Five major changes to California’s privacy law your business should know about

Last election day, Californians approved Proposition 24, adopting the California Privacy Rights Act (CPRA) to expand the state’s existing privacy law, the CCPA.

Besides establishing a new enforcement agency and making it harder for state lawmakers to restrict state privacy law beyond the CPRA’s minimum standards, the new law makes substantial changes to California’s privacy regime. Below are the five major changes that might affect businesses. 

(1) The new definition of covered businesses excludes smaller businesses but reaches larger companies’ data sharing practices. 

Under the old law, businesses were only subject to the CCPA if they collected data from 50,000 or more California consumers, households or devices, or if half the business’s revenue came from selling consumers’ information. The CPRA drops “devices” from the definition of covered businesses, doubles the consumer/household threshold, and expands the revenue prong to include selling or sharing personal data.

Increasing the consumer/household collection requirement to 100,000 consumers or households, and dropping “devices” from the calculation, means many smaller businesses will be excluded from the CPRA’s regulatory reach.

However, including revenue from sharing – not just the sale of PI – picks up more businesses’ data practices and subjects them to the CPRA’s consumer protection requirements. For example, app analytics companies often offer free data tracking services to app developers in exchange for the right to collect the app users’ information. That information is then used for targeted advertising.

Under the old “sale” language, that data sharing practice may not have been classified as a sale of PI, which would have likely exempted the analytics company from CCPA requirements. With the CPRA, the phrase “or share” expands the law’s reach to ensure those practices are subject to its regulations.  

(2) The new category of personal information (PI) creates more disclosures and opt-out requirements for businesses.

The CPRA creates a new subset of PI called sensitive personal information (SPI). That new category includes data on race, ethnicity, religious beliefs, sexual orientation or habits, political leanings, health data, geolocation, biometric data, SSN, driver license information, and financial information.  

This new category of information is regulated differently than other types of PI in that users have the right to opt out of a company’s SPI collection practices, and a business must obtain subsequent consent if a user has already opted out of the business’s data selling practices. Additionally, companies must provide new disclosures and purpose limitations for the collection of that type of data.

(3) CPRA’s new requirements move the state’s regulatory regime closer to the GDPR.

Expanded Consent: The CPRA requires consents for selling or sharing PI in the following situations: 

  • After a consumer has exercised their opt-out right;
  • When the PI is that of a minor;
  • For secondary uses of SPI (like third-party sharing); 
  • For research exemptions; and 
  • For opting-in to financial incentive programs. 

Data Minimization: A business cannot collect (or share) more consumer data than is necessary for the purpose stated in its privacy policy. So, businesses need a data collection purpose statement if they don’t already have one (see next point).

Purpose Limitation: A business’s privacy policy should explicitly state the PI it plans to collect and the purpose for collecting it. Any new purpose adopted after the initial one must be communicated to consumers, and, in the case of SPI, the business will have to obtain consent from the consumer before applying a new use to such information.

Storage Limitation: Consumers have a right to know how long a company will be storing their PI, and that time frame may not be longer than necessary in relation to the stated purpose for which the business collected the information. Therefore, the business is required to notify residents about the retention period of each type of PI (at the time of collection).

(4) The CPRA creates four new privacy rights (and modifies existing rights).

  • Right to Correction: Consumers can ask you to correct inaccuracies in their PI.
  • Right to Opt-Out of Automated Decision Making Tech: Consumers can opt out of the AI-backed, automated decision-making practices some companies use in their end-user interface. Google’s Smart Compose feature is an example of this type of practice.
  • Right to Access Info about Automated Decision Making: In that same vein, the CPRA allows users to request information about the logic and likely outcome of such an automated decision-making process.
  • Right to Restrict SPI: With the new category of PI, users may also specifically limit a company’s collection, use, or disclosure of their SPI. This right is particularly geared toward limiting third-party sharing of SPI.

Additionally, the CPRA modifies the CCPA rights to allow consumers to request that businesses notify third parties of their deletion requests or transmit specific information to other businesses. With these new and modified rights, companies must ensure they can accommodate a covered consumer’s exercise of those rights.

(5) The CPRA’s new category for advertising changes some opt-out requirements.

The CPRA specifically regulates “cross-context behavioral advertising.” That is the collection of specific PI in order to profile a user’s likely preferences and then advertise products (or, more realistically, share data with third-party advertisers) accordingly. Under the new law, businesses must allow consumers to opt out of that type of data sharing and advertising practice.

On the other hand, “non-personalized advertising,” which is based on first-party advertising without using behavioral PI, is exempted from the opt-out requirements as a legitimate business purpose. That distinction in advertising changes the existing CCPA opt-out requirements to only apply to behavioral advertising.

So a game can push out advertising to its users based on contextual information, such as the type of game the user is playing, without worrying about the CPRA’s opt-out requirements; however, that same game must honor opt-out requests if it deploys more targeted advertising methods, like using cookie data to personalize advertising campaigns.

Important Dates and Considerations

The CPRA won’t become effective until January 1, 2023, and it won’t be enforced until July 1, 2023. However, thanks to the law’s one-year look back period, it will apply to data collected as early as January 1, 2022, so covered businesses need to begin ironing out their compliance programs. 

On July 1, 2021, the independent privacy protection agency created by the CPRA (the CPPA) will begin the extensive process of proposing and adopting the regulations that will govern compliance with the new law. Its deadline for adopting final regulations is July 2022. Under the CPRA, the CPPA has broad rulemaking authority on a number of issues, including standards and mechanisms for opt-out rights, data access and correction requests, and data assessments. It is also vested with the power to implement and enforce the Act. We’ll be keeping a watchful eye on news from the CPPA as it develops.