California: What CPRA will mean for businesses, consumers, and US privacy landscape
It took five days for Americans to know who their new president would be, but by the morning after Election Day 2020, it was clear that Californians had voted to move the state – and practically, by extension, the nation – toward a European approach to consumer privacy. California voters approved a ballot measure, Proposition 24, which is known as the California Privacy Rights Act of 2020 ('CPRA'), popularly known by some as CCPA 2.0 and by others as the second dumpster fire. Alan Friel and Kyle Fath, Partner and Associate respectively at Baker & Hostetler LLP, guide us through the provisions of the CPRA and what they will mean for California consumers and businesses.
CPRA: CCPA 2.0.
The CPRA amends certain provisions of the paradigm-shifting California Consumer Privacy Act of 2018 ('CCPA'), which went into effect in January 2020 and became subject to enforcement in July 2020. Moreover, the CPRA will introduce a number of new provisions and concepts to a law that regulators are still fleshing out and businesses are struggling to understand. Like the CCPA, the CPRA will be supplemented by future regulations to be issued by a new privacy protection agency; however, the nature and the extent of the CPRA's regulatory mandates far exceed those of the CCPA.
The CPRA becomes effective immediately. However, while most of the CPRA is not operational until January 2023 and will not be enforced until July 2023, the two-year extension of the current stay on certain CCPA provisions covering business-to-business ('B2B') communications and human resources ('HR') data will be effective immediately. In addition, the forthcoming privacy agency is set to begin rulemaking to elaborate on the CPRA's requirements as early as next summer, superseding CCPA rulemaking authority of the California Attorney General ('AG'). Accordingly, organisations subject to the CPRA will need to begin monitoring the status of the regulations and preparing for CPRA compliance beginning in about seven months.
Rulemaking and enforcement
The CPRA establishes a new data protection agency, the California Privacy Protection Agency ('the Agency'), tasked, along with the AG, with enforcement of the CPRA. The Agency will take over all rulemaking responsibilities and is apportioned a sizable budget that must be increased by the Legislature 'as may be necessary to carry out the provisions of this title.' Administrative fines collected by the Agency will be used to reimburse the state courts and the AG for costs related to CPRA enforcement, with a small portion of the proceeds going to the Agency itself.
Any 'person' – any individual or organisation – has the ability to bring a CPRA complaint to the Agency. This means that consumers, competitors, vendors, customers, consumer advocacy groups and other parties have standing to bring complaints about a business's privacy practices. The Agency may also investigate possible violations on its own initiative and will have discretion 'not to investigate or decide to provide a business with a time-period to cure the alleged violation.' There is a five-year statute of limitations for the Agency's administrative actions, which can be tolled if violations were fraudulently concealed. Although both the AG and the Agency will have enforcement authority, the AG has the power to require the Agency to stay any administrative investigation or action. The AG, however, cannot bring a civil action based on a violation that has been the subject of an Agency administrative decision or order.
As early as July 2021, the Agency will assume the AG's rulemaking authority. However, the CCPA's enforcement provisions (including the 30-day cure period) and the AG's enforcement authority thereunder remain in effect through 1 July 2023. In the meantime, the Agency must adopt final CPRA regulations by 1 July 2022.
Enforcement of the CPRA by the Agency, via a prescriptive administrative procedure, will begin 1 July 2023, but will apply only to violations that occur on or after that date. As with the CCPA, the CPRA does not provide a private right of action except in relation to security breaches. The CPRA specifies, however, that remedial measures following a security breach do not constitute a 'cure' that would preclude a consumer lawsuit.
Scope of application and new concepts and definitions
Definition of 'personal information'
The CPRA creates a hole in the definition of 'personal information' ('PI') that could allow businesses to significantly curtail consumer rights and their obligations under California's privacy regime. Under the CCPA, 'publicly available' information, which under the law is not treated as PI, is limited to information made publicly available by the government. The CPRA will amend that to also include 'lawfully obtained truthful information of public concern.' Further, 'publicly available' was expanded to include information a business has a reasonable basis to believe was made available to the general public by the consumer or the 'widely distributed media' or is otherwise obtained from a person to whom the consumer disclosed the information without having restricted it to a specific audience. This provision would seem to exclude from the definition of PI: information published by the press; information provided to a platform or service that is then publicly posted on that platform or service, such as public reviews, comments and social media posts; and directory listings and similar publications. This expansion of the definition of publicly available therefore excludes such data from the scope of the obligations of businesses and third parties and the rights of consumers, including the rights to know, delete and opt out of sale and the new rights created by the CPRA. On the other hand, categories of 'sensitive personal information,' including 'precise geolocation' (which is now a defined term), have been added to the definition of PI, with consumers having the ability to limit the processing of sensitive PI (discussed further below).
