Not that long ago, in January 2020, the California Consumer Privacy Act (CCPA) entered into force. Shortly after that, a proposition was made to amend the CCPA, introducing a new privacy law in California, the CPRA. We reported here. Californians once more voted in favor of a new data protection law on November 3, 2020, and the new California Privacy Rights Act (CPRA) will take effect on January 1, 2023.
CCPA, CPRA – What’s The Difference?
The CPRA amends the CCPA in that it works as an addendum to it. After January 1, 2023, when the CPRA becomes effective, the CPRA will effectively replace the CCPA.
While both Acts have in common that they apply to businesses with an annual gross revenue of more than $25 million, a significant difference is that while the CCPA applies to businesses that derive at least 50% of annual revenue from selling consumer personal information, the CPRA is applicable to entities that derive at least 50% of their annual revenue from selling or sharing consumer personal information. This significantly amplifies the scope of applicability. On the other hand, the threshold number of affected consumers or households was increased from 50,000 to 100,000 per year.
As a consequence of these changes, some small or midsize businesses may not fall under the scope of the CPRA while still having to comply with the CCPA. The increase in the number of households as a threshold criterion may mean that fewer businesses will fall under that scope. On the other hand, the newly introduced criterion of “sharing” may potentially increase the number of businesses that fall under that scope, mainly larger companies that rely more heavily on the collection and sharing of personal information.
While some called the CCPA a “GDPR light” when it entered into force, the CPRA truly bears some resemblance with GDPR requirements. For instance, it codifies the principles of data minimization, purpose limitation, and storage limitation – all of which are also GDPR principles. Businesses will now also be required to disclose, at the time of data collection, the retention periods for each data category and are further prohibited from retaining personal information for longer than is “reasonably necessary” for each disclosed purpose.
a. New category of personal information “sensitive personal information”
The CPRA introduces the new category of “sensitive personal information”. Consumers now have the right to limit the use of their sensitive personal information. This new category bears some resemblance to Art. 9 GDPR. Sensitive personal information according to the CPRA means personal information that reveals:
- government-issued identification (such as social security number, driver’s license or passport number);
- financial account and login information (such as credit or debit card number together with login credentials);
- precise geolocation;
- racial or ethnic origin, religious or philosophical beliefs, or union membership;
- contents of nonpublic communications (mail, e-mail and text messages);
- genetic data;
- biometric or health information; and
- information concerning sex life or sexual orientation.
b. New and expanded consumer privacy rights
The following rights are new under the CPRA:
- Right to Correction: consumers may request correction of their personal information held by a business if that information is inaccurate.
- Right to Opt-Out of Automated Decision-Making Technology: consumers have the right to opt-out of the use of automated decision-making technology, including profiling, in connection with decisions related to work performance, economic situation, health, personal preferences, interests, reliability, behavior, location or movements.
- Right to Access Information about Automated Decision-Making: consumers may make access requests seeking meaningful information about the logic involved in the decision-making processes and a description of the likely outcome based on that process.
- Right to Restrict Sensitive Personal Information: consumers may limit the use and disclosure of sensitive personal information for certain secondary purposes, including prohibiting businesses from disclosing such information to third parties.
Some of the already existing rights from the CCPA have been expanded or modified, for example:
- Businesses now have a notification obligation towards third parties to delete consumer personal information they bought or received.
- The right to opt-out of the selling of personal information to third parties is now expanded to the sharing of personal information for cross-context behavioral advertising.
- The opt-in rights for minors and consumers in general have been strengthened, requiring businesses to wait for at least 12 months before requesting an opt-in after consent was declined or after an opt-out.
- Administrative fines for violations where the data subjects are minors were increased to $7,500 regardless of whether the violation was intentional.
While the fines seem rather low in comparison to the GDPR’s possible monetary sanctions, one must consider that the CPRA sanctions apply to each violation, i.e., per affected consumer.
c. New requirements for websites
Along with the CPRA come new requirements for links on websites:
The CPRA amends the CCPA’s “Do Not Sell” button, so that websites will have to provide a link titled “Do Not Sell Or Share My Personal Information”.
The CPRA also creates a new, similar requirement for websites to provide a link titled “Limit The Use Of My Sensitive Personal Information”.
In addition, the CPRA encourages businesses to create “a single, clearly-labeled link” that easily allows consumers to simultaneously opt-out of sale or sharing of personal information and limit the use or disclosure of their sensitive personal information.
d. New data protection authority
While the CCPA is presently enforced by the California Office of the Attorney General, the CPRA establishes a new enforcement agency, the California Privacy Protection Agency (CPPA), vesting it with investigative, enforcement and rulemaking powers.
Exemptions and Timeline
The CPRA extends the employee and business-to-business exemptions to January 1, 2023. After that, the exemptions will expire and the CPRA becomes fully enforceable, retrospectively for data collected after January 1, 2022. Enforcement is scheduled to begin on July 1, 2023. The 30-day cure period of the CCPA, in which businesses could avoid penalties by taking rectifying measures after having been notified by the Attorney General, will no longer apply.
What does it Mean for European Companies?
The CCPA applies to companies that do business in California and fall under the scope of the Act. They must comply with the requirements regarding transparency and data subjects’ rights. European companies will be familiar with these requirements, which are similar to those of the GDPR, so that in some cases only minor adjustments may be needed in order to comply with the Californian rules. However, companies should be vigilant, review the new requirements of the CPRA and adjust their processes accordingly as early as possible, so as to be prepared when the new law takes effect and to avoid non-compliance and possible sanctions or claims for damages.