The California Consumer Privacy Act ("CCPA"), which went into effect January 1, 2020, created rights and obligations related to the collection and sale of consumer personal data. The California Privacy Rights Act ("CPRA") was a ballot measure that was approved by California voters on November 3, 2020. The CPRA significantly amends and expands the CCPA. Notably, the majority of the provisions revising the CCPA do not become "operative" until January 1, 2023, and enforcement will apply only to violations occurring on or after January 1, 2023.
The CCPA and CPRA apply to four different categories of entity: "businesses," "service providers," "third parties," and "contractors." Each category has different obligations under the CPRA, so it is important to determine which category your organization falls into in order to ensure compliance.
The CPRA requires that contracts between businesses and service providers, contractors, or third parties (1) state that personal information is sold or disclosed only for limited and specific purposes; (2) require the service provider, contractor, or third party to comply with the CPRA and to provide at least the level of privacy protection the CPRA requires; and (3) allow the business to "take reasonable and appropriate steps" to ensure that the third party's, service provider's, or contractor's use of personal information is consistent with the CPRA, and to remediate unauthorized uses.
While the CPRA codifies two popular exemptions from the CCPA, one for personal information collected in the employment context and one for personal information collected in business-to-business transactions, both exemptions expire on January 1, 2023. This development is significant for businesses, which must develop internal compliance mechanisms to handle and respond to requests from their employees to exercise rights over their personal information.
The CCPA requires businesses to institute controls that protect consumer rights, such as providing notice at the time of data collection, honoring the right to opt out of the sale of personal information, and giving notice of financial incentive programs. The CPRA expands the rights granted under the CCPA in two ways.
First, rights involving the sale of data are expanded to cover the sale or sharing of data. The CCPA initially limited the right to opt out to the sale of personal information; the CPRA extends it to the sharing of personal information, which includes the use of personal information for cross-context behavioral advertising. Simply put, consumers must be able to opt out when advertising is targeted based on personal information obtained from the consumer's activity across businesses, distinctly-branded websites, applications, or services other than the one with which the consumer intentionally interacts.
Second, the CPRA creates the right to correct inaccurate personal information and the right to limit the use and disclosure of sensitive personal information. The CPRA's definition of sensitive personal information is broader than the definitions in other state data privacy laws, such as those of Virginia and Colorado, and includes categories such as a consumer's Social Security, driver's license, state identification card, or passport number; the contents of a consumer's mail, email, and text messages (unless the business is the intended recipient of the communication); and a consumer's account log-in information.
Under the CPRA, consumers have the right to direct a business to use or disclose sensitive personal information only for purposes necessary to perform the services or provide the goods requested, with a few limited exceptions, such as use for security, website maintenance, and non-personalized advertising purposes. Importantly, businesses with websites must include a link titled "Limit the Use of My Sensitive Personal Information" and must inform the consumer of the specific practices the business follows in limiting the use of sensitive personal information.
A consumer may send a request to exercise their rights under the CPRA, including the right to correct and the right to limit the use and disclosure of sensitive personal information, through a process similar to the one provided under the Virginia and Colorado laws.
The CCPA vests the California Attorney General with enforcement authority. The CPRA additionally establishes the California Privacy Protection Agency, which is vested with "full administrative power, authority, and jurisdiction to implement and enforce" the CCPA. In enforcement actions, businesses, service providers, and contractors can face an injunction and/or fines of up to $7,500 per intentional violation or $2,500 per unintentional violation of the CCPA. For violations involving the personal information of consumers under 16 years of age, businesses, service providers, and contractors can face administrative fines of up to $7,500 when the business, service provider, or contractor had actual knowledge that the consumer was under 16.
The CPRA eliminates the 30-day cure period for administrative actions. In its place, the California Privacy Protection Agency has discretion to grant an opportunity to cure, with no fixed time period attached.
Notably, the CPRA adds a private right of action for unauthorized access to or disclosure of an email address in combination with a password or security question and answer that would permit access to the account, where the breach results from the business's failure to maintain reasonable security. In actions brought by consumers, consumers may recover statutory damages of not less than $100 and not more than $750 per consumer per incident, or actual damages, whichever is greater. Consumers may also seek injunctive or declaratory relief, as well as any other relief the court deems proper.
As the data privacy landscape continues to shift, it is vital that companies that process, or control the processing of, personal information stay up to date on the laws and regulations affecting their business.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.