California: Provisions of the CPRA
On 3 November 2020, Californians will have the opportunity to vote for a set of wide-ranging amendments to the California Consumer Privacy Act of 2018 ('CCPA') in the form of the California Privacy Rights Act ('CPRA'), potentially heralding stricter rules on data sharing by businesses and the establishment of a fully-fledged state data protection authority, among other things. Alan L. Friel, Partner at Baker & Hostetler LLP, discusses the provisions of the CPRA with particular reference to how they may alternately benefit its various stakeholders.
The CCPA forever changed the consumer privacy compliance landscape in the US by applying European-inspired privacy principles, but reworking them in a uniquely American way. Most notable in this regard is its approach to consent, wherein the CCPA rejects an opt-in requirement in favour of a more limited opt-out of 'sale' approach. The same consumer advocates that had qualified a ballot initiative that would have put the issue of consumer privacy to voters back in 2018, but pulled it when they worked out a compromise with legislators, have found the CCPA to have fallen short and have qualified an amendment initiative that will be on the 3 November 2020 general election ballot. California has a system that lets voters directly amend or pass laws, so California voters will ultimately decide on the scope and reach of this paradigm-shifting law, which is sure to set the baseline for US consumer privacy, at least unless the federal legislature were to step in and occupy the field with an omnibus federal law (an unlikely scenario).
The CPRA, known colloquially as CCPA 2.0 and officially as Proposition 24, if passed into law, would significantly amend and expand on the requirements of the CCPA. But, unsurprisingly, most voters will never read the 52-page document. Instead, voters will be presented on their ballot with a short title and summary, and brief statements by proponents and opponents. The California Secretary of State recently published the following ballot title and summary ('the Ballot Title'), on which voters will be expected to rely in making such an important public policy decision, explaining how the proposed amendment:
- permits consumers to:
  - prevent businesses from sharing personal information;
  - correct inaccurate personal information; and
  - limit businesses' use of 'sensitive personal information' - such as precise geolocation; race; ethnicity; religion; genetic data; union membership; private communications; and certain sexual orientation, health, and biometric information.
- changes criteria for which businesses must comply with these laws;
- prohibits businesses' retention of personal information for longer than reasonably necessary;
- triples maximum penalties for violations concerning consumers under age 16;
- establishes the California Privacy Protection Agency ('CalPPA') to enforce and implement consumer privacy laws and impose administrative fines; and
- requires adoption of substantive regulations.
The Ballot Title continues by outlining the summary of the estimate by the Legislative Analyst and the Director of Finance of the fiscal impact on state and local governments, including:
- increased annual state costs of roughly $10 million for a new state agency to monitor compliance and enforcement of consumer privacy laws;
- increased state costs, potentially reaching the low millions of dollars annually, from increased workload to the Department of Justice and the state courts, some or all of which would be offset by penalty revenues; and
- unknown impact on state and local tax revenues due to economic effects resulting from new requirements on businesses to protect consumer information.
In order to unpack the details of the proposal, this article breaks the legislation down into three categories: pro-business, pro-consumer, and mixed or neutral. Reasonable minds can differ on how to categorise the provisions. Indeed, consumer privacy advocates are not in agreement as to the net benefit or harm that would result from passage of the proposed law, with the American Civil Liberties Union and the Alliance for Retired People against the proposition, and Consumer Reports, the Parent Teacher Association, and the National Association for the Advancement of Colored People urging Californians to vote yes. Truly, there are aspects of the proposal that you can love or hate depending on whether your interest is to protect industry or consumers.
Pro-business
The CPRA clarifies that consumers should not have access to personal information in a manner that would threaten trade secret rights, which would be a big win for industry. The CCPA had softer language regarding intellectual property protection and tasked the California Attorney General ('AG') with addressing the issue in regulations, which has not been done to date. Also welcomed by business is an extension of the carve-outs from most consumer rights aspects of the CCPA for human resources ('HR') data and business-to-business communications ('B2B') data until 1 January 2023. The current exception is set to sunset on 31 December 2020. The amendments also relax pre-collection notice obligations for indirect collection by allowing notice on the company's own website, which the current CCPA regulations would not permit if such personal information is sold unless the business is a registered data broker.
