With the passage of the ballot initiative known as the Consumer Privacy Rights Act (CPRA or Act) in California, we are presenting several blog articles on different topics related to this new law. Last week, we wrote about the newly-added definition of sensitive information. This week we will focus on some key effective dates in the CPRA along with what it will mean to have a separate privacy rights enforcement agency.

CPRA Effective January 1, 2023

The good news is that the CPRA’s effective date is January 1, 2023, so businesses have some time to assess and get ready for the new law while the California Consumer Privacy Act (CCPA) is still in effect and enforceable. The CPRA functions like an overlay to CCPA. Once the CPRA takes effect in 2023, it will become the privacy law of the land in California.

There is one exception to the 2023 effective date, and that is with respect to the right of access. The CPRA’s right to know or right of access applies to personal information collected by a business on or after January 1, 2022. The exemptions for employee information and business-to-business information remain in place until January 1, 2023. The CPRA also grants additional rulemaking authority, and that rulemaking may take place before the effective date.

Creation of the California Privacy Protection Agency

Section 24 of the CPRA creates the California Privacy Protection Agency (CPPA or Agency), established in the state government of California. The Agency is vested with full administrative power, authority, and jurisdiction to implement and enforce the California Consumer Privacy Act. Section 1798.199.10(a) states that: “[t]he Agency shall be governed by a five-member board, including the Chair. The Chair and one member of the board shall be appointed by the Governor. The Attorney General, Senate Rules Committee, and Speaker of the Assembly shall each appoint one member. These appointments should be made from among Californians with expertise in the areas of privacy, technology, and consumer rights.” Subsection (b) states that the initial appointments to the Agency shall be made within 90 days of the effective date of the Act.

The board will have the authority to appoint an executive director, and the Agency will have broad powers to protect “the fundamental privacy rights of natural persons with respect to the use of their personal information.” Section 1798.199.40(c). The CPRA allows individuals, businesses, customers, advocacy groups and vendors to file complaints with the Agency regarding the privacy practices of a business. The Agency will have the power to investigate complaints, to hold hearings to determine whether a violation has occurred, and to issue orders to cease and desist and to pay an administrative fine of up to $2,500 for each violation, or up to $7,500 for each intentional violation and for each violation involving the personal information of minor consumers. The Agency also has the power to bring a civil action in the superior court for the purpose of collecting unpaid administrative fines.

The Agency also is charged with providing guidance to both consumers and businesses regarding their rights and responsibilities under the CPRA. One final note is that Section 1798.199.100 states that the Agency “shall consider the good faith cooperation of the business, service provider, contractor, or other person in determining the amount of any administrative fine or civil penalty for a violation of this title.”

With the passage of the Consumer Privacy Rights Act (CPRA), we are presenting several blog articles on different topics related to the new law. We previously wrote about key effective dates and the newly-added definition of sensitive information. This week, we will focus on consumer opt-out rights and data profiling.

Consumer Opt-Out Rights

The CPRA created several new rights for consumers – one of which is the right to opt out of the sale or the sharing of their personal information. In order to understand this new opt-out right, we need to review the new definition of sharing personal information in the CPRA.

The CPRA differentiates between the sale of personal information and the sharing of personal information. Sharing personal information means disclosing it to third parties for “cross-context behavioral advertising, whether or not for monetary or other valuable consideration, including transactions between a business and a third party for cross-context behavioral advertising for the benefit of a business in which no money is exchanged.” Section 1798.140 (a)(h)(1).

What is cross-context behavioral advertising? Think about advertising targeted to the consumer based on their internet behavior. Contextual advertising might be an ad shown specifically to a consumer for a product related to that consumer’s internet search. If you are a California resident, the CPRA will give you the right to opt out of the sharing of your personal information in this way. How will a consumer exercise this right? The CPRA states that a consumer shall have the right, at any time, “to direct a business that sells or shares personal information about the consumer to third parties not to sell or share the consumer’s personal information.” Section 1798.120(a).

Data Profiling – What is it?

