California Voters Pass the Privacy Rights Act – What “CCPA on Steroids” Means for Businesses and Consumers
November 15, 2020
By Richard B. Newman. He is an advertising practices attorney at Hinch Newman LLP. He regularly handles complex digital marketing issues, such as FTC and state attorneys general lawsuits and investigations, TCPA and spam email litigation defense, online intellectual property infringement, performance marketing agreements and tech related matters.
On November 3, 2020, California voters approved Proposition 24 – the California Privacy Rights Act of 2020 (“CPRA”). The CPRA amends and revises certain provisions of the 2018 California Consumer Privacy Act (“CCPA”).
When the CCPA was enacted in 2018 it created new data privacy rights for certain California-based “consumers” and required covered “businesses” and “service providers” to comply with its onerous privacy framework. The nature and the extent of the CPRA’s regulatory requirements greatly exceed those of the CCPA.
In effect, the CPRA has directly made several substantive amendments to the CCPA. Without limitation, the CPRA imposes new responsibilities, obligations and liabilities on businesses and service providers, establishes new data privacy rights for California residents, requires businesses to offer an opt-out from most types of targeted advertising and creates a privacy protection state regulatory agency empowered to enforce California privacy law and prosecute non-compliance.
CPRA Statement of Intent
The CPRA includes a statement of intent that provides some general guidance as to what it aims to accomplish. Generally, the purpose and intent of the CPRA is to further protect consumers’ rights, including the constitutional right of privacy.
The CPRA is guided by the following principles:
(i) Consumer rights to know who is collecting their personal information and that of their children, how it is being used, and to whom it is disclosed, so that they have the information necessary to exercise meaningful control over businesses’ use of their personal information and that of their children;
(ii) Consumers should be able to control the use of their personal information, including limiting the use of their sensitive personal information, the unauthorized use or disclosure of which creates a heightened risk of harm to the consumer, and they should have meaningful options over how it is collected, used, and disclosed;
(iii) Consumers should have access to their personal information and should be able to correct it, delete it, and take it with them from one business to another;
(iv) Consumers or their authorized agents should be able to exercise these options through easily accessible self-serve tools;
(v) Consumers should be able to exercise their rights without being penalized for doing so;
(vi) Consumers should be able to hold businesses accountable for failing to take reasonable precautions to protect their most sensitive personal information from hackers and security breaches;
(vii) Consumers should benefit from businesses’ use of their personal information; and
(viii) The privacy interests of employees and independent contractors should also be protected, taking into account the differences in the relationship between employees or independent contractors and businesses, as compared to the relationship between consumers and businesses.
Service providers are more restricted on the face of the CPRA in their processing activities than under the CCPA, including with respect to combining personal information (“PI”) received from one customer with PI received from other customers. However, this may be subject to expansion when the privacy protection agency issues regulations defining the “business purposes, including other notified purposes, for which service providers and contractors may use consumers’ personal information received pursuant to a written contract with a business, for the service provider or contractor’s own business purposes.”
Human resources and B2B data subjects are intended to be treated differently than traditional consumers under the CPRA. It is anticipated, prior to January 1, 2023, that there will be numerous revisions with respect to how those individuals’ “consumer” rights will be treated.
How Does the CPRA Amend the CCPA?
As touched upon above, the CPRA amends the CCPA in various ways and businesses must revisit previously implemented CCPA compliance measures.
The CPRA amends and clarifies the thresholds for the types of “businesses” covered by the CCPA by modifying the underlying criteria, including gross revenue and the scope of data processing activities. For entities subject to the CCPA solely due to the volume of PI collected, the CPRA increases the numerical threshold from 50,000 to 100,000 consumers or households and omits the reference to devices. Note that some entities covered only under the lower 50,000 threshold may remain subject to the CCPA until the CPRA becomes operative in 2023 and then fall outside the law altogether. The CPRA also clarifies that the revenue threshold is measured against the revenue a business generated during the preceding calendar year.
CCPA was “do not sell.” Now, it is also “do not share.” The CPRA provides consumers with the right to opt-out of the “sharing” of personal information, through any means, with third parties for “cross-context behavioral advertising,” regardless of whether money or other valuable consideration changes hands. The broad definition of “share” is a significant restriction. Lead generators that engage in these activities may be required to display “prominently and conspicuously” on their home pages a “Do Not Sell or Share My Personal Information” link to ensure that Californians can opt-out.
