New privacy rules are coming to California thanks to state voters, on the heels of landmark legislation passed and signed into law not long before the last election. California voters passed Proposition 24, known as the California Privacy Rights Act (CPRA), in November 2020. The CPRA significantly amends the California Consumer Privacy Act (CCPA) enacted not long before that election and established the California Privacy Protection Agency (the Agency). While the CCPA remains the law of the land for covered businesses that interact with California customers, the CPRA, which goes into effect January 1, 2023, will broaden consumer rights and create new obligations. Here are the top 10 things covered businesses interacting with Californians should consider as the effective date for the CPRA draws near.
1. Find Ways to Keep up with New and Emerging Rules and Regulations
As every business leader knows, the past few years have seen an unprecedented number of data privacy and protection laws enacted or revised around the world. Keeping up with the growing number of increasingly complex regulations is challenging, but it is necessary in order to avoid missteps or fines. Indeed, the CPRA charges the new Agency with issuing regulations on twenty-two topics by July 1, 2022 in an effort to help businesses implement the new law. Given the complex landscape, businesses must find ways to stay on top of these changes, including by conducting regular audits, having trusted legal guidance, and adopting a holistic approach to privacy across the enterprise.
2. Consider the Scope of Application for the CPRA
The CPRA modifies the threshold requirements for covered "businesses" that collect consumers' personal information. A for-profit entity doing business in California must meet at least one of three thresholds, each of which the CPRA amends, to be a covered business: (1) the law clarifies that the $25 million annual gross revenue threshold is measured as of January 1 of the calendar year, based on the preceding calendar year; (2) the law increases the number of "consumers" or "households" whose personal information a for-profit entity must annually buy, sell, or share from 50,000 to 100,000; and (3) the law requires companies to count annual revenue derived from both "selling" and "sharing" (a newly defined term) personal information when assessing whether more than half of their annual revenue is derived from such disclosures of personal information. Interestingly, the CPRA will also broaden the scope of its application by covering an entity doing business in California that voluntarily certifies to the Agency that it is in compliance with, and agrees to be bound by, the CPRA.
3. Review Privacy Notices and Notices at Collection
California Attorney General Rob Bonta announced a "first-year" enforcement update on the CCPA in July 2021, highlighting 27 examples of enforcement cases. Notably, one of the most frequently cited alleged deficiencies in CCPA compliance related to inadequate transparency. The Attorney General indicated that he evaluates privacy notices as more than a check-the-box exercise. The CCPA already requires that businesses update their notices annually, and the CPRA will require businesses to update their notices with additional disclosures. Thus, businesses should ensure a process is in place to conduct annual reviews of privacy notices, including updating notices for the CPRA in advance of its effective date.
4. Review Security, Incident Response Plans
Pursuant to the CCPA, consumers may bring a private right of action against a business when certain types of personal information that are not encrypted or redacted are subject to unauthorized access and exfiltration, theft, or disclosure as a result of the business's failure to maintain "reasonable" security practices and procedures. What constitutes "reasonable security" has been the subject of much debate and little guidance from the courts. The CPRA expands the types of data subject to a private right of action should a breach occur. Businesses should evaluate their security and review policies and procedures to ensure their written information security program identifies the administrative, technical, and physical safeguards necessary to protect personal information. The documentation should include personnel training, vendor management, risk assessments and measures to mitigate risk, an incident response plan, and a data retention policy.
5. Inventory and Categorize Data
A key component of both the CCPA and the CPRA is knowing what data the business collects about consumers, how it is used, and where it is stored. The CPRA adopts a definition of "sensitive personal information" as a new category of data that is notably broad and includes demographic information such as a consumer's racial or ethnic origin, religious or philosophical beliefs, union membership, or sexual orientation; the contents of consumers' communications; genetic and biometric data; precise geolocation; and personal information concerning a consumer's sex life. Consumers will have separate, additional rights to opt out of the use of their sensitive personal information, which will create new business obligations. Businesses that collect any of the above information should be able to easily identify it in their systems, along with other personal information, in order to respond to consumer requests and comply with the new requirements.