Another consumer right related to the consumer opt-out rights found in the CPRA pertains to data profiling. Profiling is defined in the CPRA as the automated processing of personal information “to evaluate certain personal aspects relating to a natural person, and in particular to analyze or predict aspects concerning that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behavior, location or movements.” Section 1798.140(z). One bright note is that Section 1798.185(a)(16) states that regulations will need to be developed “governing access and opt-out rights with respect to businesses’ use of automated decision-making technology, including profiling and requiring businesses’ response to access requests to include meaningful information about the logic involved in such decision-making processes, as well as a description of the likely outcome of the process with respect to the consumer.”

We will be following these opt-out rights closely – both from a consumer privacy standpoint and for businesses that use such targeted advertising technologies, including automated processing of personal information – to see how the regulations will address the logic involved in the decision-making process and its impact on consumers.

The California Privacy Rights Act (CPRA) expands the definition of personal information as it currently exists in the California Consumer Privacy Act (CCPA). The CPRA adds “sensitive personal information” as a defined term, which means:

(1) personal information that reveals:

(A) a consumer’s social security, driver’s license, state identification card, or passport number;

(B) a consumer’s account log-in, financial account, debit card, or credit card number in combination with any required security or access code, password, or credentials allowing access to an account;

(C) a consumer’s precise geolocation;

(D) a consumer’s racial or ethnic origin, religious or philosophical beliefs, or union membership;

(E) the contents of a consumer’s mail, email and text messages, unless the business is the intended recipient of the communication;

(F) a consumer’s genetic data; and

(2) (A) the processing of biometric information for the purpose of uniquely identifying a consumer;

(B) personal information collected and analyzed concerning a consumer’s health; or

(C) personal information collected and analyzed concerning a consumer’s sex life or sexual orientation.

This is perhaps the broadest definition of personal information in the country, as it now includes entirely new classes of personal information such as racial or ethnic origin, religious or philosophical beliefs or union membership, the contents of a consumer’s mail, email and text messages, genetic data, biometric data, and data collected and analyzed concerning a consumer’s health, sex life or sexual orientation.

What does this mean for a business that is covered by the CPRA? In a previous post, we provided a detailed overview of the CPRA, but suffice it to say that if the business had to comply with the CCPA, it also will likely be covered by the CPRA. Given this new definition of sensitive personal information, one of the first steps in thinking about CPRA compliance will be data mapping to determine whether the business collects any of these new categories of sensitive personal information. The CPRA is still very much a consumer-focused law with the goal of expanding consumer knowledge about the types of personal information businesses collect about consumers and how that personal information is used, sold, or shared. It will be a critical first step for businesses to understand the data and personal information they collect about consumers and whether they collect any sensitive personal information under this new definition.

According to the Los Angeles Times and other media outlets, Californians passed Proposition 24, also known as the California Privacy Rights Act of 2020 (CPRA). With 71.61 percent of precincts reporting, the measure passed with 56.1 percent of the vote. We wrote about the CPRA last week, and we provided an overview of this new privacy law in California that expands on the California Consumer Privacy Act (CCPA).

The CPRA has some new privacy provisions that pull from other privacy laws. Of particular interest in the CPRA are provisions to expand the restrictions on the sale of personal information to include the sharing of personal information, the regulation of automated decision making, the requirement of additional security and risk assessments for certain businesses, additional requirements for third parties, and the creation of a new regulatory agency for enforcement actions.

We will continue to review the CPRA and will provide more details soon regarding this new California privacy law and what it means for businesses.

Although the Presidential race is unconfirmed at the time of this writing, there are several data privacy and security laws to put on your radar following the election this week.

Here is a brief list of laws that passed that we are aware of so far. We will provide more information as news breaks, but in this ever-changing area, we want to alert you to some important changes in the state law landscape following the election.

California’s Prop 24

This proposition updates California’s CCPA, now referred to as the California Privacy Rights Act (CPRA). In addition to other provisions [view related here and here], from a compliance perspective, it establishes a first-of-its-kind enforcement agency, the California Privacy Protection Agency, which will oversee enforcement of the CPRA, and further establishes fines and penalties for violation of the law. The law goes into effect on January 1, 2023, for all data that are collected starting on January 1, 2022. Keep this one on your compliance radar and we will update you further.

