The CPRA and Recent Privacy Patchwork
While the U.S. still does not have a federal privacy law, the laws in various states are changing. California was, of course, first, and even its law has changed. Following in 2023 are privacy laws in Virginia, Colorado, Connecticut and Utah.
January 1, 2023 is the compliance date for the California Privacy Rights Act (CPRA), which significantly expands the California Consumer Privacy Act (CCPA): it grants additional rights to consumers, removes the 30-day cure period, and sunsets the partial exemptions for employee data and business-to-business transactions, both of which will now be subject to the CCPA. Those exemptions expire at the end of this year.
Who is covered under the CPRA? The CPRA amends the CCPA's definition of a covered business to include:
- any entity that has annual gross revenues over $25 million; annually buys, sells, or shares the personal information of 100,000 or more California residents or households; or derives 50% or more of its annual revenue from selling or sharing California residents' personal information, and
- any entity that controls or is controlled by a covered business and shares common branding with a covered business, such as a shared name, service mark, or trademark.
A business that operates in California and is not statutorily covered under the CPRA may voluntarily certify to the California Privacy Protection Agency (CPPA) that it complies with, and agrees to be bound by, the CPRA.[1]
What does not change: non-profits remain outside the CCPA, even as amended by the CPRA.
New consumer rights. The CPRA sets out six consumer rights, some new and some expanded from the CCPA, as of January 1, 2023:
- To know what personal information about them was collected, sold, shared for cross-context behavioral advertising, or otherwise disclosed.
- To opt out of the sale or sharing of their personal information; for workers, this now includes sale or sharing by their employer and the employer's vendors.
- To correct inaccurate personal information.
- To delete personal information.
- To limit the use and disclosure of sensitive personal information.
- Not to be discriminated or retaliated against for exercising any of their rights under the CPRA.
Enforcement. The CPRA will continue to be enforced by the California Attorney General. The CPRA also establishes the CPPA to enforce the law through administrative proceedings, with fines of up to $2,500 per violation and up to $7,500 per intentional violation or violation involving the personal information of consumers under 16. The CPRA expands the CCPA's limited private right of action: consumers may now also sue over data breaches involving an email address in combination with a password or security question and answer that would permit access to the consumer's account.
The CPRA eliminates the 30-day cure period that the CCPA gave businesses to cure alleged violations before any administrative enforcement by the Attorney General. For breach claims under the private right of action, it also clarifies that "the implementation and maintenance of reasonable security procedures and practices [. . . ] following a breach does not constitute a cure."[2]
If you are affected by these changes, here is an action plan for your consideration:
- Develop/update your privacy policy and notices at collection for employees, job applicants, independent contractors,[3] and other workers, and add the information the CPRA now requires: categories of sensitive personal information collected, retention periods for each category, and the new CPRA rights.
- Develop internal processes to respond to workforce Data Subject Access Requests (DSARs) and to the new consumer rights, e.g., make sure you have sufficient staff and that the company can honor deletion, correction, and data portability requests on time, which means storing personal information in a format that enables easy transfer upon consumer request.
- Develop/update your data retention policy and ensure the personnel responsible for CPRA compliance are properly trained and knowledgeable.
- Add "Do Not Sell or Share My Personal Information" and "Limit the Use of My Sensitive Personal Information" links to the company website. These are required only when the company sells or shares personal information, or collects sensitive personal information, respectively; do not add a link if the privacy policy does not contemplate the sale or sharing of personal information or the collection of sensitive personal information.
- Update processing agreements with service providers, e.g., to include the right to audit the service provider. The CPRA requires written contracts containing specific provisions whenever the company sells or shares personal information with a third party, or discloses personal information to a service provider or contractor for a business purpose.
- Regularly monitor the regulations promulgated by the CPPA and update legal documents accordingly (the regulations are still being updated as we go to press).
- Evaluate whether the company's processing presents significant risk to consumers' privacy or security and will therefore require a risk assessment under the CPPA regulations, and adjust training and security measures accordingly.
Practical notice. More data protection laws are just around the corner: the Virginia Consumer Data Protection Act (VCDPA) becomes effective January 1, 2023, the Colorado (CPA) and Connecticut (CTPA) Privacy Acts are effective July 1, 2023, and the Utah Consumer Privacy Act (UCPA) comes into force on December 31, 2023. Be on the lookout for our legal updates regarding these acts.
Meeting the CPRA's expanded obligations and updating the company's security and data management routines will help you prepare for these additional privacy acts as well. We are happy to assist.
[1] For example, if a company wants to purchase personal information from a CPRA-covered business, see Cal. Civ. Code § 1798.100(d)(2).
[2] See Cal. Civ. Code § 1798.150(b).
[3] CPRA defines independent contractor as a natural person who provides any service to a business pursuant to a written contract.