Introduction
In 2019, at the Facebook F8 Developer Conference, Facebook (now Meta) CEO Mark Zuckerberg said something that no big tech company had said before: “the future is private.” This statement shows that it is not just Facebook, or any other big tech company alone, that is working to bring itself in line with privacy; privacy is the only hope tech companies have to survive in today’s competitive market. We have witnessed a rise in privacy-related concerns raised by millions of people, organizations, activists, lawyers, institutions, and governmental agencies. This has been possible only because of recent changes in the market. Earlier, the concept of privacy and the laws relating to it were not common, but growing global awareness of individuals’ data and privacy has led lawmakers around the world to enact legislation on data protection and privacy. One such example is the General Data Protection Regulation (GDPR).
The GDPR has truly influenced many nations to formulate their own laws regulating the flow of personal data into and out of their economies. As it is often said, “data is the new oil of the digital economy.” Having a regulation, along with a regulatory authority, becomes essential to monitor and safeguard the rights of individuals as well as the flow of this new oil in the digital era.
In light of the above, California is one state in the United States that has succeeded in formulating a law on data protection and privacy for the residents of California, called the California Consumer Privacy Act (CCPA). It came into effect on 1st January 2020. What we all need to know about this Act is that in November 2020 the voters in California approved an amended version of the CCPA, and very soon this Act will be replaced by its successor, the California Privacy Rights Act (CPRA). In this blog we will dive into the new legislation, i.e., the CPRA, and what it brings to the table.
What is CPRA?
The California Privacy Rights Act (CPRA) is an extension of, or successor to, the former data protection and privacy law, the California Consumer Privacy Act (CCPA). The CPRA will be effective from 1st January, 2023. However, some of its provisions have already been in effect since 1st January, 2022: for example, the CPRA applies to consumer data collected by businesses and organizations on or after 1st January, 2022. Hence, organizations and businesses that fall under the ambit of this new legislation are advised to comply with its requirements starting from 1st January, 2022.
If we compare the CPRA to its predecessor, the CCPA, the current Act is in some ways more friendly toward small businesses. Additionally, the CPRA widens its scope in the following ways:
- Consumers get more rights under this law;
- Fines for violating the provisions pertaining to children’s privacy have tripled;
- The use of users’ “sensitive personal information” is limited;
- Businesses and organizations are prevented and restricted from knowing users’ geolocation;
- Businesses and organizations are restricted from profiling users;
- A new agency, the California Privacy Protection Agency, is established to ensure rigorous enforcement of the law.
We will discuss all of these changes in detail later in this blog.
Which entities does the CPRA apply to?
The CPRA applies only to for-profit businesses and organizations that are either located in the State of California or do business with residents of California. The essential point is that even if your business is not located in the State of California, if you have users from California and your business collects their data, your business falls under the ambit of the CPRA. Further, at least one of the following requirements must be met for the CPRA to apply to your business or organization:
- The entity has annual gross revenue of $25 million or more;
- The entity sells, shares, or buys the personal information of 100,000 or more users residing in California per year;
- The entity earns 50% or more of its annual gross revenue by sharing or selling the personal information of its California users/customers.
The following entities also fall under the ambit of the current legislation:
- Joint ventures and partnerships: where each business holds an interest of at least 40%, each business in that joint venture or partnership is considered a separate entity in itself.
- Moreover, any entity or business that wishes to comply with the CPRA may do so, even if it does not meet the above requirements.
- Commonly controlled entities also fall under the ambit of this legislation. A controlled entity is one that either controls or is controlled by a covered entity, shares common branding with such an entity, or has access to the covered entity’s consumers’ personal information.
Consumer rights under CPRA
- Right to opt out: Under this new legislation, consumers have the right to opt in to or opt out of the collection, selling and/or sharing (with third parties) of their sensitive personal information. Businesses that sell or share personal data with third parties are required to add a “Do not sell my personal information” link on the homepage of their website. Moreover, businesses will also be required to add a “Limit the use of my sensitive personal information” link to comply with the CPRA’s requirement on limiting the use of consumers’ sensitive information.
- Right to correct and delete personal information: The CPRA gives consumers the right both to correct and to delete their inaccurate personal information. Entities that fall under the ambit of this law must disclose this right to their users/consumers and fix all such errors in their personal information after receiving such requests from their users.
- Right to access data: Under this new legislation, consumers have the right to access the data that entities have collected about them, and the period covered is no longer restricted to 12 months; it extends beyond 12 months. The only exception is where doing so is impossible or would require disproportionate effort by the entity; in such cases the CPPA will determine what exactly “disproportionate effort” means, as it may vary from case to case.
