Data Privacy
Nov. 11, 2020
CCPA 2.0: Voters approve more privacy measures
For the past two years, many companies doing business in California have worked overtime to comply with the California Consumer Privacy Act, the most stringent privacy law in the United States. Now, less than a year after the CCPA’s effective date, a new privacy law has passed that (again) places a heavy operational burden on companies doing business with California consumers.
John A. Vogt
Partner
Jones Day
3161 Michelson Dr Ste 800
Irvine , CA 92612
Phone: (949) 851-3939
Fax: (949) 553-7539
Email: javogt@jonesday.com
Notre Dame Law School
John is a member of the firm's Cybersecurity, Privacy and Data Protection Practice.
On Nov. 3, Californians voted in favor of Proposition 24, known as the California Privacy Rights Act. While the CPRA may not have been the most exciting (or controversial) voting issue in 2020, it amends and significantly expands the rights, restrictions and provisions of the CCPA as applied to California residents. So, as many companies hit their stride for CCPA compliance purposes, California just threw them another curveball.
Among other things, the CPRA -- which many dubbed "CCPA 2.0" before it passed, and which becomes effective in January 2023 -- provides consumers with significantly more rights and control over their personal information; imposes increased transparency and compliance obligations on businesses; and expands enforcement and liability for violations. Some of these new obligations include providing consumers the right to correct purportedly inaccurate information maintained by businesses, as well as establishing a new enforcement agency, the California Privacy Protection Agency, known as CalPPA, which will assist with prosecution of compliance actions against businesses. This means businesses will be under even more scrutiny from regulators than under the CCPA, and will be required to expend significantly more resources to comply with consumer requests.
For example, if a business maintains incorrect or outdated information about a consumer, such as an inaccurate address, phone number, or other demographic information, that consumer may now demand that the business correct that information in the business's records (and prove compliance). This is a wholly new requirement never seen in the context of collecting or storing generic personal information, more akin to traditional credit reporting information (think inaccurate credit reports and the Herculean procedures/regulations in place to correct purportedly inaccurate credit information). We take a deeper dive into these and other new requirements and how they will impact a business's operations below.
Sensitive Personal Information Afforded Even More Protection
The CPRA creates a new category of personal information called "sensitive personal information." "Sensitive personal information" under the CPRA includes data elements like a consumer's Social Security Number, driver's license number, passport number, financial account information, account log-in credentials, precise geolocation, as well as race, ethnicity, religion, union membership, personal communications, genetic data, biometric or health information, and information about sex life or sexual orientation.
Although this new term clarifies ambiguities within the term "personal information" under the CCPA, businesses will need to review their data inventory (again) and determine whether they collect and store such sensitive information. Under the CPRA, consumers can limit the use and disclosure of "sensitive personal information" to "that use which is necessary to perform the services or provide the goods reasonably expected by an average consumer who requests such goods or services." Businesses can expect to provide a link on their homepage titled "Limit the Use of My Sensitive Personal Information" to enable consumers to exercise these rights. This is a significant change to a business's use of personal information under the CCPA, and will further limit a business's ability to use such data for marketing or other non-transactional purposes.
Consumer Rights Expanded: Access, Delete (and now) Correct My Information
While the CCPA provides consumers with the right to access and delete personal information, the CPRA takes it to the next level: Consumers will now have the right to request that a business correct their personal information if that information is inaccurate. To comply, businesses will need to create mechanisms to update the information they store on consumers pursuant to a correction request submitted to the company.
The CPRA also expands consumers' opt-out rights by clarifying ambiguities within the CCPA. For example, the CCPA has left businesses grappling with whether the use of third-party cookies, pixels or other "data" collected and transmitted to third parties from business websites for analytics and other purposes constitutes a "sale" under the CCPA. The CPRA addresses this issue head-on and expressly provides California consumers the right to opt out of "sharing" personal information, not just of its sale. "Sharing" is defined as providing information for "cross-context behavioral advertising, whether or not for monetary or other valuable considerations, including transactions between a business and a third party for cross-context behavioral advertising for the benefit of a business in which no money is exchanged." Companies not currently providing opt-out rights for third-party cookies (or relying on a narrow definition of "sale" under the CCPA) will have to adjust their processes to incorporate their use of cookies into their opt-out procedures under the CPRA. Businesses will also need to expand notices made "at or before the point" of collection beyond the minimal requirements found in the CCPA. Businesses will have to review all their notices, including any such notices made to employees, to determine whether they are robust enough to pass muster under the CPRA.
Enforcement and Liability: New Enforcement Agency and Data Breach Provisions
The CPRA also makes significant changes to the enforcement and liability provisions of the CCPA. Most notably, the CPRA creates a new enforcement agency, the CalPPA, to enforce the CPRA. Enforcement authority currently rests with the California Attorney General's office and other state and local authorities. The CalPPA will have the power to levy fines against non-compliant businesses of $2,500 per violation up to $7,500 per intentional violation or violations involving minors. The CalPPA will also have the authority to audit a business's privacy practices and issue regulations requiring annual audits and regular risk assessments for organizations that meet certain thresholds. This is a radical shift giving the State of California significantly more resources to investigate privacy violations than under the CCPA.
Businesses will also see new rounds of regulations. The CPRA initially calls for the California Attorney General to update and amend the CCPA regulations, with final regulations under the CPRA to be adopted by July 1, 2022. Businesses will also face greater liability for data breaches under the CPRA. Under the expanded liability provision, businesses will be liable for breaches for a broader set of data, such as compromise of a consumer's email address in combination with a password or security question and answer that would permit access to the consumer's account. The CPRA also enhances children's privacy rights by tripling the CCPA's fines for collecting and selling information of minors under 16 years of age. Businesses providing services to minors will have heightened risk for fines and compliance obligations on top of those already provided under the federal Children's Online Privacy Protection Act.
Conclusion: A Fast Approaching Compliance Period
The CPRA will go into effect Jan. 1, 2023, giving businesses a two-year runway to modify existing CCPA and privacy compliance programs to comply with the new law. But if our experience from the CCPA is any indicator, those two years will fly by, with many businesses scrambling to comply near the end of that period. It's like déjà vu all over again.