There are also definitional changes that should be welcomed by businesses. The definition of business would be changed to apply the $25 million revenue threshold with reference to the prior calendar year, and the alternative data processing threshold would be increased from 50,000 to 100,000 consumers or households, but would no longer also count devices. 'Households' are defined as 'a group, however identified, of consumers who cohabitate with one another at the same residential address and share use of common device(s) or service(s).' However, the term households is only used to define personal information and to count data processing volume for purposes of defining a covered business. The obligations imposed on businesses in Sections 1798.105, 1798.106, 1798.110, and 1798.115, namely notices and consumer rights, will no longer apply to household data. The definition of business purposes would be expanded in many material ways, and more clearly applied to a service provider's purposes, including regarding the serving and measurement of advertising, except for so-called cross-context behavioural advertising (discussed in the next section).
The definition of 'publicly available information,' which is not treated as personal information, is expanded to include not only information made publicly available by the government, but also information that a business has a reasonable basis to believe is lawfully made available to the general public by the consumer or from widely distributed media, or information made available by a person to whom the consumer has disclosed the information if the consumer has not restricted the information to a specific audience. Finally, the exception from the definition of 'sale' for disclosures at the direction of the user is redefined as when a consumer uses or directs the business to intentionally disclose personal information, or to intentionally interact with one or more parties, doing away with the requirement that the recipient not engage in downstream sales of the personal information.
If a business that sells or shares personal information does not want to have the required business-specific opt-out links on its website, the CPRA would provide that it need not provide such opt-out links if it provides a statement confirming it will honour universal opt-out signals. Further, such a business can provide on its site a method for consumers to override the universal signal. Which approach to take is at the discretion of the business; however, it appears that businesses that do have their own opt-out program must still also accept universal opt-outs, as is required by the current CCPA regulations.
Pro-consumer
While there are certainly changes that will make it easier for companies to comply, there is much that would increase consumer rights and, correspondingly, businesses' obligations. For instance, the CPRA limits retention of personal information to only so long as required to meet the collection and use purposes stated at or prior to the time of collection, and requires businesses to state the retention period, or the method of determining it, as part of the pre-collection notice. It also limits ancillary uses of personal information, even if disclosed at the time of collection, unless reasonably necessary and proportionate to the primary purpose. This could limit certain disclosures, even if disclosed prior to collection and notwithstanding the right to opt out, if they are not reasonably necessary and proportionate.
Inspired by the EU's General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR'), the new law would provide consumers a right of correction, which correspondingly requires businesses to make commercially reasonable efforts to correct inaccuracies identified through a verified consumer request. The proposal also expands the pool of data subjects who may exercise their consumer rights. Personal information collected after 1 January 2022 shall not fall under the current limitation of a one-year lookback for the right to know, except to the extent that responding to data subjects with regard to older data would be impossible or involve a 'disproportionate effort.' The amendments also require, at or prior to collection of sensitive personal information, notice, by category, of the purposes of its collection and use and whether it is sold or shared, along with notice of the ability to opt out of the sharing or sale, or of any other use not reasonably necessary to enable the business to provide the consumer with requested goods or services. This will require a home page link to the opt-out entitled 'Limit the Use of My Sensitive Information,' unless use is already limited to what is necessary to provide requested goods or services.
One of the most notable aspects of the revisions is the effort to clarify that the opt-out right is intended to limit sharing of personal information across the digital advertising ecosystem. The proposition expands the 'do not sell' opt-out to include 'sharing' of personal information for cross-context behavioural advertising, regardless of whether monetary consideration is exchanged. An opt-out right is also provided for precise location-aware advertising. Notice of opt-outs must be passed down by the business to the recipient, who is then required to also honour the opt-out; provided, however, that the business is not responsible for the recipient's failure to do so. Cross-context behavioural advertising means the targeting of advertising to a consumer based on the consumer's personal information obtained from the consumer's activity across businesses, distinctly-branded websites, applications, or services, other than the business' distinctly-branded website, application, or service with which the consumer intentionally interacts. However, the CPRA does not resolve the debate as to whether the publisher or the ad tech company operating a cookie on the publisher's site is the party responsible for the collection, and thus for providing the pre-collection notice and the notice of opt-out. It does, however, as noted above, ease the notice burden on parties indirectly collecting personal information.