Note that the CCPA previously provided a “service provider” designation for businesses to use to process personal information collected by another company without the “sharing” of that data being considered a “sale.” However, because the CPRA expressly discusses “cross-context behavioral advertising,” the service provider designation (e.g., ad tech vendors) is no longer a valid exemption for this purpose and, without limitation, downstream vendors will also have to comply with data subject requests.
“De-identified” information is now defined in a more flexible manner, to wit, information that cannot reasonably be used to infer information about, or otherwise be linked to, a particular consumer. Information will be considered de-identified only if the business that “possesses” the information takes reasonable measures to ensure the information cannot be associated with a consumer or household, publicly commits to maintaining the information in a de-identified form and does not attempt to re-identify it, and contractually obligates recipients of the de-identified information to take reasonable measures to maintain it in de-identified form and not re-identify it.
Next, the CPRA imposes new contracting requirements. Specifically, it requires businesses to have agreements in place with parties to whom they disclose information, such as service providers and contractors (a new category), and third parties (not previously subject to any contracting requirement) to which they sell or with which they share PI.
Such agreements must include specific provisions. For example and without limitation, in order to satisfy other data protection laws or in preparation for when the CCPA exemption period expires, organizations should ensure that B2B contracts incorporate limited use clauses, clauses that address the exchange and use of contact and professional information related to employees and agents, clauses creating rights for the parties to use such data for business purposes, clauses establishing obligations that employee contact data be accurate, and clauses that address breach notice and remediation.
Consistent with responsible lead generation and legitimate data use best practices, businesses must identify the “limited and specified” purposes for which the recipient of personal information processes that information, and they must prohibit service providers and contractors from combining the information they receive from the business with information received from other entities.
The CPRA also more clearly describes “sensitive personal information.” It includes Social Security numbers, credit card numbers, sexual orientation, the contents of communications and, notably, precise geolocation. Consumers possess the right to limit its use to what is “necessary to perform the services or provide the goods reasonably expected by an average consumer” or to perform specifically enumerated “business purposes.” A separate “Limit the Use of My Sensitive Personal Information” link may also be required to comply with the CPRA.
Additionally, the CPRA provides California residents the right to request that businesses correct any “inaccurate” personal information in their custody and control. Californians must be provided with notice of this right and businesses must “use commercially reasonable efforts” to comply with data correction requests in the event that the data is inaccurate based on the context and purpose for which it is being processed.
The CPRA also clarifies that the CCPA’s clauses prohibiting businesses from providing different prices or discounts in exchange for personal information do not prohibit the offering of a loyalty, premium feature or discount program. However, opt-in consent for such programs is required, and a business must wait at least twelve months before again asking a consumer to join a program the consumer has previously declined.
The CPRA extends the employment-related personal data compliance exemption deadline until January 1, 2023, and prohibits businesses from retaliating against employees, job applicants or independent contractors for exercising their rights under the law. By way of reminder, with some exceptions, the personal information that employers collect from their employees is exempt from the CCPA, provided the personal information is collected and used within the context of the employment relationship. However, the CCPA still requires businesses to formally notify employees, job applicants and contractors as to the categories of personal information they are collecting and the purpose for which it would be used. The CCPA also largely exempts from its scope certain personal information that is derived from written communications or transactions between a business and an individual that is acting on behalf of a third party, provided the communications or transactions solely relate to conducting due diligence, or providing or receiving a product or service to, or from, the third party. However, businesses must still provide such individuals with notice of the right to opt-out of the “sale” of their personal information, if applicable.
The CPRA also clarifies the exception for publicly available data by expanding it to include “information that a business has a reasonable basis to believe is lawfully made available to the general public by the consumer or from widely distributed media; or information made available by a person to whom the consumer has disclosed the information if the consumer has not restricted the information to a specific audience.” It also excludes “lawfully obtained, truthful information that is a matter of public concern.” Publicly available information is carved out of the definition of PI. However, it can potentially become regulated PI once it is combined with personal information.
The CPRA’s new regulatory agency – the California Privacy Protection Agency (“PPA”) – is empowered to implement and enforce the CCPA. The PPA is also empowered to investigate and conduct compliance hearings regarding businesses, service providers and contractors, to impose administrative fines and to engage in rulemaking.
