By now, many of you have likely heard of the California Consumer Privacy Act (the “CCPA”). The law, passed by California’s State Legislature in 2018, became effective on January 1, 2020. The CCPA gives California residents more control over the personal information that businesses collect about them, granting residents the right to know how businesses use/share their personal information, the right to request that a business delete their collected personal information, and the right to opt-out of the sale of their personal information. The CCPA borrows many of its provisions from the European Union’s General Data Protection Regulation (“GDPR”). While many believed that the GDPR (adopted by the EU in 2016) would serve as a catalyst for the United States to enact a similar data privacy law, the U.S. has yet to pass, or even seriously consider, any comparably comprehensive data privacy legislation at the national level.
While several other states have passed data privacy and protection laws since 2018, arguably none have enacted laws as extensive as the CCPA. However, due to revisions California’s legislature made to the original text of the CCPA, as well as certain language included in the Final CCPA Regulations published by California’s Office of the Attorney General (OAG) earlier this year, many Californians and consumer advocacy groups do not believe the CCPA goes far enough to protect consumers’ personal information. Thus, on election day this year, California voters approved ballot initiative “Proposition 24” – the California Privacy Rights Act of 2020 (the “CPRA”). The CPRA gives additional rights to California residents and further limits businesses’ ability to use/sell/share personal information, amending and expanding upon the CCPA.
Most of the CPRA’s substantive provisions will not become effective until January 1, 2023. However, businesses may begin preparing for compliance with the CPRA by familiarizing themselves with the following highlights of the new law:
- Applicability – Whether or not the CCPA applied to your business, the same may not be true under the CPRA. For example, the CPRA will cover businesses that buy, sell, or share over 100,000 consumers’ personal information (up from 50,000 under the CCPA), reducing the applicability of the law to small and midsize businesses.
- Enforcement – The CCPA is currently enforced by California’s Office of the Attorney General (OAG). However, the CPRA establishes the California Privacy Protection Agency, which will have investigative, enforcement, and rulemaking powers instead of the OAG. The CPRA also removes the 30-day cure period businesses have under the CCPA and increases maximum penalties for violations concerning minors.
- New category of “sensitive personal information” – The CPRA will keep the existing categories of personal information defined in the CCPA, but will add a new category for “sensitive personal information.” Californians will have increased rights when their sensitive personal information is involved.
- Expanded contractual requirements – The CPRA limits the use of personal information by service providers and contractors and adds contractual requirements regarding relationships between businesses and such third parties.
- Modifying/adding new consumer rights – The CPRA expands an individual’s private right of action for certain types of data breaches and requires that covered businesses provide consumers with two or more methods for submitting requests to correct inaccurate personal information.
- Regulates “sharing” in addition to “selling” personal information, to include cross-context behavioral advertising – The CPRA expands upon the CCPA’s limitations on businesses’ “sale” of consumers’ personal information to cover the “sharing” of consumers’ personal information even if such information is not being sold for monetary value. Specifically, this will regulate “cross-context behavioral advertising,” defined by the CPRA as “the targeting of advertising to a consumer based on the consumer’s personal information obtained from the consumer’s activity across businesses, distinctly branded websites, applications, or services, other than the business, distinctly-branded website, application, or service with which the consumer intentionally interacts.” Businesses that share personal information, including in the cross-context behavioral advertising context, will need to provide an opt-out choice for consumers, such as “Do Not Sell/Do Not Share My Personal Information for Cross-Context Behavioral Advertising.”
The above highlights, as well as the other provisions of the CPRA, bring California’s data privacy laws closer to resembling the GDPR. It will be interesting to see whether other states follow suit in 2021. While Virginia established a task force to study data privacy issues last General Assembly session, it has not yet passed any data privacy law as comprehensive as the CCPA/CPRA. The Commonwealth, as well as numerous other states, will likely consider data privacy legislation next year.
In the meantime, while the effective date of the CPRA may seem far away, California’s OAG continues to publish updates to the CCPA Regulations and to enforce existing law. For example, while the Final Text of the CCPA Regulations was published in August, the OAG released a fourth set of modifications to the Regulations on December 10, 2020. The latest modifications include further clarifications on the CCPA, including much-awaited guidance on the “Do Not Sell My Personal Information ‘Button.’” Thus, businesses still need to regularly review their CCPA compliance while they prepare for the CPRA. You can find more information on the CCPA, including updates, here: https://www.oag.ca.gov/privacy/ccpa. Gavin Law Offices will continue to track data privacy-related issues in California, Virginia, and across the U.S. and abroad, and is here to help you navigate this complex field of law.
– Courtney Reigel, Esq.