California Approved a New Privacy Act
5 November 2020
Technology & eCommerce Regulation in the Spotlight
On 3 November, Californian voters approved the California Privacy Rights Act (“CPRA”). The CPRA considerably revamps California’s data protection legislation by amending the current California Consumer Privacy Act (“CCPA”), both substantively and procedurally, which is why it is commonly referred to as “CCPA 2.0”.
The CPRA was the subject of Proposition 24 on California’s recent ballot and, following its approval, will enter into force on 1 January 2023.
The CPRA also creates a new authority, the California Privacy Protection Agency (“CPPA”), to enforce the new act and to issue further regulations. Currently, the California Attorney General holds this mandate with regard to the CCPA. California will be the first US state to establish an enforcement agency dedicated specifically to privacy.
Below are some of the key changes under the CPRA:
- Notable new and revised definitions:
- Sensitive personal information: the CPRA introduces a new definition of “sensitive personal information”. This definition includes, inter alia, race, religion, sexual orientation, social security number and precise geolocation.
- “Share” and not just “sell”: the CCPA includes various provisions that apply to the selling of personal information. The CPRA introduces a new definition of “sharing”, which is distinct from selling. Under the new act, sharing means communicating data subjects’ personal information for “cross-context behavioral advertising” (advertising targeted on the basis of information acquired across different businesses, websites or services), regardless of whether any money or other valuable consideration is exchanged.
- Revised scope of applicability: the CPRA amends the CCPA’s thresholds for applicability. While more small businesses are expected to fall outside the act following the change, businesses that were previously excluded because their activity did not amount to a sale may now be covered because of the new provisions on sharing of personal information. Under the revised scope, the CPRA will cover businesses that conduct business in California if at least one of the following conditions applies:
- The business’ annual gross revenues exceed $25 million (unchanged from the CCPA); or
- The business annually buys, sells or shares the personal information of more than 100,000 Californian residents or households (the CCPA’s original threshold was 50,000 and also counted devices, which are no longer included in this count); or
- The business derives over 50% of its annual revenue from selling or sharing the personal information of Californian consumers.
- Data minimization and purpose limitation: covered businesses will be specifically prohibited from collecting, using and retaining personal information beyond what is reasonably necessary for the purposes for which it was originally collected or processed.
In addition, pursuant to this amendment, privacy policies will need to specifically state the retention period for each category of personal information.
- Partners’ obligations and data processing agreements: covered businesses will need to enter into written contractual agreements with entities that receive personal information from the business (such as the newly defined “contractors” and service providers). In turn, such entities will need to bind their own subcontractors to the same written terms and notify the business of any engagement with a new subcontractor. Under these agreements, the business’ partners will need to adhere to the CPRA’s requirements, including keeping data they obtain for advertising and marketing purposes separate from other data.
- Additional data subjects’ rights added by the CPRA:
- Correction: data subjects will be given the right to correct inaccurate personal information held about them by businesses;
- Automated decision-making: data subjects will be given a right to access meaningful information about the logic behind automated decision-making, as well as its likely outcome. Data subjects will also be able to opt out of having their personal information used for such automated decision-making where it involves evaluations of them, including, inter alia, their economic situation, health and performance at work;
- Expanded data portability: data subjects will be able to request that specific pieces of their personal information be transmitted directly to another entity in a structured, commonly used and machine-readable format. The CCPA’s data portability only allowed data subjects to receive their personal information themselves, following an access request, in a format that would allow its portability.
- Right to limit use of sensitive personal information: data subjects will be able to limit the use and disclosure of their sensitive personal information for certain purposes. This option will also need to be presented to data subjects through a dedicated opt-out link.
- Opt out of sharing: data subjects will have a right to opt out of the sharing of their personal information with third parties for cross-context behavioral advertising. This will also be reflected in the current CCPA opt-out-of-sale link, which will be changed to “Do Not Sell or Share My Personal Information”.
- Expanded access right: covered businesses will need to provide access to any personal information collected on or after 1 January 2022, unless doing so proves impossible or would involve a “disproportionate effort”. This modifies the CCPA’s access right, which limited access to a 12-months’
- Security of personal information: the CPRA specifically requires covered businesses to implement reasonable security procedures and practices. Businesses engaged in high-risk processing activities will need to regularly submit risk assessments to the CPPA. The specifics of these provisions are expected to be developed in further regulations.
- Minors’ personal information: the CPRA triples the fine for violations involving minors’ personal information, which may therefore amount to $7,500 per violation even where the violation is unintentional (under the CCPA, the $7,500 fine applies only to intentional violations).
- Expanded private right of action: the CPRA expands consumers’ private right of action compared to the CCPA to include the breach of an email address together with the associated password, or security question and answer.
Until the CPRA enters into force, the current text of the CCPA remains fully in effect. In parallel, the approval of the CPRA extends the existing CCPA exemptions for employment-related and business-to-business personal information by one year: they will now expire on 1 January 2023.
As with the CCPA, regulations to further develop the CPRA are expected, with an adoption deadline of 1 July 2022. While the act may be revised before its initial date of enforcement, any changes are likely only to make it more stringent, as its text allows amendments only where they are consistent with, and further, its purpose and intent.
Although the CPRA’s entry into force is still some way off, companies should familiarise themselves with its provisions in order to prepare adequately for its new obligations, which will require significant adjustments, including to existing procedures and contracts.
Please feel free to contact us with any further question or comments regarding the effect and implications of the CPRA, and how it may affect your compliance efforts.
********************
Kind regards,
Ariel Yosefi, Partner
Head of Technology & eCommerce Regulation
Herzog Fox & Neeman