On November 3rd, 2020, the California Privacy Rights Act (CPRA), also known as Proposition 24, was approved, complementing the state’s data privacy regulations. The CPRA amends existing California law, the Consumer Privacy Act (CCPA) of June 28th, 2018.
The regulations not only affect businesses doing business in California, but also those advertising in the state, regardless where they are legally based. Therefore, compliance with the CCPA and CPRA is quite a big deal, considering California’s leading economy and highest overall population for a US state.
- Who is affected
- Consumer rights under the regulations
- CPRA: what are the main amendments?
- How to comply with the amendments
Who is affected
Businesses don’t need to be based in California to fall under the CPRA and CCPA. The two acts apply to all businesses that onboard California residents and/or fall under other criteria defined by the regulations. Let’s dive into the finer details.
What kinds of businesses fall under the regulations?
To fall under the regulations, businesses should meet at least one of the following conditions:
- having annual gross revenues of more than $25 million;
- buying or selling personal information of 50,000 or more users, households or devices for commercial purposes;
- earning more than half of annual revenue from selling consumers’ personal information.
- having annual gross revenues of more than $25 million in the preceding calendar year;
- buying, selling, or sharing personal information of 100,000 or more users or households;
- earning more than half of annual revenue from selling or sharing consumers’ personal information.
Definitions under the regulations:
Selling: “selling, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means, a consumer’s personal information by the business to another business or a third party for monetary or other valuable consideration”.
Sharing: “sharing, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means, a consumer’s personal information by the business to a third party for cross-context behavioral advertising, whether or not for monetary or other valuable consideration, including transactions between a business and a third party for cross-context behavioral advertising for the benefit of a business in which no money is exchanged”.
What are the new types of regulated businesses?
The CPRA amendments introduce the new types of businesses covered by the regulation:
- a joint venture or partnership, in which each business has at least a 40% interest matching the above-mentioned criteria;
- any business that voluntarily certifies to the regulation;
The CPRA also specifies that businesses also fall under the regulations if they share common branding with a regulated business. According to the amendments, common branding means “shared name, servicemark, or trademark that the average consumer would understand that two or more entities are commonly owned”.
Who are the other parties under the regulations?
Under the CCPA and CPRA, the regulation of personal information flows involves three counterparts to which businesses may entrust personal data:
- contractors, defined as a “person to whom the business makes available a consumer’s personal information for a business purpose, pursuant to a written contract”;
- service providers, defined as “a legal entity organized for profit that processes personal information on behalf of a business. Similar to the contractor, service providers receive data from businesses “for a business purpose, pursuant to a written contract”;
- third parties, defined as persons not covered by above-mentioned terms, constituting any counterpart to whom businesses “sell or share” personal information.
Transferring personal information to contractors and service providers is regulated by a written contract. The contract imposes restrictions on the use of personal information, banning the resale of personal data among others. Whereas entrusting personal information to third parties is regulated by other mechanisms, namely the users’ rights regarding their data.
Consumer rights under the regulations
Under the CCPA and the CPRA, personal information is anything that a business collects about its customers. This includes not only names and locations, but also IP addresses, cookies, and behavioral patterns that are deduced from user web engagement.
Covered businesses are obliged to provide California residents with mechanisms to take advantage of their privacy rights:
- to know what personal information is collected, as well as its sources, the purpose for which it is collected;
- to know whether their personal information is shared and with whom;
- to know whether their personal information is sold and to whom;
- to refuse “selling or sharing” of their personal information (to opt out of “selling or sharing”);
- to access their personal information;
- to ask a business to delete their personal information.
When a client exercises these rights, businesses are not allowed to refuse service or change the quality of their service.
CPRA: what are the main amendments?
The CPRA gives Californians more control over their privacy by adding new personal information rights and expanding existing ones. Among other updates, the law introduces a subcategory of personal information defined as “sensitive personal information” or SPI. Click the toggles for more details:
CCPA: The act only obliges businesses to provide access to delete or disclose personal information upon the user’s request.