6. Plan to Minimize Data Collection
Though a core principle in other data protection laws around the world, data minimization is not a requirement under the CCPA. The CPRA, however, bars businesses from collecting more personal information than is "reasonably necessary and proportionate to achieve the purposes for which the personal information was collected or processed." The CPRA also requires that a business "shall not retain a consumer's personal information or sensitive personal information [. . .] for longer than is reasonably necessary" for the purpose for which it was collected. Companies must carefully evaluate what data they collect and the purpose of the collection, with an eye toward eliminating unnecessary data collection. Businesses must also implement measures to remove such information from their systems once it is no longer needed for those purposes.
7. Consider How to Treat Employee Data Moving Forward
Pursuant to a 2019 amendment to the CCPA and a subsequent extension, the majority of the CCPA does not apply to "personal information" collected by a business in the course of a person acting as an employee, job applicant, or contractor. Starting in January 2023, all CPRA obligations will apply to this previously exempt employee data, including notice requirements; rights to access, correct, and delete; rights to restrict the use of sensitive personal information; and rights to opt out of sale and sharing. Given the complexity and sensitivity of employee data generally, it is not too early to begin thinking about how the business will facilitate employee rights under the CPRA. Ensuring that employee data is properly mapped and inventoried is a good place to start.
8. Revisit Contracts
Significantly, the CPRA now requires all sales, sharing, and disclosures of personal information for a business purpose to be made pursuant to a contract. To comply with these new CPRA provisions, businesses will need to evaluate and assess all transfers of personal information and ensure agreements are in place that bind the recipient to the same level of privacy protection as provided by the CPRA. The agreements must also grant the business the right to take reasonable and appropriate steps to remediate unauthorized use, and must mandate that recipients cooperate with and assist businesses in providing requested personal information in response to verifiable consumer requests, as well as in correcting or deleting information or limiting the use of sensitive personal information in response to such requests, each subject to certain exceptions. Businesses will need to review existing contracts or draft new ones to re-classify relevant partners and ensure business partners can perform services as intended.
9. Reassess Consumer Rights Procedures
The CPRA introduces several new consumer rights, including the right to correction, the right to limit the use of sensitive personal information, and the right to opt out of sharing, that will require businesses to update existing CCPA compliance programs. Further, while existing CCPA rights will continue, there are various changes to those rights, including to the access right: "requests to know" the categories of personal information collected about a consumer must include disclosures about sensitive personal information and any sharing, and "requests to know" specific pieces of personal information are subject to new exceptions, such as where the information relates to another individual or is generated for security or data integrity purposes. The CPRA also adds obligations to notify downstream service providers, contractors, and third parties of certain consumer requests. Businesses will need to review their consumer rights procedures and processes and ensure they are aligned with the many changes under the CPRA, while recalling that many requirements for complying with the CCPA were defined through the Attorney General's process of implementing regulations, not just through the statute itself. Under the CPRA, the Agency will conduct a similar rulemaking process, and businesses can anticipate that similar modifications and updates to compliance programs may come out of the new regulations. As a result, businesses should be prepared to implement technical or operational changes as necessary.
10. Prepare for a New Regulatory Landscape
Finally, but quite importantly, the CPRA created the first agency in the United States dedicated solely to privacy. The Agency is governed by a five-member board and will lead investigation, enforcement, and rulemaking on California privacy issues. On October 4, 2021, the Agency appointed Ashkan Soltani as its first Executive Director. Soltani is known for his role in drafting the CCPA and CPRA and for championing the global opt-out of sale control, including by helping to develop the Global Privacy Control specification. Soltani is now engaged in staffing the Agency, which will be responsible for building public awareness about privacy risks and providing guidance to businesses and consumers. The Agency has the power to enforce the CPRA, alongside the Attorney General, by levying administrative fines of up to $2,500 per violation or up to $7,500 per intentional violation or violation involving minors. Though the Attorney General has been vocal about its enforcement of the CCPA, it is anticipated that the Agency will be even more active in investigations and enforcement actions due to its increased funding and its focus on enforcement as one of its primary tasks. Given the changing regulatory landscape for privacy, businesses should consider their obligations under the CPRA and begin formulating a plan for compliance by January 2023.
The CCPA and the CPRA are still very new laws. In order to navigate the uncharted waters and new obligations, businesses should plan ahead, keep a watchful eye on the Agency and its implementation of new regulations, and develop a plan for compliance by 2023. Due to the notable complexities involved, preparation will be key.
Author: Elaine F. Harwell, Senior Counsel and Privacy Officer, Procopio