California: FAQs - CCPA
The California Consumer Privacy Act of 2018 ('CCPA') was signed into law on 28 June 2019 before entering into effect on 1 January 2020. The Final CCPA Regulations were approved on 14 August 2020, which provided further requirements and clarifications on the application of the CCPA.
The CCPA is one of the most comprehensive privacy laws in the US and has introduced significant compliance challenges for organisations. In particular, the CCPA established a new set of consumer rights, additional protections for children's data, and specific rules on the selling of personal information.
The framework provided by the current version of the CCPA is, though, set to change following the passing of the California Privacy Rights Act of 2020 ('CPRA') on 3 November 2020. The CPRA stipulates several amendments to be made to the CCPA, including new consumer rights, provisions for a state privacy authority, and further obligations relating to children's data. Although the CPRA will not become operative until 1 January 2023, many of its provisions will be applicable to personal information collected from 1 January 2022.
Scope and applicability
What is the CPRA?
The California Privacy Rights Act of 2020 ('CPRA'), or Proposition 24, is a ballot initiative that passed with a 56% majority in the California General Election of 3 November 2020. It will significantly amend privacy legislation in California.
The first version of the ballot initiative that became the CPRA was introduced in September 2019 by Alastair Mactaggart, Board Chair and Founder of the Californians for Consumer Privacy group and proponent of the California Consumer Privacy Act ('CCPA'), which was passed by the California Legislature in June 2018.
When will the CPRA come into effect?
The CPRA will enter into effect on 1 January 2023, and with the exception of the right of access, it will apply to personal information collected by a business on or after 1 January 2022.
What are some of the main changes to be introduced by the CPRA?
The CPRA will introduce several new privacy requirements to Californian legislation. These include:
- sensitive personal information as a new category of personal information;
- additional and amended consumer data rights;
- expanded contractual requirements for service providers and third parties;
- new definitions for, among other key terms, 'sharing', 'profiling', and 'service providers';
- the creation of a state privacy agency;
- new risk assessment and cybersecurity audit requirements;
- provisions on profiling; and
- extended exemptions.
Do we still need to comply with the CCPA?
The CCPA and its associated Regulations will continue to be in effect as they currently are. The CPRA will amend and replace certain aspects of the CCPA when it enters into effect on 1 January 2023. The parts of the CCPA that are not impacted by the CPRA will continue unchanged.
What organisations will the CPRA affect?
The territorial scope of the CPRA is broadly similar to the CCPA in terms of having a potential, although not explicitly clarified, extraterritorial application.
The CPRA will, though, modify key definitions within the CCPA and thereby change its scope. In particular, the definition of 'business' will be amended to include businesses deriving 50% or more of their profits from sharing personal information, businesses that certify voluntarily with the new state privacy agency, and certain joint ventures, and to raise the threshold for businesses that buy, sell, or share personal information from 50,000 to 100,000 consumers or households. There are also notable additions to the definition of 'business purpose', specifically in the context of behavioural advertising, as well as new provisions for 'contractors'.
Furthermore, the introduction of provisions for 'sensitive personal information' and 'profiling', will impact relevant organisations. The CPRA also establishes new exemptions. For instance, the CPRA outlines that its regulations on business with regards to rules on the rights to deletion, correction, access, information and data minimisation, among others, do not apply to organisations that collect data from a natural person in the course of the natural person acting as 'a job applicant to, an employee of, owner of, director of, officer of, medical staff member of, or independent contractor of that business to the extent that the natural person's personal information is collected and used by the business solely within the context of the natural person's role or former role as a job applicant to, an employee of, owner of, director of, officer of, medical staff member of, or an independent contractor of that business.'
What is 'sensitive personal information' under the CPRA?
'Sensitive personal information' is defined as '(1) personal information that reveals (A) a consumer's social security, driver's license, state identification card, or passport number; (B) a consumer's account log-in, financial account, debit card, or credit card number in combination with any required security or access code, password, or credentials allowing access to an account; (C) a consumer's precise geolocation; (D) a consumer's racial or ethnic origin, religious or philosophical beliefs, or union membership; (E) the contents of a consumer's mail, email and text messages, unless the business is the intended recipient of the communication; (F) a consumer's genetic data; and (2) (A) the processing of biometric information for the purpose of uniquely identifying a consumer; (B) personal information collected and analysed concerning a consumer's health; or (C) personal information collected and analysed concerning a consumer's sex life or sexual orientation.'
What is 'sharing' under the CPRA?
The CPRA defines 'share', 'shared', or 'sharing' as 'sharing, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means, a consumer's personal information by the business to a third party for cross-context behavioural advertising, whether or not for monetary or other valuable consideration, including transactions between a business and a third party for cross-context behavioural advertising for the benefit of a business in which no money is exchanged.'
