California voters passed the California Privacy Rights Act at the ballot box in November, which will impose stricter data privacy obligations on companies doing business in the state when most of its provisions take effect on January 1, 2023.
The law builds on the protections established in the California Consumer Privacy Act, adding new rights for consumers and bringing the state’s data privacy regime more in line with what activists had hoped to achieve with a proposed ballot initiative in 2018. The California legislature ended up passing the CCPA as a compromise bill, and the law went into effect this year.
“When you look at the CPRA itself, it’s an amendment to drastically amend the CCPA,” said Greg Szewczyk of Ballard Spahr. “So it’s not a brand new framework. It works within the CCPA framework. It just creates several new rights, and it goes further in other areas.”
The CCPA gave California residents the right to know what personal data companies collect about them and to request that the data be disclosed to them, deleted, and not sold.
Under the CPRA, consumers will have the right to correct inaccurate personal data companies hold about them. The CPRA also extends the period covered by right-to-access requests beyond the CCPA’s 12-month lookback: for personal information collected on or after January 1, 2022, a business must provide the data regardless of when it was collected, unless doing so proves impossible or would involve disproportionate effort.
The CPRA allows consumers to not only opt out of selling personal information but to opt out of “sharing” it. According to Davis Graham & Stubbs attorney Camila Tobón, sharing is narrowly defined as the disclosure of personal information for purposes of behavioral advertising. “They’ve basically made clear that transfer of information for tracking individuals across websites for behavioral advertising is something that you need to honor the right to opt out of if a customer wishes,” she said.
One of the biggest changes in the CPRA is the creation of a new category of personal information called “sensitive personal information.” The category includes government identifiers such as Social Security numbers or driver’s license information, precise geolocation, account and log-in credentials and financial information. It also covers information about a consumer’s race and ethnicity, religion, trade union membership, health and genetic data and sexual orientation.
Consumers will have the right to limit a company’s use or disclosure of sensitive personal information to what is necessary to provide the goods and services requested. For example, Szewczyk said, if a business is collecting a customer’s financial information to sell them a pair of skis, the company can only use that data to complete the ski transaction. Likewise, if a company collects data on a consumer’s religious or political affiliation, Tobón said, it cannot later use that information to create a profile for marketing other goods or services.
The CPRA will create a new agency, the California Privacy Protection Agency, to enforce the law. Previously, the California Attorney General’s Office had been tasked with enforcement but, Szewczyk said, “the attorney general’s office was fully employed before the CCPA came into existence, so you always have that issue of limited resources when you’re adding another task to an existing department’s plate.” He said he expects more aggressive enforcement once the new agency is up and running. The agency will begin enforcement in July 2023.
The new enforcement agency will also be responsible for rulemaking related to the CPRA, and final regulations must be adopted by July 1, 2022. Some of the issues to be addressed by the new rules include requirements for risk assessments and cybersecurity audits for businesses engaged in high-risk data processing as well as access and opt-out rights for automated decision-making and profiling.
Tobón said the California AG has made the CCPA and data privacy a priority. Around the time of the CCPA enforcement deadline in July, she said, the office sent letters to corporations identifying deficiencies in their practices, and it has even been reviewing Twitter and other online forums to see what consumers have been saying about companies and identify complaints.
To avoid becoming a target for complaints, Tobón said, companies will want to prioritize consumer rights and their response to data-related requests, which could include having a web form or toll-free number with trained staff who can handle questions about consumer data.
To prepare for the CPRA’s implementation, Szewczyk recommended businesses start doing thorough data inventories and mapping so they know what data they have, where it is and where the information flows. “They should also be making sure that they are doing a good job of data classification and maybe working the CPRA’s definitions into their data classification schemes if they have not already,” he said.
Szewczyk added now is a good time for businesses to apply data minimization principles and ask themselves why they have the data they have and whether they really need to hang on to it.
“Which is ultimately the goal of some of these privacy laws — to drive companies to not take in more than what they need and not for longer than they need,” he said. “Because if you don’t have it, you can’t use it or lose it.”
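The data inventory, classification and minimization steps the attorneys describe, together with the sensitive-personal-information categories and the purpose-limitation and sharing opt-out rights covered earlier, can be turned into a concrete check against a data map. The following is an added example, not code from the article or from either law firm: it works the article’s sensitive-data categories into a classification scheme and audits a constructed data map for sensitive fields used outside their collection purpose, disclosures for behavioral advertising after an opt-out, data held past its retention period, and fields missing from the scheme. All field names, systems, purposes, dates and retention periods are constructed assumptions, as is the ski-shop sample.

```python
"""Data-map audit applying the CPRA categories described in the article.

Added example, not from the article or any real deployment. Field names,
systems, purposes, dates and retention periods are constructed.
"""
from dataclasses import dataclass, field
from datetime import date, timedelta

# Classification scheme. The "sensitive:" entries follow the article's list of
# sensitive personal information; the field names are assumptions.
CLASSIFICATION = {
    "email": "personal information",
    "shipping_address": "personal information",
    "ssn": "sensitive: government identifier",
    "drivers_license": "sensitive: government identifier",
    "gps_point": "sensitive: precise geolocation",
    "password_hash": "sensitive: account credentials",
    "card_number": "sensitive: financial information",
    "ethnicity": "sensitive: race or ethnicity",
    "religion": "sensitive: religion",
    "union_member": "sensitive: trade union membership",
    "diagnosis": "sensitive: health data",
    "orientation": "sensitive: sexual orientation",
}

# The disclosure purpose the article says the "sharing" opt-out covers.
BEHAVIORAL_ADVERTISING = "behavioral advertising"


@dataclass
class DataAsset:
    """One row of a data map: what is held, where, why, and for how long."""
    field_name: str
    system: str
    collected_for: str                                   # purpose stated at collection
    used_for: set = field(default_factory=set)           # purposes observed in practice
    disclosed_to: dict = field(default_factory=dict)     # recipient -> purpose of disclosure
    collected_on: date = date(2022, 1, 1)
    retention_days: int = 365


@dataclass
class ConsumerChoices:
    """Rights a consumer has exercised against this business."""
    opted_out_of_sharing: bool = False
    limited_sensitive_use: bool = False


def is_sensitive(field_name: str) -> bool:
    """True if the classification scheme marks the field as sensitive PI."""
    return CLASSIFICATION.get(field_name, "").startswith("sensitive")


def audit(assets, choices, today):
    """Return (check, field, system, detail) findings for a data map."""
    findings = []
    for a in assets:
        # Classification gap: a field the scheme does not know about.
        if a.field_name not in CLASSIFICATION:
            findings.append(("unclassified", a.field_name, a.system,
                             "field missing from classification scheme"))
        # Right to limit: sensitive data used beyond its collection purpose.
        if is_sensitive(a.field_name) and choices.limited_sensitive_use:
            for purpose in sorted(a.used_for - {a.collected_for}):
                findings.append(("purpose_limitation", a.field_name, a.system,
                                 f"used for {purpose!r}, collected for {a.collected_for!r}"))
        # Sharing opt-out: disclosures for behavioral advertising must stop.
        if choices.opted_out_of_sharing:
            for recipient, purpose in a.disclosed_to.items():
                if purpose == BEHAVIORAL_ADVERTISING:
                    findings.append(("sharing_opt_out", a.field_name, a.system,
                                     f"still disclosed to {recipient}"))
        # Minimization: data held past its declared retention period.
        if today > a.collected_on + timedelta(days=a.retention_days):
            findings.append(("retention", a.field_name, a.system,
                             f"exceeded {a.retention_days}-day retention"))
    return findings


# Constructed sample data map for the ski-shop scenario in the article.
SAMPLE_ASSETS = [
    DataAsset("card_number", "orders-db", "purchase",
              used_for={"purchase", "marketing"},
              collected_on=date(2022, 3, 1), retention_days=90),
    DataAsset("religion", "crm", "survey",
              used_for={"survey", "marketing"},
              collected_on=date(2022, 6, 1)),
    DataAsset("email", "crm", "purchase", used_for={"purchase"},
              disclosed_to={"ad-network": BEHAVIORAL_ADVERTISING},
              collected_on=date(2022, 6, 1)),
    DataAsset("loyalty_tier", "crm", "loyalty", used_for={"loyalty"},
              collected_on=date(2022, 6, 1)),
]

if __name__ == "__main__":
    for finding in audit(SAMPLE_ASSETS, ConsumerChoices(True, True), date(2023, 1, 1)):
        print(*finding, sep=" | ")
```

Run against the sample with both rights exercised, the audit flags the card number and the religion field for marketing use outside their collection purpose, the email address for a behavioral-advertising disclosure that must stop after the sharing opt-out, the card number for exceeding its 90-day retention period, and the loyalty tier as unclassified. The retention and classification findings apply regardless of what the consumer has requested, which is why the inventory and classification work belongs ahead of the compliance date rather than after the first request arrives.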