Corporate TIPS: Privacy Law Compliance - Expansion of CCPA Regulations
By Craig S. Horbus & Jarman J. Smith (Law Clerk) on November 19, 2020
By now, many of you are probably familiar with the California Consumer Privacy Act (CCPA), which currently holds the title as the leading authority on consumer data protection in the United States. However, it may be news to you that CCPA’s data compliance regulations were just beefed up substantially through the enactment of the California Privacy Rights Act (CPRA aka “CCPA 2.0”).
What is the CPRA?
Californian voters approved the CPRA on November 3, 2020. The CPRA considerably revamps data privacy law in the United States by including several revisions to the already stringent set of regulations set forth in the CCPA, which may apply to businesses located in and outside of California. The CPRA bolsters requirements set forth in the CCPA by introducing new privacy and data security obligations for covered businesses, including the addition of a right to correction, restrictions on the collection and retention of data, a special category of “sensitive data,” rights relating to automated decision making, security requirement expansion, and the creation of a dedicated privacy authority in the California Privacy Protection Agency (CPPA). These new revisions to California privacy law draw a closer line of comparison between the CCPA and the European Union’s General Data Protection Regulation (GDPR), which is currently the world’s strong-arm of data compliance requirements. Covered businesses have a relatively small window to get up to speed with the new CCPA regulations, as CPRA is set to become effective on January 1, 2023.
What You Need to Know
Most businesses are currently in the process of restructuring their data handling procedures to become compliant with the already complex CCPA requirements. Thus, the idea of becoming familiar with an additional set of regulations may seem like a daunting task. However, with guidance from knowledgeable professionals in the area of privacy law, your organization can adequately prepare for the changes and get one step closer to full data privacy compliance. We’ve outlined some of the key changes brought under the CPRA below:
- Creation of the California Privacy Protection Agency. The CPPA is a new administrative agency that is responsible for enforcing compliance with the CCPA and enacting further regulations. Enforcement was previously handled by the California attorney general who has admitted to having limited resources to enforce the CCPA. The establishment of a dedicated enforcement agency means that enforcement is more likely to be a reality for entities covered under CCPA regulations. The CPPA is required to adopt final regulations under the CPRA by July 1, 2022, and enforcement of CPRA provisions will commence July 1, 2023. This move officially makes California the first U.S. state to establish an enforcement agency that is specifically dedicated to privacy law, but you should expect more states to follow California’s lead in the coming years.
- Limitations of Sharing Consumer Data with Third Parties. Businesses that sell or share sensitive personal information may be required to provide consumers with the ability to limit the use of their data. The CPRA introduces limitations to the “sharing” of sensitive personal information for the purposes of cross-context behavioral advertising. This expands upon the CCPA’s current limitations restricting the ability of businesses to “sell” consumer data. Now, requirements are in place to protect personal information from being shared in general, regardless of whether or not it is done for monetary or other value. Consumers will have the right to opt out from any sharing of their personal information, and businesses cannot share information for consumers under the age of 16 without opt-in consent. Any businesses that share personal consumer data must provide consumers with a clear and conspicuous link allowing the consumers to limit the selling or sharing of their personal information.
- Changes to the Scope of Applicability. The definition of a covered business has been modified in a way that may be helpful to small businesses and start-ups. Under the CPRA, the definition of a covered business has been amended by increasing one of the qualifying criteria from collection, using, or sharing data from 50,000 California consumers to 100,000 California consumers. Although more small businesses are expected to be excluded from CCPA coverage as a result of this change, other businesses that were previously excluded as their activity did not amount to the “sale” of consumer data may now be included due to the new amendments related to “sharing” personal information as previously discussed above. Under the new scope of applicability, the CCPA will now cover organizations that conduct business in California if any of the following conditions apply:
- The business’ annual gross revenues are in excess of $25 million (no change in this condition in comparison to CCPA); or
- The business annually buys, sells, or sharespersonal information of more than 100,000 California residents (as opposed to CCPA’s original scope of 50,000); or
- The business derives over 50% of its revenue from selling or sharingdata belonging to Californian residents.
- Special Categories of Sensitive Personal Information. The CPRA maintains the CCPA’s existing categories of personal information (PI) but adds the new category of “sensitive personal information” (Sensitive PI). Consumers will now have increased rights when Sensitive PI is involved. Privacy notices must identify categories of Sensitive PI collected, the purpose for the data collection or usage, and whether the information is sold or shared with third parties. This new category of Sensitive PI includes Social Security and other government/state issued identification numbers; account log-in information, debit and credit card numbers, and any associated security or access codes; precise geolocations; information pertaining to race, ethnicity, and religious beliefs; contents of mail, email, and text messages; genetic and biometric information; consumer health information; and sexual orientation. Consumers have the right to restrict the use of their Sensitive PI to that which is necessary to provide them with goods and services.
