California: Operationalising CPRA - new and expanded consumer rights under CCPA
The California Privacy Rights Act of 2020 ('CPRA') became fully operative on 1 January 2023. The CPRA was approved by California voters in a November 2020 ballot initiative and amends the requirements of the California Consumer Privacy Act of 2018 ('CCPA'). The CPRA changes the scope of the CCPA, expands the rights afforded to consumers under the law, and introduces a new regulatory agency, the California Privacy Protection Agency ('CPPA'), to be responsible for enforcement.
In part one of this series, Operationalising CPRA, Emily S. Tabatabai and Alyssa Wolfington, from Orrick Herrington & Sutcliffe LLP, discuss how the CPRA has changed consumer rights under the CCPA and what companies may need to consider regarding these changes.
The CPRA is an amended and amplified version of the CCPA; it is not a new law. However, for the purposes of this article, 'CPRA' will be used to identify the ways in which the CPRA amended the existing, or original, CCPA.
The CPRA revises the threshold of what is a covered 'business'. Now, a company doing business in California is covered by the CPRA where it: (i) had $25M in annual gross revenues as of 1 January in the preceding calendar year; or (ii) buys, sells, or shares the personal information of 100,000 California consumers or households; or (iii) derives 50% or more of its annual revenues from selling or sharing personal information. In light of this revised test, most companies that triggered the coverage threshold under the CCPA based on annual revenues likely will continue to be covered, but many businesses that were covered by the CCPA merely because they collected the personal information of 50,000 devices (a threshold not difficult to trip for many online businesses) will now fall outside the scope of the CPRA.
As indicated above, the CPRA expands the privacy rights that were available to consumers under the CCPA and provides for additional consumer rights. The CPRA provides the following rights to consumers:
- Right to know. Under the CPRA, a consumer may request that a business provide the consumer with details about its collection and treatment of the consumer's personal information, including the categories and/or specific pieces of personal information collected, as well as information about the sources, disclosures, and recipients of that personal information. Upon receipt of a verifiable request, a business must provide more than 12 months of information, so long as such disclosure would not be 'impossible' or 'involve disproportionate effort'. This requirement does not apply to any data collected by the business prior to 1 January 2022. Service providers and contractors are required to assist the business in responding to a verifiable request to know.
- Right to portability. In connection with the right to know, the CPRA provides consumers with the right to obtain a copy of their personal information in a portable and, to the extent technically feasible, readily usable format that allows the consumer to transmit the data to another entity without hindrance.
- Right to delete. The CPRA preserves the existing right for a consumer to request that the business delete personal information the business has collected from the consumer. Upon receipt of a verifiable consumer request, the business must delete the consumer's information (subject to certain exceptions) and notify its service providers and contractors to delete the consumer's personal information.
- Right to correct. The CPRA introduces a new right for a consumer to request that the business correct inaccuracies in the consumer's personal information. When a business receives a verified request to correct inaccurate personal information, it must use 'commercially reasonable efforts' to correct the personal information, unless such correction would be 'impossible' or 'involves disproportionate effort', or the business determines that the personal information is more likely than not accurate based on the totality of the circumstances. The CPRA regulations allow businesses, service providers, and contractors to delay compliance with correction requests for information stored on archived or backup systems. Similar to the right to delete, the business must notify its service providers and contractors of the correction request.
- Right to opt-out of sales and sharing. The CPRA expands the existing opt-out right to include both the sale and sharing of personal information. Under the CPRA, the consumer has the right to direct the business not to 'sell' the consumer's personal information or 'share' such information with third parties for 'cross-context behavioral advertising' purposes, whether or not the sale or share is for monetary or other valuable consideration. Unlike the other rights afforded to consumers under the CPRA, the consumer's identity does not need to be verified in order for a business to comply with an opt-out request.
- Right to limit the use and disclosure of sensitive personal information. The CPRA creates a new category of personal information – 'sensitive personal information' – and provides consumers with a right to direct a business to limit its use of the consumer's sensitive personal information to the use that is necessary to perform the services or provide the goods reasonably expected by the consumer. If the business uses or discloses sensitive personal information for other purposes, the business must notify the consumer and provide the right to limit such use and/or disclosure.
- Right to access information about, and opt-out of, automated decision-making. The CPRA directs the CPPA to issue regulations governing access and opt-out rights with respect to a business's use of automated decision-making technology and profiling. The CPPA has not yet issued regulations on this topic.
- Right to no retaliation. As discussed further below, under the CPRA, a consumer has the right not to receive retaliatory or discriminatory treatment in connection with a request to exercise any of the above privacy rights.
Applicability to employee information
As of 1 January 2023, the CPRA now applies to employee information, making the CPRA unique among the US state comprehensive privacy laws to apply in the employment context. As a result, the privacy rights afforded to consumers under the law must now be extended to California employees, job applicants, and independent contractors. Businesses should ensure that there are processes in place to provide employees with notice of their privacy rights under the CPRA and to respond to employee rights requests. Businesses should also identify those service providers or contractors processing California employee personal information because the business may need their assistance to comply with employee CPRA requests.
Mechanisms for submitting requests
Unlike other state privacy laws, the CPRA requires businesses to follow prescriptive requirements when designing the methods by which a consumer may submit a rights request.
- Requests to know, delete, and correct. Under the CPRA, a business that operates exclusively online and has a direct relationship with the consumer is only required to provide an email address for submitting requests to know, delete, or correct. All other businesses are required to provide two or more designated methods for submitting such requests, one of which must be a toll-free telephone number.
Note that if a consumer submits a request in a manner that is not one of the designated methods of submission identified above, the business can choose to either: (i) treat the request as if it had been submitted through a designated method; or (ii) provide the consumer with information on how to submit the request through the designated methods.
The CPRA permits consumers to use an authorised agent to submit requests on their behalf. However, a business may require the authorised agent to provide proof that the consumer gave the authorised agent permission to submit requests to delete, correct, or know.
Right against discrimination/financial incentives
As noted above, the CPRA provides consumers with the right not to receive retaliatory or discriminatory treatment in connection with a request to exercise their privacy rights. Retaliatory or discriminatory treatment may include:
- denying goods or services to the consumer;
- charging different prices or rates for goods or services, including through the use of discounts or other benefits or imposing penalties;
- providing a different level or quality of goods or services to the consumer; or
- suggesting that the consumer will receive a different price or rate for goods or services or a different level or quality of goods or services.
However, the CPRA permits a business to charge or offer a consumer a different price or rate or provide a different level or quality of goods or services, if that difference is reasonably related to the value provided to the business by the consumer's personal information. This may, for example, include an offering of loyalty, rewards, premium features, discounts, or club card programs that are otherwise consistent with the CPRA. When a business provides these financial incentives, it must clearly disclose the terms relating to the price or quality difference and obtain opt-in consent to evidence the consumer's voluntary participation in the program.
Obligations for service providers and contractors
The CPRA requires service providers and contractors to assist the business in responding to verifiable consumer requests to know, delete, and correct. In addition, the contract between the business and the service provider or contractor must require the service provider or contractor to comply with all applicable sections of the CPRA, including cooperating with and responding to consumer requests.
Next steps for businesses
Businesses subject to the CPRA should ensure that they have procedures and policies in place to respond to consumer rights requests from consumers and employees. Businesses should also update their online disclosures to account for the new rights afforded under the CPRA and evaluate their request mechanisms to ensure that they comply with the requirements outlined in the CPRA and its regulations. Civil and administrative enforcement of the provisions added or amended by the CPRA will commence 1 July 2023.