California Leads the Way to Transform Consumer Privacy Protection in the U.S. – California Privacy Rights Act of 2020

As you may recall, Proposition 24 appeared on California’s 2020 ballot for the general election. On November 23, 2020, California voters approved Proposition 24, or officially the California Privacy Rights Act of 2020 (CPRA).

The United States has followed a so-called “sectoral” approach in regulating privacy issues, with federal laws directed only to specific industries and state laws that further address data protection practices and personal information security regulation on a local level. Guaranteeing privacy as “an inalienable right” in the constitution and being home to world-class computer technologies, California continues to spearhead the transformation and management of consumer privacy protection, especially privacy protection of online communications and other electronic data.

For consumer privacy protection, California currently has the California Consumer Privacy Act (CCPA), which generally applies to big companies and data brokers and went into effect on January 1, 2020. The CPRA updates and strengthens the CCPA by giving consumers more control over how companies use consumer data, establishing a new enforcement agency, creating a new category of sensitive data, expanding consumers’ opt-out rights to include information sharing, requiring businesses to provide additional mechanisms for individuals to access, correct, or delete data, with a particular focus on data used by automated decision-making systems, and imposing additional compliance requirements for businesses. Overall, the CPRA pushes California privacy practices yet another step closer to European Union (EU) privacy legislation and particularly the EU General Data Protection Regulation (GDPR).

We present below some of the key changes, amendments and/or additions introduced by the CPRA to the existing privacy law in California:

  1. The CPRA creates a new state agency – the California Privacy Protection Agency (CPPA) – with full power to enforce and implement the CPRA, while the CCPA was enforced by the Attorney General. The CPPA will be the first agency in the U.S. charged solely with enforcing privacy rights.

  2. The CPRA expands a consumer’s right to opt out of data “sharing”, not just data “sale” as required under the CCPA. The opt-out right applies to sharing of personal information used for “cross-context behavioral advertising”. In addition, the opt-in right for minors is strengthened – as with the opt-out right, businesses must wait twelve months before asking a minor for consent to sell or share his or her personal information after the minor has declined to provide it.

  3. The CPRA defines “sensitive personal information” that includes government identifiers; financial account and login information; precise geo-location; race, ethnicity, religious or philosophical beliefs, or union membership; content of nonpublic communications (such as mail, email and text messages); genetic data; biometric or health information; and sex life or sexual orientation information. The CPRA imposes limitations on the use of sensitive personal information but does not require consent for processing such information.

  4. The CPRA requires businesses to better serve a consumer’s right to access, correct and delete personal information. Beginning January 1, 2022, the CPRA will extend the existing twelve-month access window, allowing California consumers to request access to all categories of personal information collected by companies, indefinitely. The CPRA also enables consumers to request any correction of inaccurate personal information held by a business, which is an extension of the consumers’ right available under the CCPA. Additionally, the CPRA requires businesses to handle a consumer’s request to delete not only data collected from the consumer but also data bought or received from third parties (with few exceptions), and to notify the third parties of the request in this case.

  5. The CPRA allows consumers to request meaningful information regarding the logic involved in a decision-making process and a description of the likely outcome based on that process.

  6. The CPRA imposes fines of $7,500 for each violation involving personal information of consumers under the age of 16. The CPRA also eliminates the thirty-day period to cure any noncompliance, granting the CPPA at most discretionary power to provide a business with a time period to cure.

Though the CPRA will not enter into force until January 2023, plenty of preparations are required in the near term and over the next two years. Companies doing business in the state of California or using data of California residents should take appropriate measures to ensure compliance with the CPRA requirements. Importantly, with all the obligations imposed by the CPRA, businesses in the next two years need to seek compliance wisely and strategically, focusing on internal practices of data collection, use, retention, and categorization. Moreover, businesses should continue to have an up-to-date privacy notice that is properly enforced, a dedicated team that is responsible for privacy operation and management, and technical and administrative measures necessary to achieve effective consumer privacy protection. We are here to help!