Most of the obligations imposed by the CCPA are on 'businesses,' defined to include certain for-profit entities that deal with consumer PI and that meet one of three thresholds – revenue, processing, or profiting from the sale of PI. Under the CPRA, the existing $25 million revenue threshold is clarified to establish that revenues are to be measured as of 1 January of the calendar year, to preclude midyear application to companies that hit the threshold in the middle of the year. The collection threshold now requires that the entity '[a]lone or in combination, annually buys or sells, [sic] or shares the personal information of 100,000 or more consumers or households' ('devices' has been removed). The threshold under the CCPA was 50,000 and included 'devices,' which did not require a California residency nexus. Because the new definition of 'household' limits that term to a collection of consumers, and the definition of consumers includes the California residency requirement, the CPRA resolves in the affirmative the question of whether only Californians are to be counted in calculating this threshold number.
Under the CCPA, certain commonly branded entities affiliated with a covered business also are deemed covered businesses. The common branding provision now requires that 'the business shares consumers' personal information' with the commonly branded entity. This might exclude commonly branded parent and sister companies to the extent that data is not shared between and among them and otherwise does not meet the threshold criteria for being a business. In addition, there is a new joint venture/partnership concept. Where each business has at least a 40% interest, the joint venture/partnership is its own business, and each business remains a separate business. It is not clear how this interrelates with the common branding provision. Moreover, it is not clear to what extent 'joint venture' ('JV') and 'partnership' are used loosely and are meant to refer to any entity in which two entities have an interest or are used as terms of art. There is a prohibition on sharing among the JV businesses that was likely intended to instead designate the sharing as a sale rather than imposing an outright prohibition.
The CPRA clarifies a question that arose out of the CCPA's negative definition of 'third party,' which set forth a type of vendor that was not a third party, and thus to which a disclosure of PI was not a sale. However, the statutory elements of that carve-out did not match those of a 'service provider' under the title. The CPRA has added a defined category of party called 'contractor' that is similar to the undefined party carved out of the definition of third party in § 1798.140(w)(2) of the CCPA (sometimes called the non-third party or exempt third party), which required contractual 'certification' of CCPA compliance. The differences and similarities between the new contractor designation and service providers are discussed further below.
The CPRA also introduces the concept of a third party controlling the collection of PI. The third-party controller can meet its pre-collection notice obligations by providing the required information prominently and conspicuously on the homepage of its internet website (similar to how data brokers would meet their obligations, but no registration is required).
Consumers' rights and businesses' obligations
Inspired by the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR'), the CPRA adds the right to correction of inaccurate information. A cornerstone of the CCPA was access, or the 'right to know.' Under the CCPA, access was limited to a period of the prior 12 months. The lookback period for access requests is to be extended beyond 12 months by regulation, as is already the case with deletion. However, the Agency is to issue regulations addressing the issue of whether providing beyond 12 months would be 'impossible or would involve a disproportionate effort.' This concept of carving out subject data if the value is not reasonably related to the effort shows up also in new CPRA language noting that the definition of 'specific pieces of information' will now be subject to refinement in the regulations, including in order to '[minimise] the delivery of information to a consumer that would not be useful … such as system log information and other technical data.'
One of the potentially most significant changes that the CPRA will bring about is the adoption of GDPR Articles 13 and 30 into §1798.100 of the CCPA, introducing obligations of proportional use limitations and retention limitations. Indeed, the language used is directly taken from Article 13 and Article 30. Under the CPRA, a business's collection, use, retention and sharing of a consumer's PI must be reasonably necessary and proportionate to achieve the purposes for which the PI was collected or processed, or for another disclosed purpose that is compatible with the context in which the PI was collected, and the PI may not be further processed in a manner that is incompatible with those purposes. Further, a business must disclose at collection its intended retention period for personal information by category of PI or, if that is not possible, the basis for determining such periods, and it may not retain PI for longer than is necessary for the purposes disclosed at the time of collection. These new §1798.100 requirements will require businesses to do even better data inventories and to maintain robust information governance that ties specific pieces of PI to their collection purposes and to the corresponding use and retention limitations.
The CPRA does not include provisions that significantly implicate verification of identity except to the extent that it clarifies the requirements will again be subject to the regulations.
The CPRA adds clarifying details to obligations of a business and its downstream data disclosure recipients following a consumer deletion request, but also complicates the issue somewhat, due to what is likely poor drafting. Businesses will be required to notify all parties to whom personal information was disclosed regarding a deletion request (not just service providers, as in the CCPA), and service providers and contractors must pass that notice down to any service providers, contractors or third parties with which they have shared the information. The CPRA discusses exceptions for service providers' and contractors' deletion obligations after receiving a request from a business but, inexplicably, is silent as to third parties' deletion obligations. This is an area the regulations will need to flesh out further.