Maine Approves Referendum on Limiting Use of Facial Recognition Technology

Maine voters approved Referendum Question B, which strengthens the ban on the use of facial recognition surveillance technology by police and public officials.

Massachusetts Votes in Favor of Ballot Question 1

Massachusetts voted in favor of Ballot Question 1, which would require car manufacturers to equip vehicles using telematic systems with an open-access data platform starting with the model year 2022.

A detailed analysis of Ballot Question 1 is here.

Michigan Amends Constitution to Require Warrant for Access to Electronic Data

In Michigan, it appears that voters have approved an amendment to the state constitution to require search warrants for law enforcement to access electronic data and communications. The measure amends that part of the constitution that provides for the protection against unreasonable search and seizure.

Staying abreast of new state laws and regulations is a complex process for those charged with compliance adherence. We will continue to update you on the most significant changes to assist you in your compliance efforts.

Proposition 24 is known as the California Privacy Rights Act of 2020 (CPRA). It is on the ballot in California on November 3, and if it passes it will amend and expand certain provisions of the California Consumer Privacy Act (CCPA). Some say it’s CCPA 2.0, however, there are some provisions that make the CPRA look more like the General Data Protection Regulation (GDPR) – the European data regulation that reshaped privacy rights in the European Union. Two provisions in particular are very GDPR-like; specifically, the creation of the California Privacy Protection Agency (CPPA), which will become the regulator charged with implementing and enforcing both the CCPA and CPRA, and the expanded definition of sensitive personal information. CPRA would become effective Jan. 1, 2023, with an enforcement date of July 1, 2023. Here are some key highlights of Proposition 24.

What’s new for California consumers in CPRA? CPRA creates a new category of data, similar to GDPR, for sensitive personal information. CPRA also adds several new rights for consumers:

  • to restrict the use of sensitive personal information;
  • to correct inaccurate personal information;
  • to prevent businesses from storing data longer than necessary;
  • to limit businesses from collecting more data than necessary;
  • to know what personal information is sold or shared and to whom, and to opt out of that sale or sharing of personal information;
  • CPRA expands the non-discrimination provision to prevent retaliation against an employee, applicant for employment, or independent contractor for exercising their privacy rights.

What do businesses need to know regarding CPRA? It creates a new data protection agency with regulatory authority for enforcement of both CCPA and CPRA. Some new key provisions for businesses are:

  • the CPRA creates a Chief Auditor, who will have the authority to audit businesses’ data practices;
  • the CPRA also requires high risk data processors to perform regular cybersecurity audits and regular risk assessments;
  • the CPRA adds provisions regarding profiling and automated decision making;
  • the CPRA adds restrictions on transfer of personal information;
  • the CPRA requires businesses that sell or share personal information to provide notice to consumers and a separate link to the “Do Not Sell or Share My Personal Information” webpage and a separate link to the “Limit the Use of My Sensitive Personal Information” webpage or a single link to both choices;
  • the CPRA triples the fines set forth in CCPA for collecting and selling children’s private information and requires opt-in consent to sell personal information of consumers under the age of 16;
  • the CPRA expands the consumer’s private right of action to include a breach of a consumer’s email address and password/security question and answer.

The CPRA also changes the definition of “business” to more clearly define the annual period of time to determine annual gross revenues, which specifies that a business must comply with CPRA if, “as of January 1 of the calendar year,” the business had annual gross revenues in excess of twenty-five million dollars “in the preceding calendar year,” or alone or in combination annually buys or sells or shares the personal information of 100,000 or more consumers or households, or derives 50 percent or more of its annual revenues from selling or sharing consumers’ personal information.

In addition to these criteria, CPRA adds somewhat puzzling language that states that a business would also be defined in the CPRA as a person that does business in California, that is not covered by one of the criteria described above, who may voluntarily certify to the California Privacy Protection Agency that it is in compliance with and agrees to be bound by CPRA.

