Update: please note that the California Privacy Rights Act was approved on November 3, 2020.
The CCPA: California Consumer Privacy Act (“CCPA”) is landmark privacy legislation in the United States. The law provides a variety of consumer rights to Californians, allowing individuals to expand their control over their personally identifiable information (“PII”). At a minimum, the CCPA is a step towards the European Union’s General Data Protection Regulation (“GDPR”), perhaps the most comprehensive privacy law to date.
Although the CCPA has been passed and has been enforced since July 1st, 2020, the privacy law landscape, at least with respect to the state of California, remains very much unsettled. That is because the political nonprofit Californians for Consumer Privacy – a group largely responsible for creating the CCPA – has collected approximately 900,000 signatures (675,000 is the required amount) from Californians to place the “California Privacy Rights Act” (“CPRA”) on the November 2020 ballot (For the record, I am a proponent of the pronunciation “sipra”). Assuming those signatures are legitimate, the CPRA would be placed on the November 2020 ballot for Californians to either accept or reject the measure.
This article will provide a general overview of the key provisions of the CPRA, including key differences with the CCPA. To that end, the following topics will be discussed:
- Enforcement and penalties for the misuse of minors’ data
- Updated consumer privacy rights
- Other notable CPRA provisions
Enforcement and penalties for the misuse of minors’ data
One of the more notable provisions of the CPRA pertains to enforcement and penalties for noncompliance under the law. With respect to enforcement, the CRPA would establish the “California Privacy Protection Agency,” a governmental agency that would be responsible for the implementation and enforcement of the CRPA. The hierarchy of the agency would comprise a five-member board, including the Chair of the agency. Each member would possess “expertise in the areas of privacy, technology, and consumer rights.” With respect to appointing the members, the Governor would have the right to select both the Chair and one member, with the state Attorney General, Senate Rules Committee, and the Speaker of the Assembly each having the right to select one board member respectively.
A notable change in comparison with the CCPA is the CPRA’s specification of fines for violations involving minor consumers under the age of 16. While each intentional violation of the CCPA may be penalized by up to $7,500, the CPRA provides that violations involving the PII of minors, intentional or unintentional, may also result in fines up to $7,500.
Updated consumer privacy rights
The CPRA includes a number of additional privacy controls for Californians, including the following:
- Consumers’ right to correct inaccurate personal information
- Consumers’ right to limit the use and disclosure of sensitive personal information
- Expanded private right of action for breaches involving email accounts
The right to correct inaccurate personal information can be found in Section 1798.106 of the CPRA. That provision specifies that “a consumer shall have the right to request a business that maintains inaccurate personal information about the consumer correct such inaccurate personal information, taking into account the nature of the personal information and the purposes of the processing of the personal information.” Similarly to deletion and disclosure requests under the CCPA, consumers must submit verifiable requests to the business to initiate the correction process. Notably, the GDPR contains a similar right known as the “right to rectification.”
Section 1798.121 specifies the consumer’s right to limit the use and disclosure of “sensitive personal information.” Businesses, similarly to the “Do Not Sell My Personal Information” link required by the CCPA, must, under certain circumstances, furnish a link to a “Limit the Use of My Sensitive Personal Information” webpage. The CPRA defines “sensitive personal information” as personal information that reveals any of the following:
- A consumer’s social security, driver’s license, state identification card, or passport number
- A consumer’s account log-in, financial account, debit card, or credit card number, in combination with any credential allowing access to the account
- Geolocation data
- The racial or ethnic origin of the consumer
- The religious or philosophical beliefs of the consumer
- Union membership
- Genetic data
- The contents of the consumer’s mail, email and texts, unless the business is the intended recipient of the communication
Other categories of information that fall under the definition include biometric information used to identify the consumer, personal information regarding the consumer’s health, and information pertaining to the consumer’s sex life or sexual orientation. Should a business collect sensitive personal information, a consumer has the right to direct the business to limit the use of the data to that necessary to render the goods or services “reasonably expected by an average consumer.” However, the provision expressly exempts sensitive information that is not collected for the purpose of “inferring characteristics about the consumer.”
Lastly, the CPRA expands the ability of consumers to file lawsuits against businesses. In addition to the unauthorized access and exfiltration, theft, or disclosure of a consumer’s nonencypted and nonredacted personal information, breaches involving a consumer’s email address in combination with a password or security question and answer are grounds for a private right of action under the CPRA.
Other notable CPRA provisions
Additional CPRA provisions of note include the following:
- Clarifying the definition of a covered “business” under the CCPA to include entities that, as of January 1st of the calendar year, had annual gross revenue in excess of $25,000,000 in the preceding calendar year, alone or in combination annually buys, sells, or shares the personal information of 100,000 or more consumers or households (originally 50,000 in the CCPA). Or, derives 50% or more of annual revenue from selling or sharing the personal information of California consumers. The personal information collected from “devices” is omitted from the definition of a “business” under the CPRA.
- Distinguishing between “sharing” and “selling” consumer data. In addition to having the ability to opt-out of the sale of their personal information, consumers also have the ability to opt-out of the sharing of their personal information. “Sharing” is defined as:
- “Sharing, renting, releasing, disclosing, disseminating, making available, transferring . . . a consumer’s personal information for cross-context behavioral advertising, whether or not for monetary or other valuable consideration, including transactions between a business and a third party for cross-context behavioral advertising for the benefit of a business in which no money is exchanged.”
- Extension of delaying the law’s coverage of both employee data and business-to-business data until January 1st, 2023.