The CPRA Borrows a Number of Concepts From the GDPR
The CPRA borrows a number of information governance concepts from the GDPR, including:
(i) Adoption of data minimization measures to limit the “collection, use, retention and sharing” of PI to what is reasonably necessary and proportionate to achieve the purposes for which it is collected;
(ii) Disclosure of retention periods for each category of PI collected;
(iii) Adoption of reasonable security measures with respect to all PI, not just the more sensitive PI covered by California’s data breach notification law;
(iv) Compliance with regulations to be developed that will limit the ability to use PI for automated decision-making; and
(v) Compliance with regulations to be developed that will require risk assessments where processing presents a “significant risk to consumers’ privacy and security.”
The primary distinction between the CPRA and the GDPR is that the CPRA is an opt-out regime, whereas the GDPR is structured around opt-in consent. Some revisions of consequence, however, open the door to a possible opt-in regime.
“Contractor,” “Cross-Context Behavioral Advertising” and “Sharing” Defined
The CPRA has added a defined category of party called “contractor” in addition to the existing “service provider.” It reflects an undefined type of vendor articulated in the CCPA as not being a third party. So, there are two types of regulated vendors with subtle differences between them. Arguably, for the majority of vendors, service provider will still be the proper classification. However, businesses should consult with regulatory compliance and defense counsel to properly assess vendor classification.
“Cross-Context Behavioral Advertising” is defined as “the targeting of advertising to a consumer based on the consumer’s personal information obtained from the consumer’s activity across businesses, distinctly-branded websites, applications, or services, other than the business, distinctly-branded website, application, or service with which the consumer intentionally interacts.” This definition clearly covers traditional interest-based advertising activities and is directly invoked in the new concept of “sharing.”
The concept of “sharing” has been introduced and includes the same transfer activities found in the definition of sale (e.g., “making available”), but applies only in the context of cross-context behavioral advertising. There is no requirement of consideration for a transfer of PI to be considered “shared.” Arguably, by creating a distinct regulated activity rather than clarifying that this activity is a type of “sale,” many cross-context behavioral activities (i.e., those without valuable consideration provided directly in exchange for the data disclosure) might be excluded from the definition of “sale” and implicate only sharing, not sales.
Consumer Rights and Business Obligations
New consumer rights include the right to correction of inaccurate information and the right to opt-out of sharing in the context of “cross-context behavioral advertising.” Businesses are required to have a button or link that states “Do Not Sell or Share My Personal Information,” but the CPRA seems to also provide the option of stating only “Do Not Share My Personal Information” if the business does not also sell PI. Consumers also have the right to limit businesses’ use of sensitive PI to certain processing activities (certain internal business purposes, expressly excluding advertising and marketing). There will also be control over profiling and sharing; the latter is limited to cross-context behavioral advertising and does not require consideration.
The CPRA does not resolve the debate between the Interactive Advertising Bureau and the Digital Advertising Alliance as to whether publishers/lead generators or AdTech companies are responsible for honoring the corresponding opt-out when utilizing cookies and other tracking technologies. There is no industry consensus as to how publishers/lead generators and tracking technology operators should comply with a consumer’s do-not-sell opt-out request. Until further regulatory guidance from the California OAG is provided, it is probably best practice for privacy notices and consumer rights request messaging to clearly explain the approach being taken, along with the scope and limitations of the consumer choice offered.
Interestingly, businesses are exempt from certain opt-out requirements if they allow “consumers to opt-out of the sale or sharing of their personal information and to limit the use of their sensitive personal information through an opt-out preference signal.” Apparently, the CPRA would permit businesses to disregard global opt-out signals sent by platforms or other mechanisms if they offer the traditional Do Not Sell/Share options on their online properties.
Importantly, the CPRA would make opting-in to downstream sales and sharing more viable. Under the CCPA, disclosures are excluded from sale if the “consumer uses or directs the business to intentionally disclose personal information or uses the business to intentionally interact with a third party, provided the third party does not also sell the personal information, unless that disclosure would be consistent with the provisions of this title.” Under the CPRA, the prohibition against onward sales – and now also sharing – has been removed.