Alongside the inclusion of the definition of sharing, the CPRA will limit the exemptions previously provided in the CCPA for the sale of information and revises the definition of sale to remove the inclusion of sharing to another business. There are certain exemptions to sharing including when the consumer has intentionally directed the business to intentionally disclose the personal information.
Who is a 'contractor' under the CPRA?
Non-third parties are given a new definition under Section 15 of the CPRA as 'contractors', which means a person who shares personal information with a business for a business purpose and pursuant to a written contract with the business. This definition is distinct from that of service providers under the CCPA. The agreement between a business and contractor must meet strict requirements including:
- prohibitions on the contractor's use of personal information, especially outside of the business purpose or relationship, and on combining the personal information provided with other information;
- certifications outlining that the contractor is aware of the restrictions;
- granting permission for the ongoing monitoring of compliance of the contract by the business; and
- notification to the business when engaging any other party to assist in the processing of personal information.
What is 'profiling' under the CPRA?
The CPRA will establish a new definition of profiling, meaning any form of automated processing of personal information to evaluate certain personal aspects relating to a natural person, and in particular to analyse or predict aspects concerning that natural person's performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location, or movements. The CPRA will also authorise the California Attorney General ('AG') to issue regulations governing access and opt-out rights with respect to businesses' use of automated decision making, including profiling, and requiring businesses' responses to access requests to include meaningful information about the logic involved in these processes as well as a description of the likely outcome of the process in relation to the consumer.
What is the 'moratorium' related to employee data?
The CPRA will extend the exemptions provided under the CCPA for a moratorium (a temporary prohibition) on the application of its rules to collected employee data, extending it until 2023 from the expiry in 2022 previously mandated by Assembly Bill 1281. The CPRA outlines that its regulations on business with regards to rules on the rights to deletion, correction, access, information and data minimisation, among others, do not apply to organisations that collect data from a natural person in the course of the natural person acting as 'a job applicant to, an employee of, owner of, director of, officer of, medical staff member of, or independent contractor of that business to the extent that the natural person's personal information is collected and used by the business solely within the context of the natural person's role or former role as a job applicant to, an employee of, owner of, director of, officer of, medical staff member of, or an independent contractor of that business.'
The moratorium on the application of the CPRA's rules applies to organisations until 1 January 2023, following which the personal information collected in the employment context by organisations will fall under the purview of the regulations of the CPRA.
When do provisions for B2B communications enter into effect?
The CPRA will extend exemptions to personal information exchanged in business to business ('B2B') communications until 1 January 2023 as outlined in the CCPA. The CCPA provides this exemption to B2B communications where the consumer acts on behalf of the business and the information exchanged relates solely to the provision or receipt of a product or service to or from a business.
What consumer rights will the CPRA impact?
The CPRA will introduce:
- the right to rectification (also known as a right to correct personal information); and
- the right to limit use and disclosure of sensitive personal information.
The CPRA will also modify:
- the right to delete information, particularly in relation to request recordkeeping and the responsibilities of service providers and contractors;
- the right to access information by clarifying concepts of sharing and disclosing information;
- the right to information, including significant changes to the details included in privacy notices;
- the right to information on the sharing or selling of personal information;
- the right to opt-out by introducing the right to opt-out of personal information being shared; and
- the right to non-discrimination by extending this right, particularly in regard to employees, applicants for employment and independent contractors.
There are also amendments to the associated requirements for organisations when ensuring these rights are provided. These include, for instance, internet websites being made available to exercise rights where the organisation has a website, certain verification requirements, information to provide, responsibilities for service providers and contractors, and details on the format in which information is provided.
Are there additional general obligations?
A business that controls the collection of personal information should ensure consumers are informed of, among other things:
- categories of personal information and, where applicable, sensitive personal information; and
- retention period for collected information or criteria used to determine this period.
This information may be provided through the homepage of an internet website prominently and conspicuously, or, where applicable, clearly and conspicuously at physical premises, including vehicles.
Furthermore, 'A business's collection, use, retention, and sharing of a consumer's personal information shall be reasonably necessary and proportionate to achieve the purposes for which the personal information was collected or processed, or for another disclosed purpose that is compatible with the context in which the personal information was collected, and not further processed in a manner that is incompatible with those purposes.'
'A business that collects a consumer's personal information shall implement reasonable security procedures and practices appropriate to the nature of the personal information to protect the personal information from unauthorized or illegal access, destruction, use, modification, or disclosure.'
The CPRA also establishes that none of these additional requirements, as well as those pertaining to contracts, shall require a business to disclose trade secrets.
What obligations will there be for sensitive personal information?
