In the new year, comprehensive privacy laws go into operation in five states: California (January 1), Virginia (January 1), Colorado (July 1), Connecticut (July 1), and Utah (December 31). Subsequent blog posts will cover each of these laws in detail. In this post, we begin a series analyzing the impact of the California Privacy Rights Act (“CPRA”) in greater depth.
The CPRA will go into operation on January 1, 2023 and will be enforceable by the newly created California Privacy Protection Agency (“CPPA”) beginning on July 1, 2023. Passed by ballot initiative in November 2020, the CPRA amends and expands the California Consumer Privacy Act (together with the CPRA, the “CCPA/CPRA”), already the most far-reaching privacy legislation currently in operation in the United States. As amended, the CCPA/CPRA expands consumer privacy rights and data processing obligations, creating new rights to limit the use of sensitive personal information and to correct personal information stored by a business. It implements certain “principles of processing” like the purpose limitation, requiring businesses to evaluate their uses of personal information to ensure they are proportionate to the requirements of disclosed business and commercial purposes. It also enhances opt-out rights in the context of cross-context behavioral advertising and requires that businesses enter into new contractual terms with service providers to which they disclose the personal information of California residents.
In the lead-up to CCPA/CPRA effectiveness, many companies are struggling to understand how it will impact them. What is the CCPA/CPRA? What does it change? How should businesses respond? While each company’s situation is different, we will try to answer these questions over the course of several blog posts, beginning with the law’s status and scope.
Does the CPRA apply to my company?
The CPRA applies to “businesses” that are for-profit companies that “do business” in California, that determine the “purposes and means” of processing (i.e., how and why the personal information of California residents is used), and that meet one of the following threshold criteria: (1) had annual gross revenues in excess of $25 million in the prior calendar year; (2) annually buy, sell, or share the personal information of at least 100,000 California consumers or households; or (3) derive at least 50% of annual revenues from “selling” or “sharing” California residents’ personal information. Because “selling” and “sharing” are broadly defined and include many disclosures for web analytics or cross-context behavioral advertising, it may be easier for some businesses to fall within the law’s scope than it may first appear.
What about service providers and contractors?
In addition to “businesses,” the CCPA/CPRA also has direct application to some service providers and contractors. Service providers are entities that process personal information “on behalf of” a business and enter into specified contractual terms. Contractors are entities to which a business “makes available” personal information for business purposes, that enter into required contractual terms, and that certify to their compliance with such terms. Both service providers and contractors are required to comply with a business’s instructions regarding data subject rights requests, limit their use of personal information to specified business purposes, not “sell” or “share” personal information, grant the business audit rights, and alert the business if they can no longer comply with their obligations, among other things. Service providers and contractors must also pass down required contractual terms to their own vendors and subcontractors that will process personal information on behalf of a business.
Does the CPRA apply to publicly available information?
This is one way that the CPRA actually reduces the CCPA/CPRA’s scope. Currently, the CCPA applies to a broad range of personal information and only excludes “publicly available” information when it is lawfully made public from government records. Beginning in January, the CPRA will expand this exception to include any information that a business “has a reasonable basis to believe” is made available to the general public “by the consumer or from widely distributed media.” That means that the CCPA/CPRA will not apply to information posted on public websites or in news articles. Businesses should still be wary, though, because privacy settings or other controls may restrict access to data, meaning that certain data, while accessible to some, may not actually be “available to the general public.”
What other exceptions apply?
The CCPA/CPRA retains and clarifies most of the CCPA’s current exceptions. This includes personal information subject to the Gramm-Leach-Bliley Act applicable to financial institutions; “protected health information” that is collected by a covered entity or business associate governed by the privacy, security, and breach notification rules under HIPAA and HITECH; and certain clinical trial data. One notable change is that the CPRA eliminates the CCPA’s current exception for employee and business-to-business (“B2B”) information.
What is the California Privacy Protection Agency (CPPA) and when will it issue regulations?
The CPPA is a first-of-its-kind U.S. state agency dedicated solely to protecting the privacy of consumers. It is responsible for enforcing the CCPA/CPRA and issuing implementing regulations. As an agency dedicated to privacy enforcement, we expect the CPPA to pursue potential violations more actively, although it is notable that the California attorney general (currently tasked with CCPA enforcement) has already sent over 40 notices of alleged non-compliance and settled a CCPA enforcement action against Sephora, Inc. for $1.2 million.
The CPPA is close to finalizing its first batch of regulations, which were initially released in the CPPA’s Notice of Proposed Rulemaking on July 8, 2022 and modified on November 3, 2022. The current draft regulations are only a start—they do not cover many issues that we expect to see covered in the regulations eventually, such as rights regarding automated decision-making. We expect further developments soon.
When does enforcement begin?
Even though the CCPA/CPRA is operational on January 1, 2023, enforcement does not begin until July 1, 2023. There is no look-back period, meaning that businesses are given a six-month grace period. During that time, though, the current terms of the CCPA are still enforceable, and there is no doubt that regulators will be aware of prior violations even if those violations are not directly enforced.
One important set of new obligations that will be enforced beginning January 1, 2023, however, relates to employee and B2B data. The CCPA exempted such information from many of its requirements. The CPRA eliminates those exemptions, and because the CCPA itself is currently (and will remain) enforceable, businesses will need to have updated their compliance programs to address such data by then. In our next blog post on the CCPA/CPRA, we will further examine the law’s impact on employee and B2B data.