The CPRA adds the new term “contractor” in addition to service provider. A contractor is a person to whom the business makes available a consumer’s personal information for a business purpose pursuant to a written contract with the business. The CPRA contains specific provisions to be included in the contract terms, and the contract must include a certification that the contractor understands the restrictions and will comply with them. The CPRA adds several new definitions, including definitions for cross-context behavioral advertising, dark pattern, non-personalized advertising, and profiling, and makes some changes to the definition of personal information. The CPRA eliminates some of the CCPA language regarding the “categories” of personal information.

The CPRA also adds “sensitive personal information” as a defined term which means:

(1) personal information that reveals: (A) a consumer’s social security, driver’s license, state identification card, or passport number; (B) a consumer’s account log-in, financial account, debit card, or credit card number in combination with any required security or access code, password, or credentials allowing access to an account; (C) a consumer’s precise geolocation; (D) a consumer’s racial or ethnic origin, religious or philosophical beliefs, or union membership; (E) the contents of a consumer’s mail, email and text messages, unless the business is the intended recipient of the communication; (F) a consumer’s genetic data; and (2) (A) the processing of biometric information for the purpose of uniquely identifying a consumer; (B) personal information collected and analyzed concerning a consumer’s health; or (C) personal information collected and analyzed concerning a consumer’s sex life or sexual orientation.

The CPRA retains the CCPA exemptions for medical information governed by the California Confidentiality of Medical Information Act or protected health information collected by a covered entity or business associate under HIPAA (Health Insurance Portability and Accountability Act) and HITECH (Health Information Technology for Economic and Clinical Health Act), personal information collected as part of a clinical trial or other biomedical research study, activity involving the collection of personal information bearing on a consumer’s credit worthiness, and personal information collected, processed, sold or disclosed subject to the Gramm-Leach-Bliley Act or the federal Driver’s Privacy Protection Act of 1994.

The CCPA’s limited exemptions for employment information and so-called business-to-business information are also continued in the CPRA; however, these provisions expire on January 1, 2023.

The CPRA provides authority for the CPPA to create extensive regulations, including a requirement for regulation of businesses whose processing of consumers’ personal information presents significant risk to consumers’ privacy or security to: (A) perform a cybersecurity audit on an annual basis, including defining the scope of the audit and establishing a process to ensure that audits are thorough and independent; and (B) to submit to the CPPA on a regular basis a risk assessment with respect to the processing of personal information.

The private right of action under the CPRA is expanded so that consumers whose email address, in combination with a password or security question and answer that would permit access to the account, is breached are able to institute a civil action and to recover damages or other injunctive relief. The CCPA’s 30-day cure period after notice of a breach is eliminated, and administrative fines for violation of the CPRA increase to not more than $2,500 for each violation or $7,500 for each intentional violation or violation involving the personal information of consumers that the business has actual knowledge is under 16 years of age. The CPPA will have broad powers of investigation and enforcement for violations of the CPRA.

We will follow the progress of Proposition 24 on election day and provide an update here next week.

The California Consumer Privacy Act of 2018 (CCPA) currently exempts from its provisions certain information collected by a business about a natural person in the course of the person acting as a job applicant, employee, owner, director, officer, medical staff member, or contractor of a business. This exemption is set to expire on December 31, 2020. In addition, the so-called business-to-business exemption for transactions and communications with the business that occur solely within the context of the business conducting due diligence regarding or providing or receiving a product or service to or from that company, partnership, sole proprietorship, nonprofit, or government agency is also set to expire on December 31, 2020.

Recent legislation passed in California would extend both of the exemptions until January 1, 2022. Assembly Bill 1281 (AB 1281), which was presented to Governor Gavin Newsom on September 8, 2020, extends the one-year exemption for employee information and business-to-business information for another year, until January 1, 2022. The bill also provides that the extension of these exemptions is contingent upon voters not approving ballot Proposition 24, known as the California Privacy Rights Act of 2020 (CPRA). Should the CPRA pass on November 3, it would extend these exemptions until January 1, 2023. Some other highlights of the CPRA include the creation of a new category of sensitive personal information (SPI) that would give consumers the power to restrict its use, a provision that allows consumers to prohibit businesses from tracking their precise geolocation to a location of approximately 250 acres, and the addition of email and passwords to the list of defined “personal information” included in a data breach.