The CPRA, while expanding what service providers can permissibly do with data, requires detailed written contracts limiting use, obtaining other commitments, and providing for remediation rights, not just from service providers and contractors, but also from recipients in a sale or in cross-context behavioural advertising sharing. This will require updates to vendor agreements beyond what was done for the CCPA, in addition to new forms of recipient agreements for sharing and sales. The amendments require a business that receives a deletion request to notify its service providers and contractors of the request and to direct them to delete the data; they are in turn obligated to cooperate with the business and delete the personal information if further directed to do so, except to the extent they have their own retention right under the CCPA. Service providers and contractors have an obligation to pass this notification down to their subcontractors, 'unless this proves impossible or involves disproportionate effort.' Further, a business' deletion request notification requirement is also expanded to third parties to which the business has sold or shared personal information, again, 'unless this proves impossible or involves disproportionate effort.'
The CPRA contemplates regulations to require businesses that are involved in the processing of personal information that creates a significant risk to privacy or security to provide privacy risk assessments and perform annual security audits.
The CPRA also proposes increased penalties for non-compliance regarding children's personal information, and vests enforcement authority both in the CalPPA, as a well-funded stand-alone data protection authority, and in the AG, thus increasing the likelihood of an enforcement action and the repercussions for non-compliance. It also removes the obligation of the government to give notice and a 30-day opportunity to cure non-compliance; provided, however, that the CalPPA will have the discretion to permit a one-time cure. The civil penalty authority for the CCPA remains with the AG, but a parallel administrative fine authority is granted to the CalPPA, which will in turn eventually take over the AG's regulatory authority and is specifically directed to promulgate regulations on a variety of topics. To be clear, the AG may still enforce the CCPA unless the CalPPA has already reached a final decision on the same issue, and it may require the CalPPA to stay any administrative action in order that it may proceed with a civil action. A five-year statute of limitations for bringing administrative enforcement actions is added, subject to tolling for fraudulent concealment. It is clarified that implementing reasonable security measures after a breach does not cure the prior breach such that the private right of action for that breach would be precluded.
Mixed or neutral
Although the amendments on their face expand what service providers and contractors can do with their clients' personal information for themselves and their other clients, the CalPPA is directed to develop regulations outlining constraints designed to protect consumer privacy.
A person that does not meet the definition of 'business' may nonetheless be deemed a business if it certifies that it will comply with the CCPA as a business. A new term 'contractor' is created to designate the types of vendors currently carved out from the definition of sale, but that do not meet the definition of a service provider. This type of qualified vendor is undefined under the current CCPA. The treatment of contractors remains substantively unchanged. In addition, the definition of service provider no longer requires it to be a for-profit business. The definition of de-identified data, which will not be treated as personal information, is revised to more closely match the Federal Trade Commission guidance standard. 'Precise geolocation' is defined as 'data that is derived from a device and that is used or intended to be used to locate a consumer within a geographic area that is equal to or less than the area of a circle with a radius of one thousand, eight hundred and fifty (1,850) feet, except as prescribed by regulations.'
The CPRA proposes that law enforcement may place a 90-day hold on the deletion of personal information that may be relevant to an investigation.
A verifiable consumer request for specific pieces of, or to delete, personal information shall not extend to personal information about the consumer that belongs to, or which the business maintains on behalf of, another natural person.
Finally, the CPRA attempts to shut the door behind it. Amendments must be consistent with the stated legislative intent, suggesting that they could not materially change consumer rights or a business' obligations.
The CPRA will be on the November ballot. If approved by majority vote this fall, the CPRA would become operative shortly after the election, but most of the new obligations on businesses would not become operative until 1 January 2023 and would not be enforceable until 1 July 2023. However, the AG would be obligated to promulgate related regulations by 1 July 2022, and the data that would be subject to the CPRA's new requirements would be personal information collected after 1 January 2022. One aspect of the CPRA which would take immediate effect is a two-year extension of the statutory exclusions of HR and B2B communications data, which are currently set to sunset at midnight on 31 December 2020. Accordingly, if the measure passes, businesses will have the immediate benefit of the extension of the HR and B2B carve-outs, as well as significant time to prepare for the CPRA's additional obligations.
Alan L. Friel Partner
Baker & Hostetler LLP, Los Angeles