- Right to opt out of automated decision-making and profiling: Under this law, consumers have the right to opt out of both automated decision-making and profiling by businesses and organizations based on their personal or sensitive personal data. Organizations and businesses that collect such data must notify the public or their users before collection, and must explain how the automated decision-making works and how it affects the individuals’ autonomy.
- Private right of action: Under this law, consumers have the right to sue and seek damages from businesses and/or organizations that collected their personal data and, through negligence, allowed it to be compromised or breached. In such cases an individual has a private right of action against the defaulting business or organization, especially where the breach exposes the following information:
- Email address and password, along with the security question and answer, which would allow an attacker to easily access the user’s (the innocent party’s) account.
- Cases where the business or organization has been negligent in maintaining proper security standards, as it is their responsibility and obligation to ensure reasonable security of consumers’ personal data.
- Minors’ rights: The CPRA also aims to protect the privacy of children. It specifically requires businesses and organizations to seek and obtain explicit consent before collecting, sharing or selling minors’ data, and to state how the data will be used and for how long it will be retained.
Note: Businesses and organizations that willfully neglect this requirement shall be deemed to have had actual knowledge of the consumer’s age.
Obligations for businesses under CPRA
- Reasonable implementation of security measures: Businesses and organizations that fall under the ambit of the CPRA are obliged to implement and maintain reasonable security measures to protect the personal information of their customers/users. Further, businesses and organizations are advised to perform annual cybersecurity checks and are required to send the results to the CPPA for auditing purposes.
- Contractual obligations: The CPRA introduces new obligations for businesses that share, sell and/or disclose their users’ or customers’ personal data to contractors, third-party service providers, etc. In such cases, the business and the contractor/service provider must have a written contract covering the following (but not limited to):
- The information disclosed or sold by the business to the third party/service provider is only for limited purposes;
- Both contracting parties will comply with the CPRA requirements;
- The third party/service provider is obliged to notify the business if it is unable to, or can no longer, meet its CPRA compliance obligations;
- Lastly, the business has the right to take reasonable measures and actions in case of unauthorized access to or use of the personal information.
- Limited defenses: The present Act imposes certain limitations on the defenses available to businesses. From now on, businesses will not be able to rely on the defense of having implemented and maintained reasonable security practices and procedures after a data breach, as doing so will not be considered a cure or defense for that breach.
- Storage limitation and the principle of data minimization: These two principles also appear in the EU’s GDPR. The principle of storage limitation states that an entity or business should not retain its users’ personal data longer than needed for its intended purpose, and once the purpose is met the data should be discarded. The principle of data minimization states that a business should limit its collection of personal data and should collect it only if it is directly relevant and necessary to accomplish the required purpose.
California Privacy Protection Agency
One of the major differences between the CCPA and the current legislation, the CPRA, is that the CPRA establishes an independent agency known as the California Privacy Protection Agency (CPPA). This agency will initiate actions through the Administrative Law Court, whereas the earlier privacy legislation in California (the CCPA) gave the state court system the authority to enforce the privacy law.
The Administrative Law Court would further provide an independent and neutral hearing, and such hearings would be less formal and more transparent.
This change also shifts the responsibility for enforcing the CPRA to the newly established agency, the CPPA, whereas under the earlier privacy legislation (the CCPA) this responsibility lay with the Office of the Attorney General. The CPPA will also be responsible for educating the general public and raising awareness of their consumer privacy rights.
Penalties under CPRA
There is a threefold (3X) increase in penalties compared to the earlier privacy legislation in California. Entities covered under this legislation can be fined up to $7,500 per intentional violation, and the same amount for violations involving the personal information of people under the age of 16. For non-intentional violations, entities/businesses can still be fined up to $2,500 per violation. The earlier legislation (the CCPA) provided a 30-day cure period, which started automatically once a charge or allegation of a violation was made against the business. This has been struck down and cannot be found in the new legislation.
Moreover, under the CPRA, the agency (the CPPA) will decide on the cure period, i.e., how much time a business has to correct such violations.
Conclusion
From the above discussion, we can clearly see the new features of the latest data protection and privacy legislation for the State of California. The CPRA will be enforced from 2023; however, some of its provisions have been in effect since 1st January, 2022. It is essential for every business and organization to check whether it falls under the ambit of this new legislation. Moreover, the legislation applies to all personal data/information collected from 1st January 2022 onward, so every business should start complying with all of its requirements from 2022.
Apart from checking the applicability and scope of this legislation, businesses are also required to update their privacy policies, review and update their contracts with vendors and other service providers to comply with the CPRA, and lastly, update their websites and their methods of processing in accordance with the upcoming legislation.