On June 1, 2020, the California Attorney General's Office submitted the final draft of the California Consumer Privacy Act (CCPA). However, even before the CCPA's official enforcement date, the public was made aware of the draft California Privacy Rights Act (CPRA). The draft is scheduled to be heard by the legislature in November 2020.
What is it?
The CPRA is proposed as an amendment to the current CCPA. It is designed to give consumers access to the information and tools necessary to limit the use, sale, and distribution of their personal information for advertising and similar commercial purposes. Many see the CPRA as an omnibus law modeled on the EU General Data Protection Regulation (EU GDPR). The CPRA is expected to strengthen the law so as to place consumers on "a more equal footing" with businesses in protecting their rights.
What are the key provisions of CPRA?
The CPRA adds and amends several provisions to protect consumers' privacy rights. Below is a summary of some of the key rules and how they will affect business operations.
1. Revised scope of covered “businesses”
The CPRA amends the definition of a "business" to an entity that, alone or in combination with others, annually buys, sells, or shares the personal information of 100,000 or more consumers or households. It also clarifies how separate entities are treated by refining the definitions of an indirect business and of a joint venture entity. Finally, it covers entities that are not otherwise subject to the CPRA but that file a self-certification with the California Privacy Protection Agency (CalPPA).
2. New definition on sensitive personal information
The CPRA introduces a new category of "sensitive personal information". It includes a Social Security number, driver's license number, passport number, financial account information, precise geolocation, race, ethnicity, religious or philosophical beliefs, union membership, personal communications (including the contents of mail, email, and text messages), genetic data, biometric or health information, and information about sex life or sexual orientation. Any result of analytics performed on a consumer's health or sexual orientation information is also treated as sensitive personal information.
3. New and revised consumer’s rights
The CPRA creates new rights, such as the right to correct inaccurate personal information that a business has received about the consumer, the right to limit the use and disclosure of sensitive personal information, and the right to know what personal information is being collected. The CPRA also expands the right to opt out of "sales", and of sharing for cross-context behavioral advertising, to cover the sharing of personal information. The exemptions to the right to deletion, under which a business may refuse to delete personal information, are expanded as well. The right to nondiscrimination is also expanded by clarifying that a business may offer loyalty or similar programs, provided it does not re-request the consumer's consent for such a program for at least 12 months following the consumer's last refusal to consent.
4. Children’s privacy
Violations of the CCPA's opt-in-to-sale right for consumers under the age of 16 may be subject to fines three times the previous amount. The CPRA also adds new requirements to obtain opt-in consent before selling or sharing data from consumers under the age of 16. Businesses are also prohibited from re-requesting consent to sell or share data for at least 12 months after a consumer under 16 declines to consent. Lastly, the CPRA calls for regulations establishing technical specifications for an opt-out signal that allows children or their parents to indicate that the consumer is under 13 or between 13 and 16 years old.
5. Data breach liability
The CPRA clarifies that breaches compromising a consumer's email address in combination with a password or security question and answer that would permit access to the consumer's account are subject to the relevant security provision. The CPRA also preserves the CCPA's private right of action for breaches of non-encrypted and non-redacted personal information.
6. Establishment of California Privacy Protection Agency
The CPRA would establish the California Privacy Protection Agency (CalPPA), a government agency dedicated solely to privacy, to regulate and enforce the CPRA and the CCPA. Taking over the role of the Attorney General's Office, it will have the power to audit, issue subpoenas, make rules, and impose administrative fines. It is also mandated to raise awareness of privacy risks and to provide guidance to businesses and consumers.
7. Data retention
The CPRA prohibits businesses from retaining personal information longer than is reasonably necessary for the disclosed purpose of collection. Businesses are also required to inform consumers of the length of time they plan to retain personal information and sensitive personal information, or of the criteria used to determine that period.
8. Moratorium on the governance of employee data
Personal information collected by a business in the employment context, which covers both employee and contractor relationships, is not regulated by the CPRA until 2023, extending the current exemption's expiration date of January 1, 2021. The reasoning is that, while the privacy interests of employees must be protected, the employment relationship is not a consumer-business relationship.
9. Automated profiling and decision-making
The CPRA defines "profiling" as the automated processing of personal information to evaluate personal aspects of an individual and to make predictions concerning that individual's performance in a certain environment. It also creates new access and opt-out rights related to automated decision-making and mandates the development of regulations governing access and opt-out rights with respect to businesses' use of automated decision-making technology.
10. Service provider/contractor/third party’s obligations
Modeled on the EU GDPR's obligations for processors, the CPRA imposes contractual and direct obligations on service providers, contractors, and third parties. These obligations include, among others, allowing the business to monitor the compliance of the service provider and its affiliates with respect to the processing activities, providing privacy protection at the level the CPRA requires, and assisting the business in fulfilling verifiable consumer requests concerning their personal information. Violations of service providers' direct obligations could result in direct liability.
With CCPA enforcement now under way, businesses have begun to adjust their privacy practices. The introduction of the CPRA, and the likelihood that it will pass in the near future, should prompt businesses to start familiarizing themselves with the act, especially since the CPRA will not only introduce new provisions but also establish CalPPA as a dedicated privacy agency that may scrutinize businesses' privacy practices even more closely.