CPRA: The act gives consumers the right to request correction if the data which is held about them is inaccurate. Businesses have 45 days to respond to such requests.
CCPA: The act doesn’t divide personal information into sub-categories. Consumers have the right to opt-out from the use of personal information in general.
CPRA: The act introduces the term “sensitive personal information” (SPI) which includes:
- social security, driver’s license, state identification card, or passport number;
- financial accounts, debit/credit card numbers with required security or access codes, and passwords;
- account login or any data allowing access to the account;
- race or ethnicity, religious and philosophical beliefs, or union membership;
- contents of mail, emails, or text messages;
- biometry, if it’s used for the purpose of uniquely identifying an individual;
- personal information concerning health, sex life or sexual orientation that is collected and is analyzed;
- genetic data;
- precise geolocation.
Under the CPRA, precise geolocation is any data that is derived from a device and that is used to locate a consumer within a radius of 1,850 feet or less.
The new act imposes obligations on businesses to inform users about the collection and usage of their sensitive personal information and provides them with mechanisms to opt out.
CCPA: A person can request a business to provide them with access to the personal data it has collected in the preceding 12-month period.
CPRA: The act provides individuals with the right to apply for access to any information collected, regardless of when it was collected or whether it was personally identifiable data. Businesses have 45 days to respond to such requests.
CCPA: The act allows users to refuse the sale of their personal information. The definition of “sale” does not explicitly include sharing.
CPRA: The act clarifies that people can opt out of both the sale and sharing of their personal information to third parties.
CCPA: The act gives users the right to sue a business for personal information data breaches.
CPRA: The act expands this to cover data breaches where the personal information that was exposed includes usernames and passwords.
The amount of civil penalties under the regulation depends on the type of violation:
- for an intentional violation – $7,500 per violation;
- for an accidental violation – $2,500 per violation.
Penalties are imposed in case businesses don’t rectify a violation within 30 days.
If an individual sues, the fines depend on whether data is harmed during the breach:
- for data breaches in which data is not harmed, consumers may collect between $100 and $750 for each instance;
- if harm is done, consumers may collect more than $750.
While the CPRA does not come into effect until January 1st, 2023, the amendments cover personal information collected as of January 1st, 2022.
How to comply with the amendments
Businesses that have already implemented measures to comply with the CCPA have a good head start. Still, transition to the CPRA will require them to conduct a thorough review of their existing data privacy policies. CPRA compliance should include adjusting privacy notices, contracts, and procedures of consumer rights response.
1. Updating privacy policies
Businesses must include information on new and expanded user rights and sensitive information handling. This includes:
- clarification of whether sensitive personal information is handled, the purpose of its handling, its categories and sources;
- explanation of user rights to access all information about them, regardless of the collection period;
All in all, businesses are recommended to revise their privacy policies and make sure they guarantee user rights and access to personal information.
2. Providing mechanisms for data correction
Businesses must ensure an advanced level of data access for consumers. This must include one of the following:
- giving consumers direct access to the tools they need to correct personal data;
- establishing a process for considering consumer’ requests within 45 days and modifying the data internally.
3. Implementing opt-out links
Businesses must update their opt-out options depending on the type of personal information they handle:
- if a business handles general personal information, they must include a “do not sell or share my personal information” link;
- if a business handles sensitive personal information, they must additionally include a “do not sell or share my sensitive personal information” link.
The links must be present on the homepage of the company’s website and should redirect users to the web page where they can choose settings to opt-out.
4. Revising contracts with contractors and service providers
Businesses disclosing personal information to contractors and service providers must follow the restrictions set by the regulation and write them into the contracts. These restrictions prohibit contractors from:
- the sale or sharing of personal information;
- the retention, use, or disclosure of personal information outside a direct relationship with the business;
Also, regulation prescribes contractors to undertake compliance certification. It is the business’s responsibility to monitor the certification of their contractors.
Compliance with CPRA means respecting new consumer rights definitions of personal information. Although businesses have to bear financial and administrative costs, by implementing the regulations’ requirements, they lay the groundwork for expanding in California—the state with the greatest consumer potential in the US.