California already has the strongest privacy law in the United States, and Proposition 24 drew vocal opposition from groups such as the ACLU of California as well as parts of the ad-tech industry. Voters nevertheless approved it, setting in motion the California Privacy Rights Act (CPRA). The new law amends the existing California Consumer Privacy Act (CCPA), building on the rights and protections California residents already have and placing new obligations on companies doing business in the state.
Under the current CCPA, California residents have the right to access and delete personal information that companies hold about them. They also have the right to direct companies not to sell their personal information. CPRA strengthens those rights and adds two more: a right to rectification and a right to opt out of the sharing of personal information, the latter being something we have yet to see in other privacy laws.
A Quick Overview of the Changes:
Rectification rights: Similar to rights provided under GDPR, the CPRA would give California consumers the right to correct inaccurate or out-of-date information a company holds about them.
Right to opt out of sharing: Californians currently have the right to opt out of the sale of their personal information (we won't go into what "sale" means here); under CPRA they will also have the right to opt out of sharing, a term the law ties specifically to disclosures for cross-context behavioral advertising. This right brings obligations for companies similar to those of do-not-sell, including notice of the right and a prominent "Do Not Sell or Share" link on the landing page of websites and apps.
Sensitive personal information: Another concept the CPRA adopts from the GDPR is a classification of certain more sensitive data types that require additional controls. These overlap substantially with the GDPR's "special categories" of data (such as racial or ethnic origin, religious beliefs, health, sexual orientation, and genetic or biometric data) but are broader, also covering items such as government identifiers, account credentials, financial account details, precise geolocation, and the contents of private communications. Companies that process sensitive personal information must give consumers more control over it, including the right to limit its use and disclosure to what is necessary to provide the requested goods or services.
Consent: Once again, CPRA looks to the GDPR when defining consent. It uses the language "freely given, specific, informed and unambiguous," which closely mirrors the GDPR definition and may signal the beginning of the end of "opt-out consent" as a concept in the U.S.
Retention limitation: CPRA requires that companies retain personal information only for as long as reasonably necessary for the purpose for which it was collected, and that they disclose the intended retention period (or the criteria used to determine it) at collection. This is not explicitly stated in the CCPA, but it is a central concept of the GDPR and of other privacy laws around the world.
Extension of B2B and employee exemptions: The CPRA would extend the CCPA’s exemptions for employee data and personal information collected in the business-to-business context until January 1, 2023. There has been talk of a stand-alone privacy law to cover employee data, and this extension gives lawmakers an additional two years to develop it.
Additional fines for children’s data: CPRA would triple the fines allowed under CCPA when organizations violate the privacy rights of children under 16 years of age.
Expanded definition of breach: The CCPA includes a private right of action for certain data breaches. The CPRA expands the types of breaches for which consumers have a private right of action to include the exposure of an email address in combination with a password, or a security question and answer, that would permit access to the account.
Establishes the California Privacy Protection Agency: CPRA would establish the first dedicated privacy enforcement body in the U.S. While the U.S. Federal Trade Commission has been considered the de-facto privacy enforcer in the U.S., the California Privacy Protection Agency would be the first tasked specifically with protecting individuals’ privacy rights.
Change in scope: A company that does business in California currently falls within the scope of the CCPA if it meets at least one of three criteria:
- Buys, receives, sells, or shares the personal information of 50,000 or more California consumers, households, or devices annually;
- Has annual gross revenue of over $25 million; or
- Derives 50% or more of its annual revenue from selling (or, under CPRA, sharing) California consumers' personal information.
CPRA raises the first threshold to 100,000 or more consumers or households, meaning some small and medium-sized businesses will no longer be within scope of the law.
CPRA will go into effect on Jan. 1, 2023, and will apply to personal information collected on or after Jan. 1, 2022, giving companies just over a year to get their privacy practices in order. Sentinel has developed an extensive gap analysis and work plan to help companies reach and maintain compliance, no matter what state your program is in today.