On November 3, 2020, California voters, by majority vote, passed ballot Proposition 24 also known as the California Privacy Rights Act of 2020 (CPRA).
The CPRA primarily expands the state’s consumer data privacy law. Among other changes, it allows consumers to direct businesses not to sell or share their personal information, removes the cure period in which businesses could fix violations before being penalized, and creates the California Privacy Protection Agency to enforce the state’s data privacy laws.
On the heels of enacting the California Consumer Privacy Act (CCPA), Proposition 24 was introduced to overcome limitations in the CCPA and further establish an enforcement arm to defend consumer privacy rights and hold businesses accountable for the privacy rights of California consumers. The law will go into effect on January 1, 2023. However, the CPRA’s requirements will apply to personal information collected on or after January 1, 2022.
The CPRA, in conjunction with the CCPA, will put data privacy requirements much closer to the European Union’s General Data Protection Regulation (GDPR) and will be the strongest privacy law in the US.
A Brief History of the Bill
Advertisers have long used consumers’ data beyond its stated purpose and without an adequate level of transparency or accountability. The way these companies handle consumer data has raised fundamental questions about data privacy and ethics. In 2018, data privacy concerns became a focal point after the Facebook-Cambridge Analytica incident, in which the data of tens of millions of Facebook users was harvested and used without their consent. Around the same time, Alastair Mactaggart, a California real estate developer and privacy advocate, drafted the ballot initiative that led the legislature to pass the CCPA. The CCPA was signed into law in June 2018 and went into effect on January 1, 2020. While the CCPA does not address every emerging consumer privacy concern, it gives consumers a means to learn what data an organization collects about them, to decide whether the company may keep or sell that data, and to take action over data breaches or violations.
Alastair Mactaggart then took the CCPA a step further by sponsoring the CPRA to address key gaps in that law: restricting companies from selling or sharing certain categories of personal information, imposing stiffer penalties for violations involving children’s data, establishing an enforcement agency to protect consumer privacy rights, and, by incorporating and amending the text of the original CCPA, protecting the law from being weakened by later legislation.
A Few Important Provisions
The Entity Coverage for CPRA has Changed
The applicability thresholds for organizations that must comply have been adjusted from those established in the CCPA. The law applies to any for-profit business that does business in California, collects consumers’ personal information and/or determines the purposes and means of processing that information, and meets at least one of the following thresholds:
- Annual gross revenue of more than $25 million
- Buys, sells or shares the personal information of 100,000 or more consumers or households each year
- Derives 50% or more of its annual revenue from selling or sharing consumers’ personal information
Impact to affected business: The key change from the CCPA is the second threshold, which rises from 50,000 to 100,000 consumers or households; this will take some small- and medium-sized businesses out of scope. The CCPA thresholds continue to apply until the CPRA takes effect on January 1, 2023.
New and Expanded Consumer Rights
- Right to correction: The CPRA gives California residents the right to have a business correct inaccurate personal information it holds about them.
- Right to opt out of sharing: The CPRA lets consumers opt out of the sharing of their personal information, not only its sale. The CCPA defined a sale as a disclosure for monetary or other valuable consideration and let consumers opt out of sales only; this shifted power to consumers by letting them stop a company from selling their data to third parties, but it did not restrict sharing. The CPRA adds “sharing”, meaning disclosure of personal information to a third party for cross-context behavioral advertising, whether or not anything of value is exchanged.
- Right to limit use of sensitive personal information: The law creates a new category, “sensitive personal information”, and lets consumers direct a business to limit its use and disclosure of that information to what is necessary to provide the goods or services they requested. Under the CPRA, sensitive personal information includes a consumer’s Social Security, driver’s license, state identification card or passport number; account log-in or financial account details in combination with any required access code or password; precise geolocation; racial or ethnic origin, religious or philosophical beliefs, or union membership; the contents of mail, email and text messages where the business is not the intended recipient; genetic data; biometric information processed to uniquely identify a consumer; health data; and sex life or sexual orientation.
- Automated decision-making and profiling: The CPRA directs the new agency to issue regulations giving consumers access and opt-out rights over a business’s use of automated decision-making technology, including profiling, meaning inferences drawn from personal information that reflect a consumer’s preferences, characteristics, psychological trends, predispositions, behavior, attitudes, intelligence, abilities or aptitudes. Those regulations are to require businesses to provide meaningful information about the logic involved in such decision-making.
