CCPAThe California Privacy Rights Act: The Who, What, Where, When, and How of the “CCPA 2.0

The California Privacy Rights Act: The Who, What, Where, When, and How of the “CCPA 2.0

While most business are still waiting on final regulations for the California Consumer Privacy Act (“CCPA”), which are likely to be delayed, and Attorney General enforcement on July 1 of this year, the same group behind the CCPA has proposed a new ballot initiative, the California Privacy Rights Act of 2020 (“CPRA”), dubbed “CCPA 2.0.” That group announced last week that it had gained enough signatures for the CPRA to be considered by California consumers on November 2020 ballot, where the initiative is believed to have a high chance of being passed.  

As described below, businesses suffering fatigue from implementing the CCPA may have to make further changes to their practices and updates to their privacy policies to address the CPRA.  

Who: Californians For Consumer Privacy, the consumer privacy organization that successfully initiated the “Consumer Right To Privacy Act” ballot initiative in California in 2018, which was then withdrawn in a compromise to allow the California State Legislature to pass the CCPA. The CCPA is effective as of January 1, 2020, with final regulations from the Office of the Attorney General expected immediately.  

What: The California Consumer Privacy Act, a ballot initiative by Californians For Consumer Privacy that seeks to significantly expand and amend the CCPA, with a one-year look back to January 2022.

Where: While the CCPA was passed in California, it purports to apply to all businesses with annual revenue of over $25 million which “do business in California,” where this threshold has been interpreted broadly to include business which collect and process California consumer personal information including, for example, by e-commerce sales or IP address (in connection with other data points), among other thresholds.  

While the CPRA has basically the same applicability thresholds of the CCPA, it does double the 50,000 data threshold in one provision of the CCPA applicability section, applying now to businesses with under $25 million in annual revenue that “alone or in combination, buys or sells or shares the personal information of 100,000 or more [California] consumers or households.”

When: If the CPRA initiative passes sampling, it will be on the ballot before California voters this November. As written, the CPRAhas a January 2023 effective date, with a one year look-back to January 2022. 

How: The CPRA creates additional privacy rights and obligations pertaining to certain category of personal information – sensitive personal information. Specifically, the CPRA proposes the following changes to the CCPA:

Sensitive Personal Information: The CPRA imposes limits on businesses’ use of “sensitive personal information,” a newly defined category of personal information that includes things like social security number, driver’s license, passport number, sexual orientation, biometric, health and financial information, and precise geolocation. The definition of “sensitive” PI under the CPRA is broader than the definition of sensitive categories of data under the European GDPR but the CPRA does not prohibit collection of this information altogether. Rather, the CPRA gives consumers additional rights to limit the processing and use of their sensitive data to specified purposes.

Data Correction: The CPRA gives consumers the right to request and require businesses to correct inaccurate personal information. These requirements are subject to reasonableness standards, require authentication, and there are specified exemptions. Service providers and contractors are required to assist businesses in complying with these requirements.

Expanded Breach Liability: By adding 21 words, the CPRA seeks to expand the data breach liability created by the CCPA. In addition to the private right of action for breaches of nonencrypted, nonredacted personal information under the CCPA, the CPRA would add a private right of action for unauthorized access or disclosure of an email address and password or security question that would permit access to an account if the business failed to maintain reasonable security. This is an important change, given the high frequency of data breaches and incidents, and the inclusion of email addresses and related information in those breaches.  

Automated Decision Making: Automated decision making is a hot topic, stemming in part from the GDPR’s requirements around these types of actions. The CPRA attempts to address automated decision by regulating it as “profiling” and providing new rights of access and opt-outs.  

Specifically, the CPRA defines “profiling” as the automated processing of personal information to evaluate personal aspects of an individual and to make predictions concerning that individual’s performance at work, economic situation, health, preferences, interests, reliability, behavior, location or movements. The Act then requires promulgation of regulations to provide consumers with access and opt‐out rights for the profiling, including requiring businesses to disclose to them the logic and algorithmic underlying the decision-making process.  

Service Provider Provisions: The CPRA increases the contractual obligations of service providers (which are defined as in the CCPA) as currently exist under the CCPA, now requiring them to allow businesses to monitor the provider’s compliance with the contract provisions, certify that it understands and will comply with the contractual obligations.

The CPRA also seeks to impose data protection obligations directly on service providers, contractors and third parties. Specifically, it requires businesses that send personal information to third parties, service providers or contractors to enter into an agreement binding the recipient to the same level of privacy protection as provided by the act, granting the business rights to take reasonable and appropriate steps to remediate unauthorized use, and requiring the recipient to notify the business if can no longer comply.

