, selling, and sharing of such information in the business's privacy notice. "Sensitive personal information" includes: 1) Social Security Number, driver's license, or state identification card number, or passport number; 2) financial account information; 3) precise geolocation; 4) race, ethnicity, religion, union membership; 5) a consumer's mail, email, and text messages (unless the business is the intended recipient of the communication); 6) genetic data and biometric information; 7) information concerning a consumer's health; and 8) information about a consumer's sex life or sexual orientation. Businesses will also need to tell consumers about their new privacy rights related to sensitive PI (described below).

Data Retention and Minimization

The CPRA also adopts some General Data Protection Regulation (GDPR)-like principles, including data minimization and purpose limitation. Further, businesses will be required to tell consumers the length of time the business retains each category of PI collected. This requirement may necessitate revisiting or creating a data retention and destruction policy that addresses each category of PI collected from a California resident.

Service Providers and Contractors

The CPRA will require businesses to update their agreements with third parties and service providers to whom they disclose consumers' PI to include specific terms outlined in the CPRA. Further, the CPRA clarifies that service providers and contractors[3] are not entitled to:

  • Combine consumers' PI received from a business with PI received from other sources except for the service provider's "business purpose" (which will be defined by the CPRA regulations). Depending on how the regulations define "business purposes," it is possible that service providers will need to implement data silos for PI collected from businesses.
  • Engage in "cross-context behavioral advertising" (i.e., targeting advertising based on a consumer's activity across different online services).

The CPRA also requires service providers to notify businesses when they employ a subcontractor, and that subcontractor agreement must bind the parties to the same CPRA terms in the business-service provider agreement.

New Consumer Privacy Rights

Businesses will need to implement new processes to address expanded and modified consumer rights under the CPRA, including:

  • Right to Opt Out of "Sharing" of Consumers' PI - Consumers can opt out of a business "sharing" their PI. However, "sharing" is defined extremely narrowly as disclosing or otherwise communicating a consumer's PI for cross-context behavioral advertising. In other words, if a company shares consumer PI with a third party that will use the data for cross-context behavioral advertising—even if the sharing is not in exchange for monetary or other valuable consideration—it will have to provide consumers a choice to opt out through a "Do not Sell or Share my Personal Information" link or other option. Whereas under the CCPA there was debate as to whether sharing data with a third party for targeted advertising constituted a "sale," the CPRA renders that a moot issue, because businesses will need to offer an opt out of sharing for cross-context behavioral advertising regardless of whether or not any consideration is exchanged.
  • Right to Correct - Consumers can request that businesses correct inaccurate information.
  • Sensitive Personal Information - Consumers can request that businesses limit their use and disclosure of the consumer's sensitive PI for any purpose other than providing requested goods or services or for other specific business purposes enumerated in the CPRA. Businesses that use or disclose sensitive PI for any other purpose must provide a clear and conspicuous "Limit the Use of My Sensitive Personal Information" website link. It is worth noting, however, that this opt-out right does not apply if the business collects or processes sensitive personal information "without the purpose of inferring characteristics about a consumer."
  • Data Portability - Consumers can request that businesses transmit certain pieces of PI, if it is technically feasible, to another entity in a commonly used and machine-readable format.
  • Automated Decision-Making - The CPRA directs the new California Privacy Protection Agency (description below) to issue regulations governing access and opt-out rights with respect to businesses' use of automated decision-making technology, including profiling, and requiring businesses' responses to consumer access requests to include meaningful information about the logic involved in such decision-making process, as well as a description of the likely outcome of the process with respect to the consumer.

The CPRA modifies and clarifies other existing CCPA consumer rights:

  • Right to Delete - Businesses have to notify service providers of a consumer's request to delete their PI.
  • Right to Know - Whereas the CCPA allowed consumers to request access to the past 12 months of data collected about them, the CPRA allows them to request any PI that the business collected after January 1, 2022.
  • B2B and Employee Exemptions - The CPRA extends the CCPA's partial exemptions for B2B personal information and employee personal information until January 1, 2023. Under the CCPA, the exemptions were slated to sunset on December 31, 2020, but Governor Newsom had recently signed a bill extending them until January 1, 2022.

New California Privacy Agency and Enforcement Mechanisms

The CPRA will establish the California Privacy Protection Agency (CPPA), which is tasked with investigating and enforcing the CPRA and promulgating regulations. The five-member board will be appointed by the governor, attorney general, state senate, and speaker of the assembly. The California attorney general also has the authority to investigate and enforce CPRA violations.

The CPRA does away with the CCPA's 30-day right to cure period for privacy violations. It also allows the CPPA to extract a civil penalty of $2,500/violation and increases the penalties to $7,500 for intentional violations and certain violations involving children.

Notably, like the CCPA, the CPRA does not include a private right of action for failure to comply with the law's privacy obligations. However, it retains the CCPA's private right of action for data breaches involving certain types of personal information and resulting from a failure to implement reasonable security measures.

Timeline

  • On or around July 1, 2021 - CPPA rulemaking process begins (this date may be moved depending on when the CPPA formally notifies the attorney general that it is prepared to assume rulemaking responsibilities)
  • July 1, 2022 - Deadline for the CPPA to adopt final regulations
  • January 1, 2023 - Businesses must comply with the CPRA
  • July 1, 2023 - CPPA and attorney general can bring enforcement actions

For more information or advice concerning your CPRA compliance efforts, please contact Tracy Shapiro, Eddie Holman, or another member of the firm's privacy and cybersecurity practice.


[1] The CPRA resolves an ambiguity from the CCPA, making clear that this threshold applies only to California consumers and households.

[2] The other two thresholds remain the same: Companies that have $25 million or more in annual revenues, or that make 50 percent or more of the revenues from monetizing personal information, still qualify as “businesses” if they are doing business in the State of California, regardless of the number of Californians’ data they process. The CPRA also clarifies that the $25 million threshold is to be calculated on January 1 of each year using the business’s revenue from the preceding year, thus removing the possibility of reaching the threshold mid-year.

[3] The term “contractor” was added to the CPRA but does not materially differ from a service provider in practice. While a service provider receives and processes PI on behalf of a business, a business “makes available” personal information to a contractor. The requirements for contractors and service providers are the same under the CPRA.

Contributors

  • Tracy Shapiro
  • Eddie Holman
Copyright © 2026 Wilson Sonsini Goodrich & Rosati. All Rights Reserved.