California Privacy Rights Act of 2020 - Amendment to the CCPA

The California Privacy Rights Act (the “CPRA”), has qualified for the November 2020 general election ballot.

If approved, the CPRA would introduce significant amendments to and expand the California Consumer Privacy Act (the “CCPA”) by adding new definitions, giving consumers the right to limit the use and disclosure of a new category of “sensitive” personal information, and allowing consumers to opt-out of the sale and sharing of their data. The initiative would also triple fines for the unlawful collection or sale of children’s personal information. The CPRA would also establish the California Privacy Protection Agency, which would replace the state attorney general’s office in enforcing these rights. The following is an overview of some of the key changes.

Enhanced Obligations

For third parties, service providers, and contractors, the CPRA would enhance obligations which include: (1) providing notice at or before the point of collection where data is collected by a business acting as a third party, §1798.100(b), (2) the addition of contractual obligations to provide certain levels of privacy protection, §1798.100(d), and (3) requiring additional cooperation on consumer requests, including deletion and flow-down obligations. §1798.105(c)(3)

The CPRA would also impose a new obligation to implement reasonable security procedures and practices appropriate to the nature of the personal information. §1798.100(e)

New Rights

The CPRA adds several new rights to the CCPA[1]. These include allowing consumers to direct businesses to limit the use and disclosure of sensitive personal information and to request “correction of inaccurate personal information”. §1798.121; §1798.106.

Addition of Definitions

The CPRA proposes additional definitions of “consent,” “contractor,” “household,” “security and integrity,” “sensitive personal information,” “service provider,” and “share.” §1798.140(h), (j), (q), (ac), (ae), (ag), and (ah) respectively. Each of which carries new or enhanced obligations. For instance, an additional element of data sharing is added to the definition of “business” for entities who share control and common branding with a business subject to the CCPA. §1798.140(d)(2).  Moreover, “share,” “shared,” or “sharing” is very much like selling, but in relation to cross-context behavioral advertising. §1798.140 (ah). Also, a new category of “sensitive personal information” is established and would be defined to include a Social Security Number, driver’s license number, passport number, financial account information, precise geolocation, race, ethnicity, religion, union membership, personal communications, genetic data, biometric or health information, and information about sex life or sexual orientation. §1798.140 (ae).

Addition of Purpose and Storage Limitations

The CCPA does not include strict use and retention restrictions for personal information. The CPRA would amend this by imposing limitations on a business’s ability to collect, use, retain, and share personal information of California consumers. §1798.100. The CPRA requires these activities “be reasonably necessary and proportionate to achieve the purposes for which the personal information was collected or processed, or for another disclosed purpose that is compatible with the context in which the personal information was collected, and not further processed in a manner that is incompatible with those purposes.” §1798.100(c).

Businesses would be required to include the length of time that they intend to retain each category of personal information that they process in their privacy notices or otherwise, explain the criteria used to determine the retention time frames. Personal information would only be permitted to be retained for as long as is reasonably necessary for the disclosed purposes. §1798.100(a)(3)

Creation of New Enforcement Agency

The CPRA creates a new state agency, the California Privacy Protection Agency, that would be vested with full administrative power, authority, and jurisdiction to implement and enforce the CPRA. The initial task for CPRA regulations would rest with the California Attorney General, who currently handles the CCPA and its regulations, but would then transition to the California Privacy Protection Agency. §1798.199

Expanded Data Breach Liability

The CPRA would amend the security breach liability provision of the CCPA to clarify that any data breaches resulting in the compromise of a consumer’s email address in combination with a password or security question and answer that would permit access to the consumer’s account are subject to civil actions. §1798.150(a)

Heightened Enforcement Measures

Businesses whose processing of personal information presents a “significant risk” to consumers’ privacy or security would be required to perform an annual cybersecurity audit and to submit regular risk assessments to the new Consumer Privacy Protection Agency. §1798.185(a)(15)

Any violations involving the personal information of individuals known to be under the age of 16 would be subject to the increased penalty level of $7,500 for each violation. §1798.155(a)

All businesses subject to the CCPA already have an affirmative obligation to establish security procedures and practices to protect any personal information maintained. Even during the current COVID-19 pandemic, a compliance program must be implemented. Further, this overview does not encapsulate all of the changes proposed by the CPRA and additional or different changes may occur before the implementation date.  If adopted by California voters, the CPRA would take effect on Jan. 1, 2023. It would substantially increase the requirements already imposed by the CCPA and companies that conduct business in California would face an even greater obligation related to consumer privacy. For further information please contact Yvonne Sewall at ysewall@larkinhoffman.com.