Categories and purposes of sensitive personal information that are collected or used by businesses must be communicated to consumers, at or before the point of collection. It will also be prohibited to use or collect additional sensitive information for purposes that are incompatible with the disclosed purpose for which the sensitive personal information was collected, without providing notice to consumers.
The CPRA will provide consumers with the right to limit the use and disclosure of sensitive personal information to that use which is necessary to perform the services or provide the goods reasonably expected by an average consumer who requests such goods or services. In addition to the modified 'Do Not Sell or Share My Personal Information' link, businesses must provide a clear and conspicuous link on their internet homepage titled 'Limit the Use of My Sensitive Personal Information' that enables a consumer, or a person authorised by the consumer, to exercise this right. Nevertheless, a single link may be used by businesses to comply with this requirement, if that link easily allows a consumer both to opt-out of the sale or sharing of the consumer's personal information and to limit the use or disclosure of the consumer's sensitive personal information.
What are the new obligations regarding children's data?
The CPRA will enhance the right to opt-in to the sale or sharing of personal information for minors (consumers under 16 years old). If the consumer under 16 years old has declined to provide their information, the organisation will be required to wait at least 12 months before approaching the consumer again for consent to sell or share their personal information. There will also be more extensive fines for violations regarding children's data (up to $7,500 for each violation).
Does the CPRA impact relationships between organisations?
The CPRA will significantly expand the contracting requirements in Section 4 for businesses that collect personal information, by obliging all businesses that share personal information with a third party, or that disclose personal information to a service provider or contractor for a business purpose, to enter into an agreement with that third party, service provider, or contractor. The CPRA will also give businesses the authority to supervise compliance with the obligations outlined in the agreement by granting them the ability to 'take reasonable steps' to do so.
What are the changes to service provider contracts?
The CPRA will modify the definition of service provider to include a requirement prohibiting service providers from selling or sharing the personal information that they have received from a business. Furthermore, service providers will be contractually prohibited from retaining, using, or disclosing the personal information they have received outside of the business relationship, and from combining that information with information the service provider receives or collects from another person. Similarly to the 'contractor' modifications, the contract between the business and service provider may, subject to agreement, permit the business to monitor the service provider's compliance with the legislation through measures including ongoing manual reviews, automated scans, and regular assessments, audits, or other technical and operational testing at least once every 12 months. Finally, the CPRA will add an obligation for a service provider to notify the business if it engages any other person to assist in the processing of personal information for a business purpose on behalf of the business.
What are 'risk assessments' under the CPRA?
The CPRA will direct the AG, and subsequently the new state privacy agency, to adopt regulations that mandate that businesses conduct a risk assessment with respect to their processing of personal information on a regular basis and submit these to the agency. The CPRA outlines that the risk assessments should involve 'identifying and weighing the benefits resulting from the processing to the business, the consumer, other stakeholders, and the public, against the potential risks to the rights of the consumer associated with such processing.'
What are 'cybersecurity audits' under the CPRA?
The CPRA will oblige businesses to perform a cybersecurity audit on an annual basis and will establish that the AG, and subsequently the new state privacy agency, issue regulations on the scope and processes of such audits. The CPRA highlights that the size and complexity of the business and the nature of its processing should all be factors in determining when processing may result in a significant risk of harm to the individual.
Will there be changes in relation to data breach requirements?
The CPRA will extend the scope of breach liability for organisations to include the unauthorised access, theft, or disclosure of an email address in combination with a password or security question and answer that would permit access to the account.
Furthermore, the CPRA explicitly states that the implementation of reasonable security procedures and practices as required elsewhere in the law, following a breach does not constitute a 'cure' of that breach.
Who is the new regulator?
The CPRA will mandate the creation of a new state agency, the Consumer Protection Privacy Agency ('the Agency'), which would enforce the provisions of the CCPA and have the authority to take other actions against organisations for non-compliance. The Agency would be governed by a five-member board, including a Chair, serving eight-year terms, with appointment powers given to the AG, the Senate Rules Committee, the Speaker of the Assembly, and the Governor.
What powers will the new regulator have?
The Consumer Protection Privacy Agency ('the Agency') will enforce the provisions of the CCPA and have the authority to take actions against organisations for non-compliance. Under Section 24 of the CPRA, the Agency is vested with full administrative authority and jurisdiction over the CCPA, which includes the power to modify the CCPA Regulations.
Will there be more Regulations?
The CPRA provides for the creation of new Regulations on, among other things, risk assessments, audits, correction requests, business purposes, and opt-out rights. The timeline for adopting final Regulations is 1 July 2022.
Will the CPRA impact federal privacy legislation?
The CPRA amends Californian legislation and does not directly impact federal legislation.
There have, however, been suggestions that, similarly to the CCPA, the increased interest in privacy legislation incited by the CPRA will encourage privacy developments at the federal level.
Authored by OneTrust DataGuidance