While the world is watching the United States, waiting to hear the final outcome of this week’s presidential election, the privacy community is looking at California. On 3 November, the Golden State voted in favor of Proposition 24, expanding the State’s privacy legislation with a new set of rules. The measure passed with 56.1% of the vote, despite heavy debate and opposition from civil rights organizations including the ACLU. As of 1 January 2023, the California Consumer Privacy Act (CCPA) will be amended and expanded by the California Privacy Rights Act (CPRA).
What does the new law entail?
As was the case with the CCPA, there are still a lot of details to be ironed out in the coming months to ensure the CPRA can be fully operational in 2023. However, quite a few of the changes are already clear.
- Sensitive personal information: the CPRA introduces the concept of sensitive personal information, which requires a higher level of protection than regular personal information. Sensitive personal information includes government identification numbers such as the social security, driver’s license, identity card or passport number; account credentials; credit card details; the precise geolocation of a consumer; the contents of mail, email and text messages (unless the business is the intended recipient of the communication); as well as GDPR-aligned data elements such as religious or philosophical beliefs, union membership, health, genetic and biometric data, and information about an individual’s sex life or sexual orientation. Under the CPRA, a consumer will have the right to direct a business to limit its use and disclosure of their sensitive personal information. If so directed, the business may only use the sensitive personal information it has already collected to the extent necessary to deliver the goods or services the consumer has requested.
- The Right to Deletion already included in the CCPA will be extended, among other things to require that service providers and contractors cooperate with the deletion of personal information, and to allow businesses to keep a confidential record of deletion requests for future reference.
- A Right of Correction is introduced, allowing consumers to request the correction of inaccurate personal information.
- It is further clarified that businesses may not ‘punish’ a consumer for exercising their individual rights under the CPRA. The exception allowing businesses to run loyalty programs and offer premium discounts in return for personal information is made more explicit in the law.
- Consumers will be able to access more data than just the data collected in the 12 months preceding their request. This does not force companies to retain data longer than they normally would, but it does mean that if personal information is retained for 24 months, access will need to be provided for all data collected and used during those 24 months. This obligation applies to personal information collected on or after 1 January 2022. The intended retention period for each category of personal information needs to be disclosed in the privacy notice.
- The CPRA introduces the concept of purpose limitation into California law, ensuring personal information can only be processed for pre-determined specific, explicit, and legitimate purposes. Data collection, use and retention will also need to be limited to what is reasonably necessary and proportionate to those purposes.
- Another new limitation relates to cross-context behavioral advertising and the use of so-called dark patterns. Cross-context behavioral advertising means targeting advertising at a consumer based on a profile built from their activity across businesses, websites and apps other than the one they are currently interacting with. Under the CPRA, consumers can opt out of such use of their data, because the law adds a definition of ‘sharing’ alongside ‘sale’, covering the disclosure of personal information for cross-context behavioral advertising even when no payment is involved. In short: individuals get a right not to be tracked online if they so wish. To make this easier, consumers may not be nudged towards accepting the processing of their personal information through the visual presentation of privacy preferences (e.g. a large, brightly colored ‘accept all’ button next to a much smaller and less conspicuous link to change data collection preferences); consent obtained through such dark patterns does not count as consent.
- The data breach provisions are extended. Unauthorized access to personal information that is non-encrypted and non-redacted, or to an email address in combination with a password or security question and answer that would permit access to an account, triggers the consumer’s private right of action. Under the CPRA, affected individuals can claim damages and any other relief a court considers necessary where the breach results from the business’s failure to implement reasonable security. Companies may also face administrative enforcement for breaches caused by insufficient data security.
- From the enforcement perspective, the CPRA introduces a new enforcement agency in California, comparable to data protection supervisory authorities elsewhere in the world. The California Privacy Protection Agency (CPPA) will be governed by a five-member board: two members appointed by the California Governor, and one each by the Attorney General, the Senate Rules Committee and the Speaker of the Assembly. The CPPA will, among other things, be able to investigate violations of the law, conduct hearings and compel testimony, issue cease and desist orders and impose monetary sanctions. The CPPA will also adopt regulations and provide further guidance on the application and implementation of the CPRA.
How to prepare for the CPRA?
Although some of the supporting provisions of the CPRA, including the establishment of the CPPA, will come into force in the weeks following the certification of the election results, the main obligations won’t apply until 1 January 2023. The current CCPA exemptions for employee data and business-to-business contacts are likewise extended until 2023. In the coming months, TrustArc will provide further guidance on how to get ready for the CPRA in further blogs, webinars and podcasts, and will ensure our privacy management platform supports our customers in preparing for the CPRA. Businesses don’t need to do anything right now, but are advised to keep the forthcoming changes in mind when reviewing their privacy policies and practices. As a starting point, businesses could document the purposes of their data processing, together with which personal information is necessary and proportionate to achieve each purpose, and the retention period applied to it. In addition, businesses could start to document which categories of sensitive personal information they process.