In June 2018, California passed the California Consumer Privacy Act (CCPA), becoming the first state in the country to pass a comprehensive consumer data and privacy law. The CCPA was loosely based off of the General Data Protection Regulation (GDPR) implemented by the European Union, but took a broader view than the GDPR.
More recently, on November 3, 2020, California voters approved the California Privacy Rights Act (CPRA), which amends and expands the CCPA. Although the CPRA took effect on December 16, 2020, most of the provisions amending the CCPA will not go into effect until January 1, 2023.
This edition of our "Gearing Up" for privacy law compliance series will discuss key changes brought on by the CPRA, outline some key modifications in the proposed regulations, and give information on how the law will be enforced.
CPRA's Scope and Threshold Requirements
The CCPA only applied to businesses, service providers, and third parties, but the CPRA adds a fourth entity—contractors—to the list of obligated entities.
A contractor is similar to a service provider—they are bound by the terms of a written contract with restrictions and prohibitions on the use of personal information. However, a contractor must certify that it understands these restrictions and prohibitions and that it will comply with them.
In order to comply with the CPRA, contractors must adhere to the
terms of their contract and use personal information only to
perform services on behalf of a business, implement security
safeguards, not combine personal information received from a given
business with any personal information received from other
businesses, and notify the business regarding their use of
subcontractors (who are bound to the same contractual terms as the
The CPRA did not make changes to the CCPA's threshold requirements. Thus, the CCPA/CPRA continues to be applicable to entities that:
- Conduct business in the state of California that collects, shares, or sells California residents' personal data; and
- Satisfy one of the following:
- Have a gross annual revenue of over $25 million;
- Buy, receive, or sell the personal information of 50,000 or more California residents, households, or devices; or
- Derive 50 percent or more of their annual revenue from selling California residents' personal information.
The CPRA created a new agency—the California Privacy Protection Agency (CPPA"—that was given rulemaking and enforcement authority. On May 27, 2022, the CPPA released a preliminary draft of its proposed regulations. Of note, the draft focuses on creating a more consumer-friendly experience. While these proposed regulations will likely undergo changes following the notice and comment period, some key points from the draft are outlined below.
Under the CCPA, consumers have six specific rights: (1) the right to know and request disclosure; (2) the right to delete; (3) the right to opt out of the sale of personal information; (4) the right to opt into the sale of personal information of consumers under the age of 16; (5) the right to non-discriminatory treatment; and (6) the right to initiate a private cause of action. The CPRA and the proposed regulations create two additional rights:
- The right to correct inaccurate personal information;
- The right to limit use and disclosure of sensitive personal information (e.g., SSN, DLN, financial information, geolocation, racial or ethnic origin, religious beliefs, union membership, contents of physical or electronic communications, genetic data, etc.).
Some other notable changes are listed here:
- New requirements for user interface design that obtain valid consent through the use of dark patterns.
- Several new and modified provisions impacting service providers and vendors that expand the applicability of service provider provisions while excluding cross-contextual advertising services, add product or service improvements to the list of reasonable uses of personal information, and institute explicit and specific requirements for contracts with service providers and contractors.
- Additional contractual requirements for third parties that receive personal information from an entity other than the individual to whom the personal information belongs.
- Controllers must conduct due diligence on service providers, contractors, and third parties to determine whether these entities are compliant.
- Consumer notification for third-party involvement in the collection of personal information.
- Data minimization requirements that require businesses to collect, use, retain, and/or share consumers' personal information only in a way that is "reasonably necessary and proportionate" to the original purpose for collecting it. This standard is governed by the expectations of the average consumer, although the draft does not illustrate or delineate how those expectations will be determined.
- Requirement that businesses process consumer opt-out preference signals (i.e., do-not-track signals) that meet certain requirements.
- Cookie banners or cookie controls will no longer be sufficient on their own as opt-out or limit mechanisms.
What Your Business Can Do
Enforcement on the CPPA's final regulations will begin in July 2023. Because the CPPA has published its proposed regulations, there is a 45-day (minimum) public comment period. Entities are encouraged to comment on the proposed regulations. Additionally, entities should stay apprised of changes to the CPPA's proposed regulations.
While the original CCPA gave enforcement authority to the California Attorney General, the CPRA gave the CPPA "full administrative power, authority, and jurisdiction to implement and enforce" the CCPA/CPRA. However, the CPRA does not limit the Attorney General's power to enforce the CCPA. Additionally, the CCPA/CPRA is unique in that it allows residents a private right of action.
In the event of non-compliance, the CCPA provides for civil penalties, damages (in actions brought by consumers), non-monetary relief, and injunctions brought by the Attorney General.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.