California voters appear to have approved Proposition 24, a proposal to adopt the California Privacy Rights Act of 2020 (CPRA). As of this posting, California voters had voted “yes” on the measure by a 55-44% margin with 71% of precincts reporting. Most major media outlets have projected that the measure will pass, signaling what appears to be a decisive win at the ballot box in spite of opposition from privacy advocates who claimed it did not go far enough.
The CPRA more closely aligns California’s data privacy laws with the European Union’s General Data Protection Regulation (GDPR) by making sweeping changes to the California Consumer Privacy Act of 2018 (CCPA), which took effect on January 1, 2020. The new requirements that businesses face under the CPRA do not take effect until January 1, 2023. In addition, the law will give businesses more time – until January 1, 2023 – to comply with most CCPA requirements applicable to personal information about company personnel and business-to-business contacts (we previously described the HR exemption here and the business-to-business exemption here). Other provisions with immediate effect establish and fund the California Privacy Protection Agency (CPPA), a new regulatory body tasked with enforcing the CPRA, and give rulemaking authority under the CPRA first to the California Attorney General, and ultimately, to the CPPA.
Some of the CPRA’s notable provisions include:
- Restrictions on sharing data – The CPRA gives California residents the right to opt out of the sharing of their personal information for the purposes of “cross-context behavioral advertising”. This right moots the debate about whether Californians can block such sharing by exercising their right under the CCPA to opt out of the “sale” of personal information.
- Sensitive personal information – The CPRA creates a new category of “sensitive personal information” (including government-issued identification numbers, payment card data, account credentials, precise geolocation, race, ethnicity, religious or philosophical beliefs, union membership, content of private communications, genetic data, health data, biometric data and sex life/sexual orientation information) and gives California residents a right to restrict a business’s ability to use and sell that information.
- Higher fines for violations involving children – The CPRA provides for administrative fines of up to $7,500 per violation where the business has actual knowledge that affected individuals included children under 16 years of age.
- New governance requirements – The CPRA imposes a number of new governance requirements that emulate the GDPR, including requirements to adopt and disclose data retention periods, undergo independent cybersecurity audits with respect to certain higher risk data processing to be defined in future regulations, and to submit risk assessments about such data processing to the CPPA.
- New individual rights – Again emulating the GDPR, the CPRA expands Californians’ rights under the CCPA by adding a right to correction of inaccurate personal information and a right to be informed about, and to opt out of, the use of personal information for certain automated decision-making and profiling.
- New contracting requirements – The CPRA specifies data protection provisions that must be included in a business’s contracts with vendors and partners entrusted with access to personal information.
- Greater small business relief – The CPRA excludes from the definition of a regulated “business” any business that does not (i) have annual gross revenues of more than $25 million, (ii) annually buy, sell or share personal information of 100,000 or more California residents, or (iii) derive 50 percent or more of its annual revenues from selling or sharing California residents’ personal information. These thresholds will exclude from the CPRA’s scope many businesses currently subject to the CCPA, which applies not only to any “business” as defined in the CPRA, but also to any for-profit entity or sole proprietor that does business in California and annually buys, receives for commercial purposes or sells personal information of 50,000 or more California residents or households.
Businesses have a little more than two years to prepare for the CPRA’s substantive provisions to take effect. However, given the considerable challenges posed by the new requirements, businesses would be well-advised to start addressing the CPRA as part of their 2021 compliance initiatives. Look for additional coverage of CPRA developments and guidance on how to address the CPRA’s requirements in future posts.