- Right to data portability: The law refines the right to data portability outlined in the CCPA. A consumer may request their data in an easily understandable format and, to the extent technically feasible, in a structured, commonly used, machine-readable format that can be transmitted to another entity at the consumer’s request without hindrance.
An important point to note is that while the CCPA exempted employee and business-to-business personal information until January 2021, the CPRA extends both exemptions until January 1, 2023.
Impact to affected business: Companies that have already updated their processes to honor CCPA rights will need to study the CPRA’s new and expanded consumer rights and update those processes to accommodate them.
Companies using AI or machine learning for automated decision-making will need to assess carefully the impact of drawing inferences from personal data. They should also prepare to give a meaningful, plain-language explanation of the logic behind their automated decision-making technology.
Children’s Personal Information
The CPRA places more emphasis on minors’ data than the CCPA. It triples the fine for violations involving the sale or sharing of children’s data (up to $7,500 per violation rather than $2,500). The country has seen continued violations of children’s privacy in recent years, including the record $170 million COPPA settlement paid by Google and YouTube in 2019.
Impact to affected business: Companies collecting children’s data should assess the nuances of the regulation’s requirements. A minor’s personal information may be sold or shared only with the consent of a parent or guardian for children under 13, or with the child’s own affirmative opt-in consent for those at least 13 and under 16. The key difference between the CCPA and the CPRA on minors’ data is that the CCPA focuses on selling, while the CPRA also covers sharing and disclosure.
Contracts with Service Providers, Contractors and Third Parties
A business that sells or shares personal information with a third party, or discloses it to a service provider or contractor, must have a written agreement with that party covering data processing terms such as purpose limitation, breach notification and remediation obligations. Compared with the CCPA, the law provides clearer definitions and places direct obligations on service providers and contractors. In addition to the service provider definition carried over from the CCPA, the CPRA defines a contractor as a person to whom the business makes a consumer’s personal information available for a business purpose under a written contract.
Impact to affected business: Beyond requiring a contract between the business and the service provider, contractor or third party, the CPRA mandates that the contract:
- Requires the recipient to cooperate with and assist the business in responding to consumer rights requests, including providing the relevant personal information.
- Grants the business the right to take reasonable and appropriate steps to ensure that the third party, service provider or contractor uses the transferred personal information in a manner consistent with the business’s obligations and the stated purpose of collection.
- Specifies that the personal information is sold or shared only for the limited and specified purposes disclosed to consumers.
For contractors specifically, the contract must prohibit:
- Selling or sharing the personal information.
- Retaining, using or disclosing the personal information for any purpose other than the business purpose specified in the contract.
- Engaging another person to assist in processing the personal information without notifying the business; any such engagement must be under a written contract that binds the subcontractor to the same obligations.
Violations and Enforcement Agency
The law establishes an enforcement authority, the California Privacy Protection Agency (CPPA), to protect consumer rights. The agency assumes the rulemaking role currently held by the Attorney General’s office and gains administrative enforcement authority alongside the Attorney General’s civil enforcement power, with the objective of giving consumers transparency and greater control over their personal information. It has the power to investigate violations, hold businesses accountable and impose administrative fines for noncompliance.
The CCPA of 2018 gave businesses 30 days after notice to cure a violation before being fined. The CPRA eliminates that 30-day cure period for administrative enforcement and adopts the following penalties:
- Up to $2,500 for each violation
- Up to $7,500 for each intentional violation or each violation involving the personal information of a consumer under the age of 16
- In a private action following a data breach, up to $750 per consumer per incident or actual damages, whichever is greater
Impact to affected business: Businesses subject to the CPRA should recognize that the agency’s sole focus will be enforcing the state’s privacy laws.
In the coming weeks, a five-member board will be appointed to govern the agency and to interpret and enforce the law. The board will work through the 52-page bill to set out the practical details of the legislation in regulations.
Because the approved Proposition 24 may still be amended before it takes effect, organizations should monitor updates to ensure appropriate compliance measures are implemented.
Protiviti has partnered with clients across industries to stand up strategic data privacy programs and governance structures, implement supporting technology, and operationalize privacy processes that meet regulatory expectations. In that spirit, we will continue to monitor changes to the CPRA and support companies on their compliance journey.
Paul Laurent, Associate Director – Security and Privacy, also contributed to this post.