The CPRA will significantly impact consumers' rights and businesses' obligations in respect of interest-based advertising and other adtech activities. The CPRA gives a nod to the GDPR and will regulate 'profiling,' which it defines as 'any form of automated processing […] to evaluate […] personal preferences, interests [… or] behaviour,' though this is also to be fleshed out in the regulations. Another significant new term implicating digital advertising is 'cross-context behavioural advertising,' defined as 'the targeting of advertising to a consumer based on the consumer's personal information obtained from the consumer's activity across businesses, distinctly branded websites, applications, or services, other than the business, distinctly-branded website, applications, or services with which the consumer intentionally interacts.' This definition clearly covers traditional interest-based advertising activities and is directly invoked in the new concept of 'sharing,' which includes the same transfer activities as the definition of 'sale' (e.g. 'making available'), but applies only in the context of cross-context behavioural advertising. There is no requirement of consideration for a transfer of PI to be considered to have been 'shared.' Arguably, by creating a distinct regulated activity rather than clarifying that this activity is a type of sale, many cross-context behavioural activities (i.e. those without valuable consideration provided directly in exchange for the data disclosure) would now be excluded from the definition of 'sale' and implicate only sharing and not sales. In addition, the new definition and provisions regulating the use and disclosure of sensitive PI cover precise geolocation data and other data used in interest-based advertising.
As a result, as if businesses have not struggled enough with the vexing 'Do Not Sell' right under the CCPA, in particular as it relates to digital advertising, they will have to grapple with four seemingly overlapping consumer rights under the CPRA:
- Do Not Sell;
- Do Not Share;
- Do Not Profile; and
- Limit the Use of Sensitive PI.
Moreover, some consequential revisions open the door to a possible opt-in regime. The CPRA's implications on adtech are beyond the scope of this article and are expected to be one of the key topics to be addressed during rulemaking.
Vendors and contracting requirements
Under the CPRA, businesses are explicitly required to have agreements in place with parties to whom they disclose information, such as service providers and contractors, or third parties to which they sell or with which they share PI. Under the CCPA, it was implicit for service providers and contractors, with the effect of not having a contract in place being that the disclosure is a sale, and there was no contracting requirement for third party sales. Now, without having a contract in place with a data recipient, businesses will be in violation of the CPRA and subject to enforcement.
Service providers, and now contractors, are more restricted on the face of the CPRA in their processing activities than they are under the CCPA, including with respect to combining PI received from different customers. This is specifically said, however, to be subject to expansion in the regulations. In particular, the Agency must issue regulations defining the 'business purposes, including other notified purposes, for which service providers and contractors may use consumers' personal information received pursuant to a written contract with a business, for the service provider or contractor's own business purposes.' Service providers and contractors are explicitly required to assist in consumer requests under the CPRA. Under the CCPA, this was only explicitly required where negotiated in agreements with businesses and was otherwise only implicitly provided for. As mentioned, the scope of PI recipients' deletion obligations upon receipt of notice from the disclosing party, and of their further downstream deletion obligations, is not entirely clear and will need to be addressed in the regulations.
As discussed, the new vendor category of 'contractor' has been added alongside the existing 'service provider,' though it reflects an undefined type of vendor that the CCPA described as not being a third party, thereby carving disclosures to this type of party out of the definition of sale. This was a source of much confusion. Creation of a defined term makes clear that there are two types of regulated vendors. While there remain subtle differences between the two classifications, it seems that for the majority of vendors, service provider will still be the proper classification, though businesses will have to determine how to classify their vendors on a case-by-case basis.
The CPRA is 52 pages long, half of which are either additions or revisions. Given the ballot initiative process, there will be no legislative history to inform rulemaking or judicial interpretation. There is a four-page statement of intent that provides some general guidance as to what the CPRA aims to accomplish, but at a 60,000-foot level. One positive statement of intent is that HR and B2B data subjects are intended to be treated differently than traditional consumers, leaving open the door for substantial revisions, prior to the 1 January 2023 sunset, as to how those individuals' 'consumer' rights will be treated. Otherwise, the CPRA essentially locks in consumers' rights and businesses' obligations, prohibiting legislative amendment that would conflict with the stated intent. However, the new Agency is given broad authority to refine the law through regulatory rulemaking. This is good, since the CPRA, like its predecessor, the CCPA, is in many places confusing, internally conflicting or conceptual, without guidance on how to practically apply it to real-life use cases. What is certain, however, is that there is no turning back for America. Just as the 2020 election will have a material impact on the direction of the nation's executive branch, the CPRA will change the direction of privacy law in the United States, and that could have broader and longer-lasting effects on both consumers and commerce than which political party holds the White House for the next four years.