On January 1, 2023, the California Privacy Rights Act (CPRA) went into full force and effect, heralding a new era of statewide personal information (PI) regulation. The CPRA provides even more protection for California consumers’ privacy rights than previously established under the California Consumer Privacy Act of 2018 (the CCPA).
The CPRA is an addendum to the CCPA, functioning as a series of significant amendments to the existing law. The CCPA applies to any for-profit entity doing business in California that collects, shares, or sells California consumers’ personal data and meets at least one of the three following criteria: (i) gross revenues exceed $25 million (total, not just in California); (ii) it possesses the PI of 50,000 or more California consumers, households, or devices; or (iii) it earns more than half its annual revenue from selling California consumers’ PI.
The CPRA extends the threshold reach of California’s requirements to any entity that owns, is owned by, or shares common branding with a covered business. It also extends its regulatory reach to a third group of applicable entities: joint ventures or partnerships made up of businesses in which each business has at least a 40% interest. The joint venture or partnership itself, and each business that composes the joint venture or partnership, will be separately considered a single business for purposes of CPRA enforcement. Furthermore, the CPRA holds businesses responsible for how third parties use, share, or sell PI when the business was the one to collect the PI in the first place.
The CPRA also creates a new category of PI—sensitive PI (SPI), regulated separately from normal PI. SPI includes: data on race and ethnicity; religious beliefs, political and philosophical convictions; data on sex life and sexual orientation; genetic and biometric data; health data; geolocation data; social security and driver license numbers; and financial information.
The CPRA introduces four new consumer privacy rights and expands the five existing rights under the CCPA. The four new CPRA rights are:
- Right to correction: California residents can request to have inaccurate PI and SPI corrected;
- Right to know about automated decision-making: California residents can request access to and knowledge about how a business’s automated decision technologies work and the probable outcomes of using such technologies;
- Right to opt-out of automated decision-making: California residents can opt out of their PI and SPI being used to make automated inferences (e.g., profiling, behavioral advertising); and
- Right to limit use of SPI: California residents may restrict a business’s use of SPI (particularly in regard to third-party sharing).
The five modified CCPA rights are:
- Right to delete is expanded to require businesses to notify third parties of California residents’ requests to delete PI;
- Right to know what PI is collected by a business is extended past the previous 12-month collection timeframe in the CCPA;
- Right to opt-out is expanded to not only allow California residents to opt out of the sale of PI, but also to opt out of a business sharing and selling PI specifically for behavioral advertising;
- Rights of minors are extended to require that minors opt in to a business’s sharing of PI for behavioral advertising; and
- Right to data portability is expanded to allow California residents to request to have their PI transported to other businesses or organizations.
Practically speaking, businesses will need to get California consumer consent in more scenarios than before. The CPRA revamps the CCPA’s previous requirements for how businesses’ websites enable consumers to opt out of having their PI sold or shared, and adds requirements around how websites enable users to exercise their right to limit SPI use. Businesses should consult legal counsel to ensure compliance with the CPRA. Enforcement is set to begin by the newly established California Privacy Protection Agency (the CPPA) on July 1, 2023, with a look-back period to data collected from January 1, 2022. The CPPA can investigate possible violations on its own initiative, administering fines as penalties on a per-violation basis.
At both the state and federal level, there is no shortage of legislative and regulatory activity surrounding data privacy. Businesses should continue to consult with legal counsel to ensure compliance with the CCPA, the CPRA, and other relevant privacy regulations.
This client alert is prepared for the general information of our clients and friends. It should not be regarded as legal advice. If you have any questions regarding this update, or for more information about this topic, please contact any of the attorneys in our Information Privacy & Security Practice Group, or the attorney with whom you normally consult.