Guest Blog Post
The California Consumer Privacy Act is considered to be one of the most stringent privacy laws in the country. It affords enhanced protection and control to consumers over personal information that businesses collect. Proposition 24, the California ballot proposition that was passed during the state’s general elections held November 3, 2020, creates the California Privacy Rights Act (CPRA), which goes into effect on Jan 1, 2023. This act expands, clarifies and significantly amends provisions of the landmark California Consumer Privacy Act (CCPA).
Compare and Contrast with Other Laws, the CCPA and Europe’s GDPR
The CPRA addresses several loopholes under the CCPA and gives consumers improved means to opt-out from having their personal data collected or processed. Under the CCPA, personal information is defined as information that identifies and relates to or could reasonably be linked with the household; for example: name, social security number, email address, records of products purchased, Internet browsing history, geographic data, and fingerprints. The CPRA introduces a new category of “sensitive personal information” which includes demographic information such as a consumer’s racial or ethnic origin, religious or philosophical belief, financial information, sexual orientation, health, genetic, precise geolocation information and biometric data.
The CPRA follows some of the basic general principles of the European Union’s General Data Protection Regulation (GDPR), which also limits consumer data collection and storage. For example, like the GDPR, the CPRA requires that a business’s collection, use, retention and sharing of consumer information be reasonably necessary and proportionate to the purposes of the data collection. Thus, if a retail store collects a consumer’s name and contact information in connection with the consumer’s purchase of an umbrella, the consumer would not expect that data to be sold by the retailer to a car insurance broker, and have the data be used to solicit auto insurance to the consumer.
Section 3 of the Act talks about the responsibilities of a business. Businesses should specifically and clearly inform consumers about how they collect and use personal information and how they can exercise their rights and choice. Businesses should only collect consumers’ personal information for specific, explicit and legitimate disclosed purposes and should not further collect, use, or disclose consumers’ personal information for reasons incompatible with those purposes as discussed above. The businesses also need to make additional disclosures about the length of time the information will be retained. However, a business should not retain a consumer’s personal information or sensitive personal information for longer than is reasonably necessary for that disclosed purpose.
To be categorized as a covered business under the CPRA, the business must be operating in California and one of the following criteria must be met:
- As of January 1, the business must have an annual gross revenue of over $25 million from the preceding calendar year.
- The business must collect, transfer or sell personal information of at least 100,000 California consumers or households or
- Derive fifty percent of its annual revenue from selling or dissemination of consumer data.
The removal of the term ‘for commercial purposes’ is a notable change which implies that such data use need not be profitable purpose for the law to apply to such businesses.
The CPRA further expands the rights of the consumers; for example, it adds the right to correct, the right to opt-out of automated decision making and the right to restrict the use of personal information.
The new law expands the rights of consumers to opt-out of both the sale and sharing of personal information—A business that sells consumers’ personal information to or shares it with third parties shall provide notice to consumers that this information may be sold or shared and that consumers have the right to opt-out of such sale or sharing. Sharing personal information is aimed at targeted behavioral advertising which refers to the disclosure, making available by communicating orally or in writing a consumer’s personal information by a business to a third-party and it need not involve a sale of such information. The CPRA defines cross-context behavioral advertising as the targeting of advertising to a consumer based on the consumer’s personal information obtained from the consumer’s activity across businesses, distinctly-branded websites, applications or services with which the consumer intentionally interacts. The businesses will need to honor the individual requests of opting-out of the sale or sharing of such information. Further, a business cannot sell or share the personal information of consumers if the business has actual knowledge that the consumer is less than 16 years of age unless there has been affirmative authorization to do so. A business that willfully disregards the consumer’s age shall be deemed to have had actual knowledge of the consumer’s age.
Consumers also have a right of no retaliation following the exercise of the opt-out provision. While a business may not discriminate against a consumer because the consumer exercised the opt-out provision or any of the other rights by denying goods or services, charging different rates; a business may do so if the difference is reasonably related to the value provided to the business by the consumer’s data.
Further, the consumers have the right to correction of personal information wherein a consumer may request a business to correct his or her personal information if it is inaccurate. Covered businesses must make “commercially reasonable efforts” to correct any inaccurate personal information as directed by the consumer.
A consumer may also request a business to delete and restrict the use of their personal information. The consumer may exercise the right to delete if the business collected the information from the consumer and it is no longer necessary for the business to fulfill the purpose, as discussed above. The organizations must inform consumers of the fact that the consumer has a right to request that information be deleted. Businesses that receive a request to delete are also required to notify third parties who bought or received the consumers personal information to delete that information.
CPRA modifies the data portability right wherein consumers can request that their data be available to them in standard non-proprietary format that is easily accessible to the ordinary consumer.
To ensure that the new rules are implemented, the ballot measure creates a state agency: The Consumer Privacy Protection Agency. This agency will act as an independent watchdog to protect consumers and is governed by a five-member board. The agency’s sole obligation is to enforce the CCPA and the CPRA.
To be in compliance with the new law, businesses should think of a new compliance and business strategy. Some steps that could help businesses would be implementation of a more robust system of data mapping tools. The CPRA provides more clarity on what the terms “selling” and “sharing” of personal information means and therefore businesses need to be more careful about what they are sharing. Further, measures to identify the purpose of collecting personal information, how the business uses and discloses such information, auditing the data flow between third party vendors are all steps that will prove to be helpful.
The full text of the CPRA can be found here.
This post is written by Amrita, a graduate of Santa Clara University School of Law. Her credentials include a Master’s in Human Rights and a Bachelor’s in Political Science. Her experience ranges from working with start-ups to large companies doing tech-transactions: contracts, intellectual property, licensing and compliance. She can be reached at firstname.lastname@example.org.
This article is intended for general informational purposes only and does not provide any specific legal advice.
Read this post for our earlier Guest Blog legal analysis on consumer privacy rights.