Authors: Stacey Gray, Senior Counsel, Katelyn Ringrose, Christopher Wolf Diversity Law Fellow at FPF, Polly Sanderson, Policy Counsel, and Veronica Alix, FPF Legal Intern
Despite a day of election uncertainty, November 3, 2020 produced an important moment for privacy legislation: California voters approved Proposition 24, the California Privacy Rights Act (CPRA). With 56.1% of the vote counted in favor so far, the ballot measure will almost certainly clear the simple-majority threshold and become law in California.
The CPRA amends key portions of the 2018 California Consumer Privacy Act (CCPA), which went into effect earlier this year. The CPRA gives additional rights to consumers and places additional obligations on businesses. The new law provides additional protections for sensitive personal information, expands the CCPA's opt-out right to cover new types of information sharing, and requires businesses to provide additional mechanisms for individuals to access, correct, or delete data, with a particular focus on information used by automated decision-making systems.
What’s next? The new law is scheduled to become operative in 2023, but preparations will occur over the next two years: a new California Privacy Protection Agency will be established, funded, and tasked with taking over rulemaking from the California Attorney General; and businesses will need to interpret (and build systems to comply with) the law’s additional consumer privacy rights. The establishment of a dedicated Privacy Protection Agency is a major milestone for privacy in the US, and we expect the passage of the CPRA to energize efforts to pass comprehensive federal privacy legislation.
Next Steps for the New CA Agency: Funding, Rulemaking, and Enforcement
The CPRA transfers funding, rulemaking, and enforcement authority from the Attorney General to the new California Privacy Protection Agency (PPA). Primary enforcement responsibility remains with a state agency (rather than with a private right of action), with a few narrow but significant changes. Specifically, the CPRA triples the penalty for violations involving minors under the age of 16 and removes the 30-day cure period that businesses can currently rely on under the CCPA. The CCPA's narrow private right of action for data breaches remains intact.
Absent amendment by the California legislature, the timeline for funding, rulemaking, and enforcement for the PPA will be:
- Certification that Proposition 24 Passed – Votes may continue to be received and counted as late as November 20, which is the deadline for the state to receive mail-in ballots postmarked by November 3rd. Analysts do not expect mail-in ballots to impact CPRA’s passage.
- Funding and Establishment of the Agency (2020) – In accordance with Section 31 of the CPRA and Article II, Section 10(a) of the California Constitution, the Act becomes effective five days after the Secretary of State “files the statement of the vote for the election.” This timeline means that the funding and establishment of the new California PPA is likely to begin soon, as early as December 2020.
- Adopting Regulations (2021-22) – According to Section 21 of the CPRA (amending Section 1798.185 of the Civil Code), the new PPA may begin exercising its rulemaking authority on July 1, 2021, or six months after the Agency notifies the Attorney General that it is prepared to begin rulemaking, whichever is later. Final regulations required by the Act are due by July 1, 2022.
- Obligations Become Operative (January 1, 2023) – Substantive obligations for businesses are scheduled to become operative on January 1, 2023. Obligations will apply to personal information collected by a business on or after January 1, 2022.
- Enforcement (July 1, 2023) – The CPRA provides that all civil and administrative enforcement by the new Agency of the provisions in the CPRA shall not commence until July 1, 2023, and shall only apply to violations occurring on or after that date. Notably, there will be no gap between CCPA and CPRA enforcement – CPRA states that enforcement of CCPA provisions will continue “and shall be enforceable until the same provisions of [the CPRA] become enforceable.”
In the meantime, the California Attorney General has solicited broad public comment on CCPA regulations throughout 2019 and 2020, including as recently as October 2020 (in a third set of proposed modifications). Those regulations will remain in effect and be supplemented by rules adopted by the new Agency.
Additional Consumer Privacy Rights and Business Obligations
In substance, the most significant changes in the CPRA are that the law expands the right to opt out to cover the "sharing" of personal information, and establishes a new right to limit businesses' uses of "sensitive personal information," a new term defined broadly to include, among other things, information about sexual orientation, race and ethnicity, precise geolocation, and health conditions.
- Expanded Right to Opt-Out of Data "Sharing" (in Addition to Sale) — Under existing law, California residents can request to opt out of the "sale" of their personal information. The CPRA expands this opt-out right to cover both "sale" and "sharing," where sharing includes disclosing personal information to third parties "for cross-context behavioral advertising," a clarification that brings greater certainty regarding how California law regulates online ad networks. Subject to interpretation and rulemaking by the new Privacy Protection Agency, businesses will likely be required to honor a global opt-out mechanism, or "opt-out preference signal sent with the consumer's consent by a platform, technology, or mechanism, based on technical specifications set forth in regulations . . ." (1798.135). So far, at least one draft technical specification has emerged: the Global Privacy Control, introduced by privacy-focused tech companies, nonprofits, and publishers.
- Expanded Right to Access — Under the existing CCPA right to access, California consumers can request access to all categories of personal information a business collected about them over the previous 12 months. For personal information collected on or after January 1, 2022, the CPRA removes that 12-month look-back limit, requiring businesses to provide access to personal information collected beyond the 12-month window "unless doing so proves impossible or would involve a disproportionate effort."
- Right to Correct Inaccurate Information – Under the CPRA, a consumer has the right to request a business to correct inaccurate personal information that a business maintains. Further, the business collecting this personal information must (1) disclose the consumer’s right to request a correction, and (2) “use commercially reasonable efforts” to correct the inaccurate personal information upon request.
- Right to Limit Uses of Sensitive Information — The CPRA creates a new consumer right to limit the use and disclosure of sensitive personal information, including information concerning health, race and ethnicity, sexual orientation, precise geolocation, and more. Upon request, covered businesses must not only stop selling or sharing sensitive information, but also limit their internal uses of it. Service providers and contractors must comply with this limitation once they are notified of the request by the business on whose behalf they process the data and have actual knowledge that the personal information they are using or processing is sensitive.
- Data Minimization and Purpose Limitation — The CPRA establishes a new general obligation (1798.100) that a business's collection, use, retention, and sharing of a consumer's personal information "shall be reasonably necessary and proportionate to achieve the purposes for which the personal information was collected or processed, or for another disclosed purpose that is compatible with the context in which the personal information was collected, and not further processed in a manner that is incompatible with those purposes."
- Additional Notification Obligations — Covered businesses that collect personal information must still, pursuant to the CCPA, inform consumers of the categories of personal information collected. Additionally, under the CPRA, they must inform consumers of the categories of sensitive personal information collected, the purposes for which each category is collected, whether it is sold or shared, and the length of time the business intends to retain each category (or, if that is not possible, the criteria used to determine the retention period).
- Clarification on Loyalty Programs — Under existing law, companies cannot retaliate against consumers for exercising their privacy rights, but may offer differential pricing for digital services if the pricing is “reasonably related to the value provided to the business by the consumer’s data.” (1798.125(a)(2)). The CPRA further clarifies that the anti-discrimination provision “does not prohibit a business from offering loyalty, rewards, premium features, discounts, or club card programs.” (Sec. 11).
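The opt-out preference signal described above is the one piece of the CPRA that a web engineer will have to implement in code. The following is an added illustration written for this post, not code from FPF, from the CPRA, or from the Global Privacy Control project. It assumes the mechanics of the GPC draft specification as published at the time of writing: a participating browser sends the request header `Sec-GPC: 1` when the user has switched the signal on, any other value is to be treated as if the header were absent, and a site may publish `/.well-known/gpc.json` to state that it honors the signal. The policy it applies (the signal is recorded as an opt-out of both sale and sharing, and a later request without the header never clears a stored opt-out) is the authors' assumption about a sensible default, not a reading of the Agency's future regulations.

```python
"""Honoring a Global Privacy Control (GPC) opt-out preference signal.

Added example; not code from FPF, the CPRA, or the GPC project.
Assumed (from the GPC draft spec): browsers send ``Sec-GPC: 1`` when the
signal is on; any other value is ignored; a site may publish
``/.well-known/gpc.json`` to state that it honors the signal.
Assumed policy: the signal is treated as an opt-out of both "sale" and
"sharing" (cross-context behavioral advertising), and the absence of the
header on a later request does not undo a stored opt-out.
"""
from dataclasses import dataclass
from typing import Mapping

SEC_GPC = "sec-gpc"  # header names are case-insensitive in HTTP

# Disclosure purposes used by may_disclose(); the names are our own.
PURPOSE_SALE = "sale"
PURPOSE_CROSS_CONTEXT_ADS = "cross_context_behavioral_advertising"
PURPOSE_SERVICE_PROVIDER = "service_provider_processing"


def has_gpc_signal(headers: Mapping[str, str]) -> bool:
    """True only for a well-formed signal: a Sec-GPC header whose value is "1".

    Values such as "0", "true" or "yes" are not a valid signal and are
    treated exactly like a missing header, as the draft spec directs.
    """
    for name, value in headers.items():
        if name.lower() == SEC_GPC:
            return value.strip() == "1"
    return False


@dataclass
class ConsumerPrefs:
    """Opt-out state stored for one consumer (or one browser/device)."""
    opted_out_sale: bool = False
    opted_out_sharing: bool = False
    source: str = "none"  # where the opt-out came from, for audit logs


def apply_signal(prefs: ConsumerPrefs, headers: Mapping[str, str]) -> ConsumerPrefs:
    """Record a GPC signal as an opt-out of sale and sharing.

    A request without the header leaves existing opt-outs untouched: a
    consumer who opted out through a web form, or from a browser that sent
    the signal earlier, must not be silently opted back in.
    """
    if has_gpc_signal(headers):
        prefs.opted_out_sale = True
        prefs.opted_out_sharing = True
        prefs.source = "gpc"
    return prefs


def may_disclose(prefs: ConsumerPrefs, purpose: str) -> bool:
    """Decide whether personal information may be disclosed for a purpose.

    Sale and sharing for cross-context behavioral advertising are blocked
    by the corresponding opt-out; disclosure to a service provider acting
    on the business's behalf is not a sale or share and stays permitted.
    """
    if purpose == PURPOSE_CROSS_CONTEXT_ADS:
        return not prefs.opted_out_sharing
    if purpose == PURPOSE_SALE:
        return not prefs.opted_out_sale
    if purpose == PURPOSE_SERVICE_PROVIDER:
        return True
    raise ValueError(f"unknown disclosure purpose: {purpose!r}")


def gpc_well_known(last_update: str = "2020-11-04") -> dict:
    """Body for /.well-known/gpc.json declaring that the site honors GPC.

    The date is an ISO 8601 day (assumed format from the draft spec).
    """
    return {"gpc": True, "lastUpdate": last_update}


if __name__ == "__main__":
    # Constructed sample requests: one from a browser with GPC on, one without.
    with_signal = {"Host": "example.test", "Sec-GPC": "1"}
    without_signal = {"Host": "example.test"}

    prefs = apply_signal(ConsumerPrefs(), with_signal)
    print("ad sharing allowed:", may_disclose(prefs, PURPOSE_CROSS_CONTEXT_ADS))
    prefs = apply_signal(prefs, without_signal)  # opt-out must survive this
    print("still opted out of sale:", prefs.opted_out_sale)
    print(gpc_well_known())
```

The two behaviors worth noticing are the strict header check (only the literal value `1` counts, so a misconfigured proxy or a `Sec-GPC: 0` cannot accidentally register as an opt-out or be mistaken for consent) and the one-way update in `apply_signal`, which keeps a stored opt-out even when a later request arrives from a browser that does not send the signal.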
In scope, the CPRA retains the same basic structure as the CCPA, with minor changes to the kinds of businesses that are regulated. For example, the law doubles the CCPA's volume threshold, from buying, selling, or sharing the personal information of 50,000 consumers or households to 100,000 per year. However, the law retains the CCPA's applicability to for-profit businesses "doing business in California," and its exclusion of "publicly available" information from the definition of personal information.
The CPRA also extends the sunset date of the CCPA's exemptions for employee and business-to-business data to January 1, 2023, and extends the obligations that currently apply to service providers to a new category of "contractors."
The establishment of a dedicated Privacy Protection Agency is a major milestone for privacy in the US, a development that could even potentially lead to discussions with EU officials regarding the adequacy and interoperability of California privacy law with Europe’s General Data Protection Regulation (GDPR). The CPRA expands consumer rights for Californians in important ways, including extending rights to access and correct information, opt-out of sharing and sale, and limit uses of sensitive information.
Most importantly, we expect passage of the California Privacy Rights Act to energize efforts to pass comprehensive federal privacy legislation. Congress and the next Administration will have an opportunity to pass privacy legislation that establishes national protections for all US consumers and gives businesses clear obligations.
We look forward to working with the new California Privacy Protection Agency as it establishes the state’s approach to allowable uses of health data, de-identification practices, and other challenging questions.
Stacey Gray is a Senior Counsel at FPF and leads FPF’s legislative analysis and policymaker education team. Katelyn Ringrose is the Christopher Wolf Diversity Law Fellow at FPF, Polly Sanderson is a Policy Counsel at FPF working on U.S. federal and state privacy legislation, and Veronica Alix is a Fall 2020 Legal Policy Intern. Contact us at [email protected].