As the business community takes stock of (and impatiently waits for) 2020 election results, it should place particular significance on the passage of Proposition 24, the California Privacy Rights Act (CPRA) by about a 12 percent margin. The CPRA makes significant changes to the California Consumer Privacy Act (CCPA), which was originally passed by the California legislature in 2018. However, the CPRA does not take effect until January 1, 2023, giving businesses a bit more than two years to prepare.
The CPRA adds new obligations on both businesses and service providers, adds some important new definitions, and creates new liability risks, while clarifying some operationally difficult aspects of the CCPA. Importantly, it also mandates the creation of a new agency to enforce privacy violations, which should increase enforcement. Finally, the CPRA limits the ability of the legislature to amend the law.
The CCPA originally passed the legislature in June 2018 because Alistair MacTaggart, a politically active real estate developer, prepared a ballot initiative and leveraged the legislature into passing a slightly scaled-down version of that initiative the week prior to the initiative being certified for the ballot. Unsatisfied with the ultimate outcome of the CCPA, MacTaggart introduced the CPRA in the fall of 2019 and followed through on his promise to bypass the legislature by obtaining enough signatures for a vote on the measure.
Here are quick highlights of the sprawling and sometimes confusingly drafted 52-page initiative:
The CPRA introduces key new definitions that focus on digital advertising and sensitive data.
In the first bucket of new definitions, there is a new definition of “advertising and marketing,” “sharing” (which avoids the CCPA requirement that businesses call many non-sale data sharing arrangements “sales”), “profiling,” and “cross-context behavioral advertising.” The clarifications address some key ambiguities in the current CCPA regarding Internet advertising.
A second bucket of new definitions undergird new sensitive data requirements: definitions of “sensitive personal information,” “precise geolocation,” and “consent,” which includes a novel and broad definition of “dark patterns” aimed at simplifying consumers’ ability to control their online preferences.
There are several positive developments in the CPRA for businesses. Although the main portions of the act do not go into effect until 2023, there is an immediate, two-year extension of the Employee and B2B moratoria until its implementation date. Compliance teams may be relieved to find an exception to the deletion and access rights for many types of unstructured data, which are often very difficult to retrieve in response to a rights request. And the CPRA expands on existing exemptions, providing for household data exemptions to some consumer rights, a broader security exemption, and a broader exemption for publicly available data to include online public profile data.
Conversely, the CPRA places some increased, GDPR-like obligations on businesses and service providers. For businesses, the CPRA adds a GDPR-like right to correct inaccurate personal information, and purpose specification and data minimization requirements. It also adds a separate opt-out process for sensitive data. Additionally, the CPRA removes the 30-day right to cure, adds data breach class action risk for personal and work email account credential breaches, and increases the penalties for violations of children’s privacy.
For service providers, there will be direct liability for CPRA violations in which they are involved, and increased obligations to cooperate with consumer rights requests.
The first US state data protection authority: enforcement and rulemaking authority
Finally, the act establishes a California data protection agency, which will be largely funded through fines for statutory violations. The membership of the agency will be appointed by legislative leadership, creating potential conflicts of interest and questions of politicization of the authority. Much to compliance lawyers’ dismay, the agency, along with the Attorney General, is also required to conduct a wide range of rulemakings, which are to conclude in July 2022, six months before enforcement can begin.
Unlike many ballot initiatives in California, the CPRA specifically provides that its provisions can be amended by a legislative majority, instead of the supermajority normally required. However, it also provides that a simple majority is permitted only if the act is amended in ways that further the purposes set forth in Section 3 of the act. This will make it procedurally very difficult for businesses to obtain relief from requirements through the legislative process going forward.
Learn more about the implications of the California Privacy Rights Act for your business by contacting our data privacy team at PrivacyGroup@dlapiper.com.
Jim Halpert, Andrew Serwin, Andrew Kingman