with contributing authors Garylene D. Javier and John Georgievski
Despite all the significant privacy safeguards ushered in by the CCPA, additional legislation is in the works in the form of the California Privacy Rights Act of 2020. Attorneys from Buckley LLP discuss how the acts differ and what businesses need to know to stay compliant.
The California Consumer Privacy Act (CCPA), the state’s landmark privacy regulation, became effective only eight months ago – and yet, the California Privacy Rights Act of 2020 (CPRA), a modified version of the CCPA, has garnered enough support to appear on the November 2020 ballot in California.[1] Early polling indicates that Californians are likely to vote in favor of passage, with nearly nine in 10 California voters saying they would support a ballot initiative that expands privacy protections for consumers’ personal information.[2]
The CPRA would make a number of changes to the CCPA, including by expanding consumer rights; creating a new category of “sensitive personal information,” such as financial information (although the Gramm-Leach-Bliley Act exemption is retained); and creating a new state agency to regulate and enforce privacy laws. Businesses should be aware of how the CPRA may modify the CCPA so they can plan now for changes to their compliance plans and privacy practices. Here, we highlight six key changes the CPRA would effect:
1. New and Expanded Consumer Rights
The CPRA preserves consumer rights central to the CCPA, such as the right to delete, know and opt-out of sale of personal information. But the CPRA also builds on these consumer rights in a few key areas:
The Right to Correct
The CPRA would provide consumers with a new right to correct inaccurate personal information, which would require a business to use commercially reasonable efforts to correct the inaccurate personal information upon request. This right mirrors Article 16 of the European Union’s General Data Protection Regulation, which grants a data subject the right to correct inaccurate personal data and complete incomplete personal data. This right also is similar to that provided under the Fair Credit Reporting Act (FCRA), which grants consumers the right to dispute incomplete or inaccurate information in the credit reporting context.
The Right to Opt Out of Sharing
The CCPA permits a consumer to opt out of the sale of their personal information to third parties; the CPRA goes a step further to allow consumers to opt out of the sharing of their personal information with third parties, although the definition of “sharing” is limited. The CPRA revises the definition of “sale” to remove the reference to sharing with another business: a “sale” would be transferring or making available, etc., a consumer’s personal information to a third party for monetary or other valuable consideration, subject to certain exceptions. The CPRA also revises certain of the exemptions to the definition of “sale.” In addition, the CPRA would add to the CCPA a definition of “sharing,” meaning transferring or making available, etc., a consumer’s personal information by the business to a third party for cross-context behavioral advertising, whether or not for monetary or other valuable consideration. However, certain transfers of personal information would not constitute “sharing,” including where the consumer directs the business to intentionally disclose personal information.
The Explicit Prohibition of Retaliation
The CPRA largely preserves the CCPA’s nondiscrimination provisions, and also would explicitly prohibit retaliation against an employee, applicant for employment or independent contractor for exercising their rights. This enhanced safeguard aligns with the ballot initiative’s intent to grant individuals greater power to control the use and access to their personal information.
2. Changes in Entity Coverage
The CPRA would make several changes to the definition of a “business” that may result in fewer businesses subject to the CPRA. The CPRA would:
- Increase the threshold for the collection of personal information. A “business,” as defined by the CCPA, is a for-profit entity that, alone or in combination, annually buys, receives, sells or shares the personal information of 50,000 or more consumers, households or devices. The CPRA would increase the threshold to 100,000, and the threshold would only apply to consumers or households and not extend to devices.
- Clarify when monetary thresholds should be calculated. A monetary threshold of $25 million would be determined as of January 1 by measuring the gross revenues of the preceding calendar year.
- Add to the definition of “business” a joint venture or partnership composed of businesses in which each business has at least a 40 percent interest. The joint venture or partnership and each business that composes the joint venture or partnership would separately be considered a single business.
The CPRA also would make changes to the definitions of “service provider” and “third party,” and would add a definition of “contractor”:
- Service Provider: The CPRA would amend the definition of a “service provider” to require, for example, that the written contract between the service provider and the business expressly prohibit the service provider from combining personal information it receives from or on behalf of the business with personal information it receives from other persons or collects from its own interaction with the consumer. It also removes the requirement that the service provider contract include a certification. These changes may require a review of service provider agreements that currently comply with the CCPA.
- Third Party: The CPRA would clarify the definition of “third party” to specifically exclude service providers, contractors and the business with whom the consumer intentionally interacts. Significantly, the CPRA would require a business that shares or sells personal information to a third party to have an agreement with the third party that imposes the same restrictions as a service provider agreement. Among other things, the agreement would specify that the personal information is sold or disclosed by the business “only for limited and specified purposes.” This change corresponds with the revision to the definition of “sale” to limit its definition to sales between a business and third parties and not a business and any other entity.
- Contractor: The CPRA would add the definition of a “contractor” — a person to whom the business makes available a consumer’s personal information for a business purpose pursuant to a written contract with the business, provided that the contract imposes certain restrictions on the contractor’s ability to sell, share, retain, use or disclose the personal information. The required contract terms between a business and a contractor are similar to those required for a service provider, although the contractor must certify compliance with them.