Finally, the CPRA clarifies what the CCPA regulations do not: it requires service providers to cooperate with and assist businesses in providing requested personal information in response to verifiable data subject requests, as well as correcting or deleting information or limiting the use of sensitive personal information in response to such requests, though exceptions exist.

Enforcement Agency: Lastly, before the 2023 effective date, the CPRA requires the California state government to create a new agency, the California Privacy Protection Agency, to oversee and enforce data privacy.

Again, the CRPA, if passed by ballot initiative in November will not be effective until 2023, with a look back to 2022, giving businesses ample time to plan implementation.

In the meantime, businesses await the California Attorney General’s final CCPA regulations, which are now understood to be delayed, and the start of AG enforcement of the CCPA, which may still commence on July 1, 2020.

Beckage’s dedicated CCPA attorneys routinely counsel clients on implementation of CCPA policies and procedures, including assisting businesses to operationalize Data Subject Request (DSR) processes, perform CCPA training and record keeping, manage third party vendor relationships, and make CCPA required breach notifications. Our clients include major E-commerce retailers, international news media companies, consumer goods manufacturers and retailers, health care organizations and financial entities.

For more information about the CCPA, CPRA and its impact on your business, contact: Myriah V. Jaworski, Esq., CIPP/US, CIPP/E and Nicole Smith Esq..

*Attorney Advertising. Prior results do not guarantee future outcomes.

Subscribe to our newsletter.

Looking Back: Top Privacy and Cybersecurity Headlines from 2019Looking Back: Top Privacy and Cybersecurity Headlines from 2019

Looking Back: Top Privacy and Cybersecurity Headlines from 2019

In the fast-paced, ever-evolving world of privacy and cybersecurity law, gathering the biggest news from 2019 was no small feat – from new laws and landmark cases, to major technological developments and international guidelines, it was a busy year for anyone trying to stay up to date. But Beckage has narrowed down the top privacy and cybersecurity stories that shaped last year:

Read More
Important Clarifications Initiated on California Consumer Protection ActImportant Clarifications Initiated on California Consumer Protection Act

Important Clarifications Initiated on California Consumer Protection Act

The California Consumer Protection Act (CCPA) will impact global companies. The CPPA aims to sets forth landmark privacy rights for Californians and becomes effective January 1, 2020. Last week the California Assembly Privacy and Consumer Protection Committee began clarifying important ambiguities in the CCPA through a serious of amendment bills. These amendment bills are not law just yet. These bills were actions taken by the Committee to advance proposed changes through the legislative process. Some of the most notable clarification from the amendment bills include:    

  • Updating the current CCPA to make it clear that employees are not “consumers” for purposes of the CCPA and addressing some of the concerns with household data.
  • Clarifying personal and de-identified information by adding a reasonableness standard to make it clear that not all information capable of being associated with an individual or household will be considered personal information. Further, the de-identification standard would be shifted to the FTC “reasonably linkable” de-identification definition which is better understood. 
  • Redefining “publicly available” to mean information that is lawfully made available from federal, state, or local records to ensure there is a public record exemption from the definition of “personal information.” 
  • Adding amendments that make loyalty programs exempt from the CCPA’s “non-discrimination” restrictions. 
  • General cleanup of mistakes and confusion in the current language.  
  • Updating the current CCPA requirement that businesses must establish a toll-free number to receive CCPA requests, to a requirement that they must provide a toll-free number or an email address.   

Two amendment bills were withdrawn that would have dramatically expanded the CCPA requirements.  Notably, it included the bill that extended the private right of action to all privacy violations, extended the opt-out to all sharing of personal information (not just “sales”), added data minimization requirements, and expanded the CCPA right-to-know requirement to require accounting to consumers the specific third parties to whom personal information was shared. 

What’s next? These amendment bills head to the Senate leadership. However, these initial steps suggest that some legislative clarifications of CCPA requirements may pass this year.  It is important to balance compliance with this state law with other data privacy and security laws across the globe.  Taking a practical approach with experienced legal teams will be critical.

DISCLAIMER: This alert is for general information purposes only. It does not constitute legal advice, or the formation of an attorney-client relationship, and may not be used or relied upon as a substitute for legal advice regarding a specific issue or problem. Advice should be obtained from a qualified attorney or practitioner licensed to practice in the jurisdiction where the advice is sought.

Attorney Advertising: Prior results do not guarantee a similar outcome.

1 2