Before the dust has even settled on many California Consumer Privacy Act (CCPA) compliance projects, California voters have welcomed the future of privacy by overwhelmingly approving Proposition 24: The California Privacy Rights Act (CPRA).  Building off of the CCPA framework, the CPRA expands the rights of California consumers, adds new responsibilities for both business and service providers, and creates a new state agency, the California Privacy Protection Agency (the Agency), to take over enforcement from the state Attorney General.  Here are the notable changes:

First, every business will be happy to know that the B2B and employee information sunsets have been extended until January 1, 2023 (after being extended by another year until 2022 by the legislature).

Next, the CPRA establishes new rights for California consumers:

  • Consumers may request that a business correct inaccurate personal information
  • Consumers may opt-out of sharing (not just sales): In addition to the right to opt-out of the sale of their personal information, which has led to a significant amount of confusion regarding whether third-party cookies constitute sales, the CPRA specifically provides a right to opt out of the sharing of information for cross-context behavioral advertising.
  • Consumers will have an expanded right of access: Starting on January 1, 2023, businesses are required to provide access to more than 12 months of personal information “unless doing so proves impossible or would involve a disproportionate effort.”
  • Consumers have the right to request that the business minimize its use of sensitive data, which includes:
    • SSN, driver’s license, state ID card or passport
    • Account log in or financial account information in combination with security codes or passwords
    • Precise geolocation (radius of 1,850 feet)
    • Racial or ethnic origin, religious or philosophical beliefs, or union membership
    • Contents of a consumer’s mail, email or text messages unless the business is an intended recipient of the communication
    • Genetic data
    • Biometric data processed to identify a consumer
    • Personal information collected and analyzed concerning a consumer’s health, sex life, or sexual orientation

Similar to HIPAA’s minimum necessary rule and the GDPR’s data minimization principle, the CPRA codifies data minimization principles: The collection, use, retention and sharing of personal information must be “reasonably necessary and proportionate to achieve the purposes for which the personal information was collected or processed.”  The new law also requires notice of retention periods, and those retention periods must be “no longer than reasonably necessary” for each disclosed purpose.

The CPRA has new obligations for businesses selling, sharing, or disclosing data, requiring applicable agreements to include provisions:

  • Specifying the limited and specified purposes for which the personal information is sold or shared.
  • Requiring the recipient to comply with the CCPA/CPRA.
  • Granting the business the right to take reasonable steps to ensure the recipient uses the personal information appropriately.
  • Requiring the recipient to notify the business if it determines it cannot meet its CCPA/CPRA obligations.
  • Granting the business the right, with notice, to take steps to stop and remediate unauthorized use of personal information.
  • When information is shared with contractors or service providers, also prohibiting the recipient from combining personal information received from the business with other personal information received from other sources.

Service providers will have direct responsibilities under the new law, many of which businesses already impose through their existing privacy terms in agreements with third parties.  While service providers do not need to respond to consumer requests (if they only have access to data due to their role as service providers), the law states they must cooperate with the business in responding to a consumer request, including deleting and having its service providers or data recipients delete any personal information.  They also have an obligation to notify the business regarding their use of subcontractors and have their subcontractors enter into written contracts binding them to similar terms to which the service provider is bound.

There are a few other notable changes as well:

  • The definition of business has been refined to double the number of California consumers whose personal information is bought, sold, or shared (not just received) from 50,000 to 100,000 and to clarify the period for calculating the $25 million threshold (gross revenues from prior year).
  • Businesses may now offer loyalty programs if the different price, rate, level or quality of goods or services is reasonably—a change from the CCPA’s “directly”—related to the value provided to the business.
  • The CPRA expands upon exceptions for cooperating with law enforcement and maintaining personal information that is subject to law enforcement inquiry.
  • It clarifies that implementing reasonable security measures following a breach does not “cure” the breach.

With the creation of the California Privacy Protection Agency, California is the first state to shift privacy responsibilities away from the state’s attorney general, the typical regulator of general privacy violations at the state level.  The new Agency has significant powers, including responsibility for creating future regulations and the right, for businesses “whose processing of consumers’ personal information presents significant risk to consumers’ privacy or security,” to require those businesses to both (a) perform an annual cybersecurity audit and (b) submit a privacy risk assessment addressing their processing of sensitive information and weighing the benefits to the business, consumer, public and other stakeholders against the risks to the rights of the relevant consumers.  Similar discussions of the creation of an independent privacy agency have occurred at the federal level; this division of power may be a harbinger of regulatory structure for privacy laws in other states as well.

The CPRA goes into effect on January 1, 2023 – slightly more than two years away.  More will come from the Agency, especially as the seats on the five-member board are filled and will likely provide more interpretation and guidance related to the regs.  Still, as companies that grappled with GDPR and CCPA know, data governance and security compliance programs require time, attention and effort from all aspects of a business. Now is the time to begin – or begin revising – your data governance projects and establish systems with an eye towards CPRA.