- Limitations on Processing and Retention of Personal Information. The CPRA requires data collection, use, retention, and sharing to be reasonably necessary and proportionate to achieve the purposes for which the personal information was collected or processed. Consumers must be notified of the length of time a business intends to retain each category of personal information or the criteria that will be used to determine such period. Businesses will be strictly prohibited from retaining personal consumer data for longer than reasonably necessary.
- Increased Security Requirements. The CPRA requires reasonable security measures to be implemented which must protect all personal information. This is an expansion upon the current requirements, which are limited only to the protection of certain categories of information. The CPPA will issue regulations for certain categories of businesses whose processing presents a significant risk to consumer privacy or security. Such businesses will be required to perform annual security audits and submit regular risk assessments to the agency.
- Limitations and Contractual Requirements for Service Providers and Contractors.The CPRA increases limitations on the use of personal information by service providers and contractors. Service providers and contractors will now be required to cooperate in responding to verified requests from data subjects, and they will also be required to notify their own service providers and contractors to delete personal information upon receipt of a data subject request. Those who engage their own service providers or contractors will also be required to have written agreements in place that comply with all CCPA and CPRA requirements.
- Right to Correct Inaccurate Information and Private Right of Action. Businesses must provide consumers with two or more methods for submitting requests to correct inaccurate personal information. Additionally, the consumers’ private right of action is expanded to include a cause of action for a breach of an email address alongside its respective password, or security question and answer. The CPRA also clarifies that the implementation and maintenance of security procedures after a breach does not constitute a cure.
- Exemption Extensions for B2B and Employee Data. Effective immediately, the current exemption for all business-to-business data and the partial exemption for employee data will be extended until January 1, 2023. However, covered employers are still required to provide applicants, employees, and contractors with an initial disclosure, identifying the categories of personal information collected and the purposes for which the categories of personal information shall be used. It’s important to note that employees may also have a right to statutory damages in the event of a data breach caused by a failure to implement reasonable security measures.
- Additional Regulations to Come. The CPPA is charged with issuing additional regulations. Regulations that businesses should anticipate include rules regarding the governance of access and opt-out rights with respect to the use of automated decision-making technology. These regulations will allow consumers to gain a better understating of how their personal information is used for “profiling,” and will require responses to access requests to include meaningful information about the logic involved in automated decision-making processes and a description of the likely outcome. These regulations could significantly affect how artificial intelligence can be used with respect to consumer data.
Generally, the CPRA builds upon the existing framework of the CCPA—expands consumer privacy rights, imposes additional obligations on businesses, and establishes the nation’s first agency dedicated to privacy regulation and enforcement. However, until the CPRA becomes effective in 2023, the current language of the CCPA will remain fully in effect. Yet, with respect to privacy law enforcement, earlier steps in preparation will make compliance easier.
What Your Organization Should Do Now
Regulations to further develop CPRA are expected into July 2022. While this means that there is still time for the CPRA to be revised, any changes would most likely only make the compliance requirements more stringent. Therefore, your organization should remain vigilant about updates and changes to all applicable privacy laws, as not to fall behind the curve in developing and implementing an effective compliance plan. You should begin taking the steps necessary to become compliant with the new CPRA regulations as soon as possible by familiarizing yourself with its provisions and seeking advice from privacy law professionals. Preparing for the new obligations brought forth by CPRA may require significant adjustments to existing procedures and contracts, but you are not alone on this journey towards complete data compliance.
How Brouse Can HelpThe California Privacy Rights Act is a prime example of the rapidly evolving data security landscape. However, there is a clear trend towards increased privacy obligations for businesses all around the globe. Brouse McDowell’s Cybersecurity and Data Privacy Practice Group can provide the guidance and tools you need to navigate data security and privacy law compliance. Along with providing insight to your business regarding CCPA compliance requirements, we also provide proactive solutions for companies to defend against cyber-attacks and general guidance through the complexities of all data privacy laws and regulations. Our team offers a variety of data privacy and cybersecurity services, including pre-breach and cybersecurity planning, cybersecurity and data privacy transactional services, data regulatory compliance services, breach response and disclosure obligation services, cyber liability insurance review, and any related litigation issues regarding cybersecurity and data breaches (investigation, defense, insurance recovery and response). Please contact us for more information and to learn how we can partner with you.