3. Addition of “Sensitive Personal Information” Definition
The CPRA would create a new “sensitive personal information” definition, which would include, among other things, some financial information (e.g., financial account, debit card or credit card number, in combination with a required security or access code), precise geolocation, the consumer’s racial or ethnic origin, the contents of a consumer’s mail and electronic mail (unless the business is the intended recipient of the communication) and the consumer’s genetic data. The definition also would encompass processing of biometric information for purposes of identifying a consumer. Notably, sensitive personal information collected, processed, sold or disclosed subject to the federal Gramm-Leach-Bliley Act is still exempt from much of the CPRA.
The CPRA would grant consumers specific rights with respect to this category of personal information. In addition to opting out of the sale of their sensitive personal information, the CPRA would permit a consumer to limit the use and disclosure of sensitive personal information except as “necessary to perform the services or provide the goods reasonably expected by an average consumer who requests such goods and services,” among other things. A business would be obligated to post a clear and conspicuous link on its website titled, “Limit the Use of My Sensitive Personal Information” to enable a consumer to exercise this right.
4. Changes in Enforcement and Oversight
The CPRA would create a new privacy agency, the California Privacy Protection Agency (privacy agency), that would be responsible for administering, implementing and enforcing the CPRA, including by way of administrative actions for violations. The privacy agency would be governed by a five-member board composed of Californians with privacy, technology and consumer rights expertise, appointed by the governor, the California attorney general (AG), the Senate Rules Committee and the speaker of the assembly. The privacy agency would be tasked with providing guidance to businesses and consumers regarding their duties and rights, respectively, under the CPRA.
The privacy agency also would have the authority to fine entities that violate any provision of the CPRA up to $2,500 for each violation, or up to $7,500 for each intentional violation. Further, each violation involving the personal information of consumers who the business, service provider, contractor or other person has actual knowledge are under 16 years old would incur the heightened administrative fine of $7,500. The AG would continue to have authority to file civil actions against entities that violate the CPRA and to recover civil penalties in the amounts described above. Notably, the CPRA would eliminate the CCPA’s 30-day cure period before a violation may be found.
5. Data Breach Private Right of Action is Modified
The private right of action under the CPRA would apply to nonencrypted and nonredacted personal information that is subject to a data breach. In contrast, the CCPA provides a right of action with respect to nonencrypted or nonredacted personal information that is subject to a data breach; under the CPRA’s wording, both conditions must be met, so personal information that was either encrypted or redacted would fall outside this particular right of action. Additionally, the CPRA extends the private right of action to a consumer whose email address, along with a password or a security question and answer that would permit account access, is subject to unauthorized access or similar disclosure as a result of the business’s failure to implement and maintain reasonable security practices and procedures. The CPRA would further clarify that the implementation and maintenance of reasonable security procedures and practices following a breach “does not constitute a cure with respect to that breach.” Taken together, these provisions may increase the potential for liability due to data breaches, placing an even greater emphasis on the need for encryption and redaction of personal information.
Separately, the CPRA would direct the AG to draft regulations requiring businesses whose processing of personal information “presents significant risk to the consumers’ privacy or security” to conduct annual cybersecurity audits. The business would be required to submit a risk assessment on a “regular basis” to the privacy agency that (1) notes whether the business processes sensitive personal information, and (2) identifies and weighs the benefits resulting from the processing to the business, the consumer and other stakeholders, and the public, against the potential risks associated with such processing. The goal of this analysis would be to restrict or prohibit processing “if the risks to privacy of the consumer outweigh the benefits resulting from processing[.]”
6. Exemptions Extended
While the CPRA would preserve many of the exemptions that already exist in the CCPA — including the GLBA and FCRA exemptions — it would make the following changes, among others:
- Personal information collected and subject to the Federal Farm Credit Act would be expressly exempt.
- With respect to the exemption for certain personal information collected from employees, owners, directors, officers, contractors of a business (i.e., the “employee exemption”), the sunset date for this exemption would be extended to January 1, 2023.
- The limited business-to-business exemption would also be extended until January 1, 2023.
Even if the CPRA does not pass in the fall, the California legislature recently passed Assembly Bill 1281, which would extend the employee exemption and the business-to-business exemption until January 1, 2022, if voters do not approve the CPRA.
Conclusion
With the prospect of the CPRA passing in November, entities that use, collect, share or sell California consumers’ personal information should become familiar with the new obligations the CPRA would impose.
If the CPRA is approved, the newly formed privacy agency would be required to begin drafting regulations starting on July 1, 2021, with final regulations to be completed one year later. The CPRA itself would not become effective until January 1, 2023, with enforcement delayed until July 1, 2023. However, the CPRA contains a look-back provision (i.e., the CPRA will apply to personal information collected by a business on or after January 1, 2022).
[1] Secretary of State, Initiative: #1879, Related to Consumer Privacy – Eligibility for Ballot (June 24, 2020).
[2] Californians for Consumer Privacy, ICYMI: Summary of Key Findings from California Privacy Survey (2019).