On November 3, 2020, California voters passed Proposition 24, the California Privacy Rights Act (CPRA), by a margin of approximately 56% to 44%. By this vote, California has decided to amend and supersede the groundbreaking and still new California Consumer Privacy Act (CCPA), which came into effect on January 1, 2020. The CPRA will supersede the CCPA effective January 1, 2023. Until that time, the CCPA remains in effect.
Many readers may be scratching their heads as to why California would replace the CCPA so quickly, so some background on how we arrived at the CPRA is useful. In 2018, Californians for Consumer Privacy sponsored a ballot initiative to place a new privacy law on the November 2018 California ballot. After obtaining the requisite signatures to qualify for the ballot, Californians for Consumer Privacy negotiated a legislative deal whereby it withdrew the initiative in exchange for the legislature passing the CCPA. The CCPA, though, was less restrictive than the law originally proposed by the ballot initiative, and thus Californians for Consumer Privacy began a process to modify the CCPA and expand potential enforcement.
The result of this process is an extensive and detailed piece of legislation. In its more than 50 pages, the CPRA makes revisions both significant and minor to the CCPA, including altering the law's application, creating a new oversight agency (CalPPA), expanding breach reporting obligations, and enhancing individual private causes of action.
The Compliance Guide
We prepared this Compliance Guide for two purposes: to provide brief summaries of the CPRA's key provisions and to encourage businesses (in California or otherwise) to begin planning for what will be one of the nation's most expansive and strict data privacy laws. In the first section of this guide, "Key Topics," we address the law's application, review key concepts, and summarize some of the law's more noteworthy and important provisions. In subsequent sections, we provide a general timeline of key dates and deadlines relating to the CPRA's implementation. We end with a compliance checklist for businesses regarding how to approach planning for and complying with the CPRA.
Who Needs to Comply with the CPRA?
The CPRA applies to any entity organized and operated for profit or financial benefit that:
- collects consumers' personal information,
- determines the purpose and means of processing that information,
- does business in the state of California, and
- meets one or more of the following thresholds: 1) has annual gross revenue in excess of $25 million, adjusted for inflation, 2) annually buys, sells, or shares the personal information of 100,000 or more consumers or households, or 3) derives 50% or more of its annual revenues from selling or sharing consumers' personal information.
Those readers familiar with the CCPA will note that the above criteria differ in that the second threshold in the last bullet point was changed from 50,000 or more consumers, households or devices to 100,000 consumers or households. While the increase from 50,000 to 100,000 may not materially affect the CPRA's application to many businesses, the removal of "devices" is a potentially significant change.
My business is not located in California - do I really need to comply?
While the CPRA's definition of "does business" is broad, CPRA compliance is not required if every aspect of a business's commercial conduct takes place wholly outside of California. Commercial conduct takes place wholly outside of California if:
- The business collected the consumer's personal information while the consumer was outside of California,
- No part of the sale of the consumer's personal information occurred in California, and
- No personal information collected while the consumer was in California is sold.
Therefore, if a California resident provides information to a business outside of California, and that business neither conducts commercial activity in California nor sells that information in California, the CPRA is inapplicable.
Who Is a California Resident?
The CPRA applies to the personal information of California residents, which the law refers to as "consumers."
A consumer is a natural person who is a California resident, as that term is defined in the California tax regulations. According to California tax provisions [1], a resident is defined as:
- An individual who is in California for other than a temporary or transitionary purpose; and
- An individual domiciled in the state of California who is outside of the state for a temporary or transitionary purpose.
As shown above, the definition of a California resident is quite broad. When analyzing whether a purpose is "temporary or transitionary," businesses should take into account a number of factors unique to each case.
1. Section 17014 of Title 18 of the California Code of Regulations.
Originally Published 30 June 2021