California Voters Pass Proposition 24 – the California Privacy Rights Act
As expected, Californians voted on November 3, 2020, to adopt the California Privacy Rights Act (CPRA), better known as Proposition 24. The CPRA amends the California Consumer Privacy Act (CCPA) in subtle and significant ways that will require careful analysis and sufficient time to implement.
While the CPRA provides more time for businesses to come into compliance than the CCPA did, it also creates new complications for existing requirements, and imposes new responsibilities. The amended law will require businesses to offer an opt-out from most types of personalized or targeted advertising, and imposes new obligations for data minimization and limiting data retention. The CPRA also creates a new state agency, the California Privacy Protection Agency (the Agency), which will have rulemaking and enforcement authority.
Here is what you need to know now:
The Implementation Timeline Is Complex
The CPRA has two key dates: it becomes effective January 1, 2023, but is not enforceable until July 1, 2023, and only as to violations that occur after that date. However, businesses should start planning now because there will be a lot of activity in the years preceding enforcement.
First, the law applies to personal information (PI) collected after January 1, 2022, which means businesses may need to differentiate between PI collected before and after that date. Second, the Agency's leadership must be appointed by February 1, 2021, (90 days after the election) and the Agency is must create and publish final regulations by July 1, 2022. This timeline gives businesses effectively one year to come into compliance with the rules.
A More Holistic Data Protection Statute
Some criticized the CCPA for focusing too narrowly, in their view, on specific consumer rights and not enough on data governance. The CPRA addresses this perceived shortcoming by borrowing a number of information governance concepts from the European Union's General Data Protection Regulation (GDPR). For example, the CPRA requires businesses to:
- Adopt data minimization measures to limit the "collection, use, retention, and sharing" of PI to what is reasonably necessary and proportionate to achieve the purposes for which it is collected (see GDPR Article 5);
- Disclose retention periods for each category of PI they collect (see GDPR Article 13);
- Adopt reasonable security measures with respect to all PI (see GDPR Article 32), not just more sensitive PI covered by California's data breach notification law;
- Comply with regulations to be developed that will limit ability to use PI for automated decision-making (see GDPR Article 22); and
- Comply with regulations to be developed that will require risk assessments where processing presents a "significant risk to consumers' privacy and security."
Businesses therefore will need to think critically about how they track, use, and dispose of data and implement information lifecycle management on an ongoing basis. For large enterprises, such an undertaking could take years.
New Twists to Existing Obligations
The CPRA amends the CCPA in a number of ways that will require businesses to redo compliance work they completed for the CCPA.
- New Category of "Sensitive Personal Information": The CPRA creates a new category of Sensitive Personal Information that includes precise geolocation and the contents of communications. When businesses process such information to "infer[] characteristics about a consumer," the CPRA gives consumers the right to limit its use to when "necessary to perform the services or provide the goods reasonably expected by an average consumer" or to perform certain "business purposes" defined in the law.
- Right to Opt Out of "Sharing" and New Options for Formatting the Consumer Opt-Out Link: The CPRA expands the regulation of businesses' disclosures of PI by giving consumers the right to opt out of a new activity called "sharing." "Sharing" means the disclosure of PI to a third party for cross-context behavioral advertising, i.e., targeting based on a user's behavior across the internet, whether or not money is exchanged.
This expansion of the consumer's right to opt out is clearly designed to address some businesses' efforts to define "sale" narrowly to avoid publishing a "Do Not Sell My Personal Information" link on their websites and apps. However, recognizing that the word "sell" has a negative connotation in this context, the CPRA gives businesses the option to create a single link that businesses can label with less controversial language. - New Contracting Requirements: The CPRA requires businesses to include specific provisions in their contracts with service providers, contractors (a new category), and third parties (not previously subject to any contracting requirement). For example, businesses must identify the "limited and specified" purposes for which the recipient of personal information processes that information, and they must prohibit service providers and contractors from combining the information they receive from the business with information received from other entities.
Businesses that created service provider agreements with companies providing website and app analytics and tracking services likely will need to reevaluate whether those contracts are effective under the CPRA. - Clarification of Thresholds Required to Be a "Business": For entities subject to the CCPA solely due to the volume of PI collected, the CPRA increases the numerical threshold from 50,000 to 100,000 and drops the reference to devices.
This creates a bizarre framework, however, where entities may be subject to the CCPA until 2023, then no longer have to comply. The CPRA also clarifies that the revenue threshold is based on revenue that a business generates during the preceding calendar year.
- Clarification of the Exception for Publicly Available Data: The CPRA expands the scope of "publicly available" information to include "information that a business has a reasonable basis to believe is lawfully made available to the general public by the consumer or from widely distributed media, or by the consumer; or information made available by a person to whom the consumer has disclosed the information if the consumer has not restricted the information to a specific audience."
The CPRA also excludes information that is "lawfully obtained, truthful information that is a matter of public concern." Because publicly available information is not PI, and therefore not subject to the CPRA, this update will likely provide some flexibility where information is obtained from social media platforms and other sources where consumers frequently post information about themselves. However, the CPRA does not clarify whether publicly available information becomes personal information if a business combines it with personal information. - More Flexible Definition of "De-Identified:" De-identified information is now information that cannot reasonably be used to infer information about, or otherwise be linked to, a particular consumer.
Furthermore, information will be considered de-identified only if the business that "possesses" the information takes reasonable measures to ensure the information cannot be associated with a consumer or household; publicly commits to maintaining the information in a de-identified form and not attempt to re-identify it; and contractually obligates recipients of the de-identified information to take reasonable measures to maintain it in de-identified form and not re-identify it. This change aligns the definition with the FTC de-identification standard.
What Are the Next Steps?
While it may be tempting to delay compliance efforts until the CPPA issues its regulations, this would be a mistake, as the core requirements of the law are both unlikely to change and will take time to implement.
Building a data map, implementing end-of-data-lifecycle management, and designing a privacy impact assessment process will take most organizations several years. Further, businesses will have an opportunity to participate in the rulemaking process, but will only be able to do so if they have evaluated the operational impact of the law in areas where rulemaking is expected.