Businesses are also now required to notify all parties to whom personal information was disclosed regarding a deletion request, not just service providers. In fact, service providers and contractors must pass notice down to any service providers, contractors or third parties with whom they have shared the information. While the CPRA discusses exceptions for service providers’ and contractors’ deletion obligations after receiving a request from a business, it is silent as to third parties’ deletion obligations.
With respect to access and right to know/correction requests, the lookback period can be extended beyond 12 months by regulation, as is already the case with deletion. The PPA is expected to issue regulations addressing when providing information beyond 12 months would be “impossible or would involve a disproportionate effort.”
Under the CPRA, service providers and contractors are expressly required to assist in consumer requests. Under the CCPA, this was only explicitly required where negotiated in agreements with businesses.
Consistent with Federal Trade Commission recommendations for businesses, a business’ collection, use, retention and sharing of a consumer’s PI must be reasonably necessary and proportionate to achieve the purposes for which the PI was collected or processed or for another disclosed purpose that is compatible with the context in which the PI was collected and not further processed in a manner that is incompatible with those purposes.
The foregoing is also consistent with FTC attorneys’ perspectives on lead generation as it pertains to transparency and reasonably anticipated use of consumers’ information. A business must disclose how it collects and uses personal information, its intended retention period by category of PI (if not possible, the basis for calculating retention periods), and how Californians can exercise their rights and choice. A business should only collect consumers’ personal information for specific, explicit and legitimate disclosed purposes, should not retain it for longer than reasonably necessary for the purposes disclosed at the time of collection, and should not further collect, use, or disclose consumers’ personal information for reasons incompatible with those purposes.
Businesses should provide consumers or their authorized agents with easily accessible means to allow consumers and their children to obtain their personal information, to delete it, or correct it, and to opt-out of its sale and the sharing across business platforms, services, businesses and devices, and to limit the use of their sensitive personal information.
Businesses should not penalize consumers for exercising these rights, and should take reasonable precautions to protect consumers’ personal information from a security breach. Penalties will likely be higher when violations affect children.
Enforcement Authority
The CPRA provides that “[b]usinesses should be held accountable for violating the law through vigorous administrative and civil enforcement.”
Any “person” – any individual or organization, including consumers, competitors, vendors, customers, consumer advocacy groups and other parties – may bring a CPRA complaint about a business’s privacy practices to the Privacy Protection Agency.
The Privacy Protection Agency may also investigate possible violations on its own initiative, and will have discretion “not to investigate or decide to provide a business with a time-period to cure the alleged violation.” There is a five-year statute of limitations for the PPA’s administrative actions, which can be tolled if violations were fraudulently concealed.
Both the California AG and the PPA will have enforcement authority. The PPA can fine businesses $2,500 per violation of the CPRA, or $7,500 for violations it deems “intentional” or that involve the personal information of consumers under 16. However, the OAG cannot bring a civil action based on a violation that has already been the subject of an administrative decision or order.
CPRA’s Key Dates
The CPRA becomes operative on January 1, 2023. However, most of the CPRA is not enforceable until July 1, 2023, and only as to violations that occur on or after that date. Businesses should nonetheless start planning now, because there will be a lot of activity in the years preceding enforcement and the core provisions will take time to implement. For example, the CPRA applies to personal information collected on or after January 1, 2022. Thus, businesses may need to differentiate between PI collected before and after that date.
Miscellaneous
The CPRA also introduces the concept of a third party controlling the collection of PI. The third party controller can meet its pre-collection notice obligations by providing the required information prominently and conspicuously on the Home page of its Internet website – similar to how data brokers would meet their obligations without the registration requirement.
Summary:
The CPRA amends and replaces portions of the CCPA in a number of ways that both remove areas of ambiguity for lead generators and shift the ground beneath companies that are trying to comply. The CPRA is set to take effect on January 1, 2023, but will apply to data collected from January 1, 2022. The CPRA requires businesses to redo compliance work they completed for the CCPA. Those covered by the law should promptly begin to modify CCPA compliance programs to conform to the CPRA’s new requirements. Lead generators should begin to think critically about how they track, use, dispose of and manage data on an ongoing basis. For some, data mapping and implementing an operational privacy impact assessment could take months or even years. Query whether the CPRA ultimately provides the basis for other state privacy laws and/or federal data privacy legislation.
Informational purposes only. Not legal advice. May be considered attorney advertising.