On November 3, 2020, Californians passed the ballot initiative for the California Privacy Rights Act (CPRA) with a 56% vote. As discussed earlier, the CPRA significantly expands upon the California Consumer Privacy Act (CCPA), which went into effect on January 1, 2020, and whose regulations were approved on August 14, 2020, with subsequent proposed amendments in October 2020.
Most CPRA provisions will take effect on January 1, 2023, but its new obligations will apply to any personal information collected from California residents on or after January 1, 2022, a little over one year from passage.
As discussed below, the CPRA imposes several new obligations that are similar to requirements under the European Union General Data Protection Regulation (GDPR). The CPRA also immediately creates the California Privacy Protection Agency, a new state agency to oversee and enforce the CPRA.
GDPR-Like Provisions of the CPRA
Purpose Limitation – The CPRA requires that a business’s collection, use, retention, and sharing of personal information be “reasonably necessary and proportionate to achieve the purposes for which the personal information was collected or processed, or for another disclosed purpose that is compatible with the context in which the personal information was collected, and not further processed in a manner that is incompatible with those purposes.” (CPRA § 1798.100(c)). Businesses seeking to collect and process personal information from California residents will need to contemplate and justify the needs and scope of collection from the outset and control the uses of the information over time. Collection of large datasets for later developed uses may be constrained under this provision of the CPRA.
This “purpose limitation” is one of the CPRA’s most novel requirements in the U.S., although it is a standard part of EU data protection regimes. It remains to be seen whether such a purpose limitation can withstand constitutional scrutiny in the U.S. given the strength of free speech rights in the U.S. system.
Sensitive Personal Information – The CPRA also creates a new category of Sensitive Personal Information (SPI) that is subject to heightened protections. (CPRA § 1798.140(ae)). SPI includes, among other things, “precise” geolocation, race, ethnicity, religion, and health information. The CPRA requires a covered business to include a website link titled “Limit the Use of My Sensitive Personal Information” on its homepage if it intends to use SPI for any purposes not explicitly disclosed to California residents. (CPRA § 1798.121(b)).
Data Retention – The CPRA requires businesses to inform California residents about data retention practices in greater detail than GDPR. More specifically, a covered business must inform California residents about the length of time the business intends to retain each category of personal information, and, more importantly, the CPRA prohibits retaining personal information for “longer than is reasonably necessary” to achieve the disclosed purpose. (CPRA § 1798.100(a)(3)). The CPRA will in effect require companies to convert their data retention policies into data retention and data deletion policies, since a stated retention period is now also a deadline for deletion.
Other New Provisions of the CPRA
Opt out of “Sharing” – While the CCPA required covered businesses to provide California residents the right to opt out of broadly defined “sales” of personal information, the CPRA goes further to require the opt out of “sharing” of personal information. The CPRA defines “sharing” as communicating “a consumer’s personal information by the business to a third party for cross-context behavioral advertising.” This further opt-out provides California residents significant new controls over limiting the sharing of their personal information for such advertising, and may lead to profound shifts in the industry.
Right to Know – The CPRA expands upon the CCPA’s right to know by allowing requests to reach beyond the CCPA’s 12-month look-back period for personal information collected on or after January 1, 2022, “unless doing so proves impossible or would involve a disproportionate effort.” (CPRA § 1798.130(a)(2)(B)).
Third Party Obligations under Right to Delete – The CPRA expands upon the CCPA’s right to deletion by requiring businesses to notify third parties to whom personal information has been disclosed or sold to delete that information. For many companies, this new obligation may require a refresh of service agreements to include such flow-through deletion obligations, as well as the ability to track which information has been sent to which vendors – a potentially burdensome task.
We will continue to monitor the developing privacy law in California. For more information or to discuss privacy or data security issues generally, please contact a member of our Data Practice group or visit https://www.ropesgray.com/en/practices/data-privacy-cybersecurity.