On November 3, 2020, California voters passed Proposition 24, the California Privacy Rights Act (CPRA), which amends and expands the California Consumer Privacy Act (CCPA) – which itself only went into effect on January 1, 2020. The substantive provisions of the CPRA go into effect on January 1, 2023 and apply to personal information collected on or after January 1, 2022. Enforcement is expected to begin on July 1, 2023.

CCPA – a regulation inspired in many ways by the European General Data Protection Regulation (GDPR) – is a law that gives California consumers certain basic rights: notably the right to know what personal information is being collected about them, the right to access that data, the right to delete data, the right to know who it’s being sold to, and the right to opt out of those sales.

While the CCPA has its own unique requirements, the CPRA arguably makes the CCPA more holistic: it widens the earlier focus on third-party data sharing (a topical area of concern at the time owing to high-profile data breaches) to bring in more data protection dimensions from the GDPR. Hence, the CPRA reinforces the CCPA with additional consumer rights and company obligations that mirror some of the key GDPR provisions.

Key implications for companies
Companies may be at different points in their journey to meet CPRA requirements, depending on whether they have previously sought to comply with the GDPR. The key provisions that companies need to understand in order to assess the operational impact and their readiness to comply are listed below. These areas are:

1. A new type of personal information – “sensitive” personal information:
The CPRA imposes use and disclosure restrictions on “sensitive” personal information. This is similar to the covered information and special categories of data as defined by US state data breach laws and EU GDPR, respectively.

The definition of sensitive personal information is broad and includes data elements such as social security number, state identification card, passport number, financial account number, geolocation data, racial and ethnic origin, and information about the consumer’s sex life and sexual orientation.

The CPRA allows consumers to limit the use and disclosure of their sensitive personal information to the purposes necessary to perform the service or provide the goods requested. In order to comply, companies would have to provide either:

(a) A link on their homepage titled “Limit the Use of My Sensitive Personal Information”, or
(b) A link that covers both the opt-out right in (a) and the right to opt out of selling / sharing personal information – the latter right being covered in the section below.

Firstly, companies need to understand clearly what data they collect; secondly, they need to verify that their categories of data elements are clearly defined, so that they are easily distinguishable from one another. The concepts of data minimization, purpose limitation and storage limitation are at work here, and companies would do well to follow these broad principles.

2. Right to Opt-Out of sharing personal information:
Under the CCPA, consumers were to be provided with the ability to opt out of a sale of their personal information. The definition of the “sale” of personal information within the CCPA was open to some interpretation, which created challenges for many companies in their compliance journey. For example, companies could interpret it to mean that they could share (for no monetary gain) personal information with third parties, who could then use the information for targeted advertising.

Seeking to address this potential for targeted advertising, the CPRA expands the existing right to opt out of sale to include the “sharing” of personal information. Accordingly, companies should advise consumers of this new right by providing them with the ability to opt out of sharing their personal information, and a concerted effort needs to be undertaken to understand how a consumer’s personal information is used by their service providers, to ensure that it is not used for “cross-context behavioral advertising.”

A further consideration for service providers, contractors, and third parties who receive personal information from a company is that they need to build capabilities to comply with the contractual provisions that are now mandatory under the CPRA. The key provisions include:

Use and disclosure restrictions
Audit rights for the company that shares the personal information
Combining personal information from multiple data sources
Prohibition against selling or sharing personal information

3. Further consumer rights:
The CPRA provides for new and expanded GDPR-like rights for consumers that include:

The right for a consumer to request correction of personal information
The right to opt out of automated decision-making, including but not limited to profiling in connection with decisions related to a consumer’s work performance, economic situation, health, and personal preferences;
The right to access personal information subject to automated decision-making;
Expanded right to data portability that helps a consumer to request that the business transmit specific pieces of personal information to another entity; and
Expanded private right of action that authorizes consumers to bring lawsuits for the unauthorized access or disclosure of an email address and password or security question that would permit access to an account, along with access to a consumer’s non-encrypted and non-redacted personal information.

4. Increase of Enforcement Resources:
The CPRA establishes the California Privacy Protection Agency (CPPA) as an independent watchdog to enforce the regulation and “ensure that businesses and consumers are well-informed about their rights and obligations.”

The CPPA may implement and enforce the CPRA and possesses subpoena and audit powers. The CPPA would also be charged with developing public awareness about privacy risks and providing guidance to businesses and consumers. It could levy administrative fines of up to $2,500 per violation of the act, or up to $7,500 per intentional violation or violation involving minors. It would absorb the rulemaking authority granted under the act from the Attorney General’s Office.

5. New Assessment Requirements:
Businesses whose processing presents significant risks to consumer privacy or security would need to perform a thorough and independent cybersecurity audit and submit the results of a risk assessment to the CPPA annually.

Strategies and tactical next steps
Tactically, a gap assessment should be undertaken as soon as possible to compare the requirements of the CPRA against the company’s current capabilities; this would then allow the company to identify priority areas. Readiness activities span enterprise-wide functions and have far-reaching implications for business operations and compliance posture. Depending on their existing level of compliance with the GDPR and / or the CCPA, if any, companies will find that they have more or less work to do.

Strategically, companies should consider how to prepare for CPRA – but also consider that:

There could be further state privacy regulations in the US, and the Washington Privacy Act, for example, is potentially going to be more stringent. Also, the Biden administration may have an appetite to develop federal privacy regulations over the next 3-4 years. This evolving regulatory landscape calls for holistic programs that address requirements overlapping between various regulations, and that facilitate an appropriate firm-wide engagement model.
Technology is also constantly evolving, and companies should plan to consider how to bring automation into the program – in such areas as discovery, anonymization and disposal, as well as rationalization of application estates – to help manage privacy risk going forward.
Companies should align their privacy methodology to their business strategy. Consideration should be given to which industries the company expects to be working in over the next five years, and in what locations, as a company’s privacy requirements may need to be adjusted to meet the expectations of those industries and geographies.
For more information please reach out to Ben Shorten from our Accenture Privacy Practice.