On 3 November 2020, California citizens voted and directly approved the enactment of the Proposition 24 or officially the California Privacy Rights Act of 2020 (CPRA), which amends and expands the existing California Consumer Privacy Act (CCPA) that became effective on 1 January 2020. In a nutshell, being GDPR-inspired, the CPRA creates new consumers rights, modifies existing ones, introduce a new category of sensitive personal information, alters the scope of application and establishes a dedicated privacy protection authority. The CPRA will become effective on 1 January 2023, applying though to personal information already collected by businesses on or after 1 January 2022.
The CPRA changes the criteria for which business are regulated. In particular, the CPRA doubles the threshold number of consumers or households (no reference to devices anymore) from 50,000 to 100,000, resulting thus to the exclusion of small and medium businesses. Furthermore, it expands the applicability of the privacy laws to businesses that generate their revenue not just from selling but also from sharing personal information.
Moreover, the exemption envisaged in the CCPA that its obligations upon the businesses would not apply to employment and business-to-business data until 31 December 2021, is now extended for an additional year, until 31 December 2022, and they will fully expire on 1 January 2023.
The CRPA establishes new consumer privacy rights and expands the existing ones as follows:
Right to correction
The CPRA adds a new consumer right to request businesses to use commercially reasonable efforts in order to correct inaccurate personal information, taking into account the nature of the personal information and the purposes of the processing of the personal information.
Right to limit the use and disclosure of sensitive personal information
The CPRA adds a new consumer right to direct a business that collect sensitive personal information to limit its use and disclosure of such information for purposes other than those that are commercially necessary or as otherwise authorized by the CPRA. This new category of personal information, the sensitive personal information, includes government-issued identifiers (social security, driver’s licence etc), finance information, precise geolocation, race or ethnic origin, religious or philosophical beliefs, union membership, sex life or sexual orientation, contents of private communications, genetic data, biometric data, and specified health information. The CPRA grants the consumers the rights to restrict businesses’ use and disclosure of these information for advertising and marketing purposes.
Right to opt-out of automated decision making
The CPRA gives consumers the right to opt out of the use of automate decision making technology, including profiling.
Right to know about automated decision making
The CPRA gives consumers the right to request access to and information about how automated decision technologies work and what their likely outcomes are.
Right to deletion
The CPRA modifies the deletion right by requiring service providers, contractors and third parties to cooperate with the business to delete personal information from their records pursuant to a consumer request.
Right to know
The CPRA expands the right to know to include personal information collected beyond the prion after 12-month period, if collected after 1 January 2022).
Right to opt out of sharing (additional to sale)
The CPRA expands the right to opt out by requiring businesses to provide consumers with the ability to opt out of sharing personal information for the purposes of cross-contextual behavioral advertising.
Rights of minors
The CPRA provides that the opt-in requirement for businesses when dealing with minors is extended to include the sharing of personal information for behavioral advertising purposes.
Right to data portability
The CPRA empowers the consumers to request to have their personal information transmitted to another entities.
The CPRA imposes additional obligations on businesses that essentially correspond to the GDPR principles of transparency, data minimisation, purpose limitation, storage limitation and data security. In particular:
The CPRA requires businesses to only collect, use, retain and share consumers’ personal information for specific, explicit, and legitimate disclosed purposes and only to the extent that it is relevant and limited to what is necessary in relation to the purposes for which it is being collected, used, and shared.
Information obligations of businesses expand to inform consumers not only of the categories of personal information collected (including now also the categories of sensitive personal information collected) but also for what purposes; if that information is sold or shared; and the length of time the businesses intend to keep each category of information.
Furthermore, the CPRA requires business to notify, at the time of collection, consumers of the retention periods of each category of personal information collected. Businesses are further prohibited from retaining PI for longer than is “reasonably necessary”for each disclosed and specifies purpose.
Finally, the CPRA requires businesses to implement reasonable security procedures and practices and to perform mandatory risk assessments and cybersecurity audits for high-risk activities.
The CPRA also expands the current consent requirements envisaged in the CCPA to include:
· Consent needed for the selling or sharing personal information after a user has already opted out
· Consent needed when selling or sharing the personal information of minors
· Consent needed for secondary use, selling or sharing of sensitive personal information after a user has opted out
· Consent needed for research exemptions
· Consent needed to opt-in to financial incentive
Similar to the concept of the Data Protection Authorities established in each member state of the European Union under the GDPR, the CPRA provides for the establishment of a dedicated privacy enforcement authority, the California Privacy Protection Agency. The Agency will replace the California Office of Attorney General and it will be vested with full enforcement, investigative and rule making powers regarding the implementation of the Californian consumer privacy laws.
The CPRA removes the 30-day time period in which businesses can currently correct alleged violations before the commence of administrative enforcement and the imposition of penalties by the AttorneyGeneral.
Furthermore, the CPRA triples the maximum penalties up to $7,500 for violations concerning minors under the age of 16 and authorises civil penalties for theft of specified consumer login information.
In view of the CPRA, businesses should perform a data mapping exercise in order to determine whether they collect sensitive personal information and review their data retention policies. Businesses should also update their privacy statements with the new required information and implement mechanisms for allowing consumers to exercise their rights to correction and opt-out. In this regard, businesses shall update their “Do not sell my personal information” mechanism to include a second “Limit the use of my sensitive personal information” or bundle both of them under one single link. Finally, Businesses should update their “Do not sell my personal information” to read as “Do not sell or share my personal information”.