Less than a year after the California Consumer Privacy Act (CCPA) took effect, California voters approved a ballot initiative to revise and supersede the CCPA significantly. The initiative (known as the California Privacy Rights Act (CPRA) builds on the CCPA but modifies—and extends—it in important ways.
One of the more immediately noticeable results of the CPRA will be the creation of a brand new regulatory agency—the California Privacy Protection Agency—that will replace the California Attorney General’s Office and have responsibility for implementing and enforcing the CPRA (and, until the CPRA takes effect, the CCPA). The agency, which will have five members as well as supporting staff, is to be created within the next 90 days and will take over rulemaking and administrative enforcement responsibilities.
Although the regulator will be established quickly, many of the substantive provisions will not take effect until January 1, 2023, leaving businesses with time to adjust their operations to comply with the law. Until then, the CCPA will remain in force. However, many of the key details of the new law will be defined by future regulations adopted by the new California Privacy Protection Agency, requiring that affected businesses remain vigilant.
Among other more important changes made by the CPRA are:
1. A redefinition of businesses to which it applies. The CPRA will apply to a “business” in California that also satisfies one or more of the following:
- Annual gross revenues of $25 million in the preceding year (a slight clarification of the CCPA);
- Annually buys, sells, or shares the personal information of 100,000 or more consumers or households (raising the threshold from 50,000 in the CCPA); or
- Derives 50 percent or more of its annual revenues from selling or sharing consumers’ personal information; or
- A person that does business in California but does not meet either of the preceding criteria, but voluntarily certifies to the California Privacy Protection Agency that it agrees to comply with the CPRA.
- Moreover, the CPRA will require that business entities sharing common control and common branding must also share personal information. This was a gray area under the CCPA that may impact consumer-facing businesses with a substantial number of affiliates with common ownership that may separately interact with consumers.
Consistent with a recent amendment to the CCPA, the CPRA also exempts the personal information of job applicants, employees, and independent contractors from the law until January 1, 2023.
Although the CPRA will take effect on January 1, 2023, some of its consumer rights provisions will “look back” to personal information collected by businesses up to a year before, so data systems need to be in operation by January 1, 2022.
- Review how it collects and uses consumer personal data and identify the purpose for doing so;
- Confirm or, if necessary, modify its practices so that it retains only personal information that is “necessary and proportionate” for processing;
- Identify what “sensitive personal information” (including precise geolocation data) it possesses and treat it appropriately;
- Possibly revise its IT system to implement the new obligations, including the new “right to correct”;
- Negotiate written contracts with nearly every business to which it sells or shares consumer personal information;
- Review its arrangements with digital marketing providers to assess their ability to comply with the opt-out of targeted marketing based on personal profiles;
- Review and as needed strengthen their data security.
Businesses that have already reviewed and modified their operations to come into compliance with the CCPA will still need to make some changes, but the CPRA does not require them to discard what they have already done. Businesses opening in California will have to make more substantial adjustments, but if an entity has already acted to come into compliance with the European Unions General Data Protection Regulation it will find much of the CPRA to be familiar. Businesses should consider a timetable now for establishing their compliance and ensure that they have the resources available to do so.
Note: This publication is distributed with the understanding that the author, publisher and distributor of this publication and/or any linked publication are not rendering legal, accounting, or other professional advice or opinions on specific facts or matters and, accordingly, assume no liability whatsoever in connection with its use. Pursuant to applicable rules of professional conduct, portions of this publication may constitute Attorney Advertising.