In November 2020, Californians voted to pass the California Privacy Rights Act (CPRA), a significant addition and amendment to the currently operative California Consumer Privacy Act (CCPA).
Most of CPRA’s provisions will become effective on January 1, 2023, and administrative enforcement will start six months later, with a 12-month look-back period (CPRA will apply to personal information collected by businesses on or after January 1, 2022).
Below we summarize a few key additions and modifications that CPRA makes to CCPA:
The definition of covered business is amended (changes in bold).
Under CPRA, businesses that satisfy one or more of the following thresholds must comply with the law:
- has over $25,000,000 in gross annual revenue in the preceding year;
- buys, sells or shares the personal information of over 100,000 consumers or households; OR
- derives at least 50 percent of annual revenue from selling or sharing consumers’ personal information.
Again, there is no requirement that the company be physically located in California.
If a company handles personal information related to California residents (e.g. Californians visit its website), it may want to take time to determine if it needs to comply with the privacy laws.
Sensitive Personal Information
CPRA adds a new category of sensitive personal information with additional restrictions on its collection, use and disclosure.
- Examples of sensitive personal information include government identification information, precise geolocation, contents of private communications, ethnicity, religion and biometric information.
- Companies should disclose their collection of sensitive personal information, and consumers should be allowed to limit how such information is used or disclosed.
California Privacy Protection Agency
CPRA creates a privacy protection authority, the California Privacy Protection Agency (CPPA), to issue additional rules, investigate possible violations and enforce the CPRA through administrative proceedings.
Moreover, CPPA will appoint a Chief Privacy Auditor to conduct audits of businesses to ensure compliance with the law.
30-day Cure Period
CCPA includes a 30-day cure period, which generally allows a company to avoid enforcement actions brought by the California AG if it can cure the violation within 30 days after being notified of non-compliance.
Now, it is within the CPPA’s discretion to determine how much time a company should have to remedy the violation.
Moreover, with regard to security breaches, CPRA adds that the implementation and maintenance of reasonable security procedures and practices following a breach does not constitute a cure with respect to that breach.
Changes to Consumer Rights
As discussed above, CPRA adds the right to restrict the use and disclosure of sensitive personal information.
CPRA also includes a new right to correct personal information, and makes a few changes to the existing rights:
- Right to Delete: Businesses must notify all third parties to delete a consumer’s personal information received pursuant to a request submitted by the consumer, unless this proves impossible or involves disproportionate effort.
- Right to Know: Consumers have the right to know what information is collected beyond the prior 12 months.
- Right to opt out: Under CCPA consumers have the right to opt out of the sale of their personal information to third parties. Now the opt-out right also covers the sharing of personal information (no exchange of monetary value or other valuable consideration is required).
Third Party Contracts
CPRA requires a company that sells or shares consumer personal information to enter into an agreement with each recipient of such information to specify the purpose for the sale or sharing of personal information and to obligate the third party to comply with CPRA.
A company’s collection, use and retention of a consumer’s personal information shall be “reasonably necessary and proportionate” to achieve the specified purposes for processing.
Cybersecurity Audits and Risk Assessments
CPRA also requires businesses whose processing of consumers’ personal information presents significant risk to consumers’ privacy or security to conduct a cybersecurity audit on an annual basis and submit risk assessments to CPPA on a regular basis with respect to their processing of personal information.
More specific standards will be announced by CPPA pursuant to its rule-making authority.
New Cause of Action
CPRA adds a new private right of action, allowing consumers to bring lawsuits against a company if an email address in combination with a password or security question and answer is subjected to unauthorized access as a result of a company’s unreasonable security procedures.
The full text of the CPRA can be accessed here.
Before CPRA takes effect, companies are still expected to comply with CCPA.
As a reminder, violation of CCPA can subject one to a civil penalty imposed by the California Attorney General of up to $2,500 per violation or $7,500 per intentional violation.
The CCPA also provides a private right of action which is limited to data breaches.
Under the private right of action, consumers may recover statutory damages ranging from $100 – $750 per consumer per incident or actual damages suffered by the consumers as a result of the breach (whichever is greater).
Since CCPA took effect on January 1, 2020, most of the private lawsuits filed have been class actions.