California Privacy Rights Act (CPRA) amends CCPA

Introduction

While the revolutionary California Consumer Privacy Act (CCPA) just finished the long road to enforcement on July 1, 2020, the state is already evaluating significant changes to its brand new privacy law.  The CCPA was a first of its kind law in the US providing a broad set of rights to California consumers.  This law expanded the definition of “personal data” and allowed for the enforcement of penalties on businesses that handle California resident data despite where that business may be located (more on CCPA in our overview here).

“CCPA 2.0” or the California Privacy Rights Act (CPRA) drastically amends the CCPA.  The amendments address shortfalls of the law that many feel were not originally included due to the short timeframe available to draft CCPA.  The CPRA will officially be on the ballot in November 2020 and, if passed, changes would take effect January 1, 2023

What’s Changing with CPRA

In an effort to avoid the year-long battle of amendment development and voting experienced with the CCPA, backers of the CPRA have worked with various special interest and business groups in order to incorporate lessons learned from both parties.  The result is a series of amendments, outlined below, that support expansion of consumer rights, while also incorporating considerations to ease the burden on businesses.

Consumer Focused Enhancements

  • New Enforcement Agency: Creates a dedicated privacy agency that focuses on enforcement, issuing new rules, and education. This agency would gradually take over responsibility from the State Attorney General’s office.
  • Special Treatment of Newly Defined “Sensitive Data”: Generates a relatively broad new subcategory of personal data including data elements such as precise geolocation data, government identifiers (e.g., SSN), biometric data, and account logins. If a business collects this data, they would have additional requirements for activities such as data minimization and managing opt-out preferences.
  • Risk Assessment and Audits: Businesses performing “high risk processing” would be required to meet an annual set of risk assessment and independent audits, including a cybersecurity audit. The exact definitions of these businesses and audits would be provided by regulation guidance from the new enforcement agency.
  • Expansion on Data Breach Liability: Definition now includes loss of e-mail address in combination with passwords and/or security questions.
  • Expanded fines for breach of data on minors: All violations carry a $7500 per incident penalty.
  • Additional Consumer Rights: Provides consumers with the right to correct data about themselves, the right to access and opt-out of automated decision making and profiling.
  • Data Retention: Businesses must inform consumers of the length of time they will retain personal data and cannot retain information longer than specified in this notice.
  • Removes Right to Cure: Removes the CCPA defined window of 30 days to cure an identified gap in the businesses’ privacy processes before the enforcement agency can take action.

Business Friendly Revisions

  • Extends Moratorium on Business-to-Business (B2B) and Employee Data: Expands on CCPA amendment to extend moratorium on business related data until January 1, 2023.
  • Expands Exemptions: Highlights that organizations don’t need to acquire new technology to identify personal data when responding to data deletion and access requests for many types of unstructured data. Provides exemptions for providing data that would qualify as trade secrets or used as insights for security and fraud analysis.
  • Loyalty Club Allowance: Explicitly notes that businesses can provide rewards clubs.
  • Clarifies Important Definitions: Aligns “de-identification” definition to Federal Trade Commission’s (FTC). Provides certain cases where sharing information with ad tech is not explicitly a sale. Removes scoping consideration for device counts and raises minimum threshold of consumers to 100,000.
  • Self-Certification: Provides option for small businesses outside the threshold of the law to self-certify their alignment to the law as a business differentiator.
  • Third Party Considerations: Provides definition and obligations for newly added “contractors”. Also presents groups like service providers with new requirements to support businesses with meeting their privacy obligations.
What’s Next

The above contains a lot of what-ifs that depend on voter response come November.  On the one hand, privacy regulations have consistently polled at all-time highs across the state (Close to 9 out of 10 residents would vote for it).  Backers of the law were able to gather over 900,000 signatures from residents even during the COVID health crisis.

On the other hand, California faces a significant budgetary crisis and a full docket of pressing health, social, and economic issues this year.  It will be important to track the outcome of this vote. Either way, action may be required by businesses across the globe.  If it passes, organizations will need to address the CPRA’s additional privacy requirements.  If it fails, there will be significant considerations to manage B2B and employee data once the CCPA moratorium on this data expires on January 1, 2021.

What to Do to Prepare

There is only one certainty in the landscape of data privacy these days; the only constant in this field is change.  Therefore, to be prepared for the potential impact of CPRA and other laws, it is important to establish a comprehensive data privacy program that can ingest and rationalize these requirements as they develop in the coming years.  The building blocks for this type of program include:

  • Inventory the personal data your organization collects and shares with others.
  • Build a rationalized framework of data privacy requirements that harmonizes your requirements across potential multiple laws and jurisdictions.
  • Name a leader who will be accountable for the direction of your privacy program.
  • Establish an enterprise policy regarding how you will support the privacy of user data. Train your enterprise on this policy and their roles to support it.
  • Perform a risk assessment against your current state environment to build a prioritized list of gaps for remediation for items such as notices, policies, contracts, privacy impact assessments, security controls, and responding to data subject rights.
  • Perform on-going record keeping of your privacy operations and perform recurring maintenance on documents to align with business.
We Can Help

Elliott Davis can help you to evaluate and outline the impacts of emerging data privacy law on your operations.  Please reach out to a member of our Data Privacy team for additional insights.

The information provided in this communication is of a general nature and should not be considered professional advice.  You should not act upon the information provided without obtaining specific professional advice. The information above is subject to change as a result of rapidly evolving legislative developments and government guidance.