As we recently covered, the CPRA is a ballot measure created by Californians for Consumer Privacy, led by co-founders Celine Mactaggart and Alastair Mactaggart—chief architect of the California Consumer Privacy Act (CCPA)—to amend the CCPA and create new data privacy obligations, including some measures that appeared in a 2018 ballot initiative but did not survive the CCPA’s legislative process.
The CPRA would significantly amend the CCPA. Substantive provisions of the CPRA would become effective on January 1, 2023. Below is a summary of key additions and modifications to the CCPA’s existing obligations:
- In-Scope Businesses (modification)
  - Revises the standard for becoming a CCPA “business”:
    - Bases the “business” determination on the previous year’s activities.
    - Raises one threshold so that it covers for-profit entities that process the personal information of 100,000 or more consumers or households (the other thresholds are unchanged).
    - Requires that entities sharing common control and common branding also share consumers’ personal information in order to be considered the same “business.”
      - “Common branding” means a shared name, servicemark, or trademark such that the “average consumer” would understand the two entities to be commonly owned.
- Service Providers (modification)
  - Clarifies that “service providers” cannot combine personal information collected as a service provider with information received from other businesses or collected in the service provider’s own “business” capacity (subject to exceptions).
- Employee and Business-to-Business Exemptions (modification)
  - Retains the CCPA’s exceptions for personal information collected in the employment and business-to-business contexts and extends their sunset provisions to January 1, 2023.
- Deidentified (modification)
  - Redefines “deidentified” to mean information that “cannot reasonably be used to infer information about, or otherwise be linked to, a particular consumer,” so long as the business takes reasonable measures to ensure that the information cannot be associated with a consumer or household, publicly commits to maintain the information in deidentified form, and contractually requires recipients to comply with these provisions.

Transparency and Data Governance

- Pre-collection Notice (modification)
  - Clarifies that a business that “controls the collection” of a consumer’s personal information must provide the consumer with notice at or before the point of collection.
  - Expands the information that a business must include in the pre-collection notice, to include:
    - The categories of sensitive personal information collected and whether they are sold or shared; and
    - The length of time the business intends to retain each category of personal information, or the criteria that would be used to determine the retention period.
- Storage Limitation (new)
  - Prohibits retaining personal information for longer than is “reasonably necessary” for the specific, disclosed purposes.
- Data Minimization (new)
  - Limits the collection, use, retention, and sharing of personal information to what is “reasonably necessary” to achieve the specified purposes.
- Contracting Requirements (modification)
  - Requires businesses to enter into contracts with all entities to which the business discloses personal information, including:
    - service providers;
    - contractors (a new category of person that receives personal information for specific business purposes); and
    - third parties (entities other than the business, its service providers, or its contractors). Notably, even for sales or disclosures to third parties, the agreement must “specif[y] that the personal information is sold or disclosed by the business only for limited and specified purposes.”
- Reasonable Security Procedures and Practices (new)
  - Requires businesses to implement reasonable security procedures and practices, appropriate to the nature of the personal information, to protect the personal information from unauthorized or illegal access, destruction, use, modification, or disclosure.
- Deletion (modification)
  - Requires businesses, in response to a valid deletion request, to notify service providers and contractors to delete the personal information and to notify all third parties to delete it.
  - Requires service providers and contractors to cooperate in responding to rights requests.
  - Requires service providers and contractors to delete personal information when directed.
- Correction (new)
  - Requires businesses to use commercially reasonable efforts to correct inaccurate personal information in response to a verifiable consumer request.
  - Requires that businesses take into account “the nature of the personal information and the purposes of the processing of the personal information.”
- Right to Know (modification)
  - Expands the period covered by consumer right-to-know requests beyond the 12-month window provided in the CCPA, at the consumer’s request (applicable to personal information collected on or after January 1, 2022).
  - Expands the scope of right-to-know requests to include a business’s sharing and disclosure of the consumer’s personal information.
  - Expands the manner in which specific pieces of personal information must be provided, including that they be in a format “easily understandable to an average consumer” and, if technologically feasible, in a “structured, commonly used, machine readable format.”
- Opt-Out of Sale and Sharing (modification)
  - Requires businesses to give consumers the ability to opt out of the sharing of personal information, in addition to the existing CCPA right to opt out of the sale of personal information.
    - “Sharing” includes transferring personal information to, or making it available to, a third party for cross-context behavioral advertising, regardless of whether consideration is exchanged.
  - Requires that the opt-out link be updated to read “Do Not Sell or Share My Personal Information,” unless the business allows consumers to opt out via an opt-out preference signal sent with the consumer’s consent through a mechanism conforming to specifications to be established by implementing regulations. If a business provides the link, it can be combined with the “Limit the Use of My Sensitive Personal Information” link discussed below, if applicable.
- Limit on Use and Disclosure of Sensitive Personal Information (new)
  - Requires that businesses not use or disclose a consumer’s sensitive personal information for purposes beyond those necessary to provide the goods or services the consumer requested, unless they give consumers the right to limit those additional uses or disclosures (except for certain limited business purposes).
  - Sensitive personal information would capture a wide range of data elements (e.g., identification numbers, financial information, precise geolocation, racial and ethnic origin, the contents of certain communications, and genetic data).
  - Requires that businesses provide consumers with a link (combined with the opt-out link, or separately in a clear and conspicuous manner) reading “Limit the Use of My Sensitive Personal Information,” unless the business allows consumers to opt out via an opt-out preference signal sent with the consumer’s consent through a mechanism conforming to specifications to be established by implementing regulations.
  - The provision of advertising and marketing services and internal research are not business purposes for which a business or service provider can use sensitive personal information without providing consumers the right to limit.
- California Privacy Protection Agency (new)
  - Establishes the “California Privacy Protection Agency” to assume responsibility for promulgating rules and enforcing the CCPA through administrative proceedings.
- Rulemaking Authority (modification)
  - Empowers the Attorney General (and eventually the California Privacy Protection Agency) to issue regulations on a wide range of topics, including:
    - Identifying certain “business purposes” for which service providers may use personal information (on their own behalf);
    - Updating the definitions of “sensitive personal information,” “deidentified,” and “unique identifiers”;
    - Establishing when service providers and contractors can combine personal information from multiple sources; and
    - Defining “specific pieces of information” to minimize delivery of information not helpful to consumers (e.g., log information and technical data).
- Cure Period (modification)
  - Eliminates the 30-day cure period following notice of alleged non-compliance.
- Penalty for Violations Involving Minors (new)
  - Adds a new penalty of $7,500 for violations involving the personal information of consumers whom the business knows to be under 16 years of age.
California’s Secretary of State has until June 25, 2020 to certify that the CPRA ballot initiative has received the valid signatures (623,212) required to appear before California voters in the November 2020 election. Though Californians for Consumer Privacy could still withdraw the ballot initiative until the June 25 deadline, the CPRA text is no longer subject to modification.
If adopted by California voters, new and modified obligations under the CPRA would enter into force on January 1, 2023 and apply to personal information collected by businesses on or after January 1, 2022. Certain technical provisions, such as creation of the California Privacy Protection Agency and the extended exemptions for personal information collected in the business-to-business and employment contexts, would take effect within days after the initiative is adopted.
For more information on administration of California’s elections process, through which the CPRA is currently progressing, please read our previous post.
Authored by Mark Brennan, Bret Cohen, Timothy Tobin and Julian Flamant.