The key takeaway here is that if AB 1281 is enacted or if Proposition 24 passes, employee/job applicant information as well as business-to-business communications will continue to be exempt from the CCPA. Both AB 1281 and AB 713 regarding medical information, which we wrote about recently here, are currently on Governor Newsom’s desk.

The California Privacy Rights Act (CPRA) recently qualified for the November 2020 ballot, and if California voters approve this initiative, the CPRA will expand the rights of California residents under the current (stringent) California Consumer Privacy Act (CCPA), beginning on January 1, 2023.

So what will change under the CPRA?

  1. Creation of the California Privacy Protection Agency (CPPA): If the CPPA is created, it would be the first of its kind in the United States. The CPPA would be governed by a five-member board that would have full administrative power, authority and jurisdiction to implement and enforce the CCPA (instead of the California Attorney General).
  2. Stricter Definitions: CPRA defines “sensitive personal information” more strictly than “personal information;” “sensitive personal information” includes government-issued identifiers (i.e., Social Security numbers, driver’s license numbers, passport numbers), account credentials, financial information, precise geolocation, race or ethnic origin, religious beliefs, contents of certain types of messages (i.e., mail, e-mail, text), genetic data, biometric information, and other types of information.

The CPRA also would create new obligations for companies and organizations processing sensitive personal information. It also would allow consumers to limit the use and disclosure of their sensitive personal information.

The CPRA would also expand consumer rights under the CCPA. Specifically, under the CPRA, consumers would have the right to:

  1. Correct personal information;
  2. Know the length of data retention;
  3. Opt out of advertisers using precise geolocation; and,
  4. Restrict usage of sensitive personal information.

The CPRA also would extend the moratorium related to employee data until January 1, 2023; currently, under the CCPA, employee data are not covered until January 1, 2021. Note that California AB-1281, which was enrolled on September 1, 2020, extends the current exemption for employee data to January 1, 2022 in the event that the CPRA is not voted into law.

Lastly, in addition to the private right of action for data breaches under the CCPA, the CPRA would expand this private right of action to include the unauthorized access or disclosure of an email address and password or security question that would permit access to an account if the business failed to maintain reasonable security safeguards.

While many companies are still grappling with the nuances of the CCPA, if the CPRA gets the green light from voters in November, it will bring yet another wave of compliance issues and implementation of new policies, procedures and processes for many businesses in and outside of California. We will watch this ballot question closely as we near the November election.

The consumer group Californians for Consumer Privacy announced on May 4, 2020, that it was submitting well over 900,000 signatures to qualify the California Privacy Rights Act (CPRA) for the November 2020 ballot.

This new ballot initiative, which can be reviewed here, creates some additional consumer privacy rights and expands some areas already included in the California Consumer Privacy Act (CCPA) regarding consumer privacy rights, including:

  • A new definition of sensitive personal information, including information about health, finances and a consumer’s precise geolocation;
  • a right of correction to allow California residents to request that a business correct personal information that is inaccurate;
  • increased administrative fines of not more than $2,500 for each violation or $7,500 for each intentional violation involving the personal information of consumers whom the business, service provider, contractor or other person has actual knowledge is under 16 years of age;
  • the creation of a new enforcement agency – the California Privacy Protection Agency – to enforce consumer privacy actions; and
  • changes to the private right of action, including a private right of action for personal information security breaches if the email address of a California resident – in combination with a password or security question and answer – is subject to an unauthorized access and exfiltration, theft, or disclosure as a result of the business’s violation of the duty to implement and maintain reasonable security procedures and practices appropriate to the nature of the information to protect the personal information.

One of the stated purposes of the CPRA is that consumers should know who is collecting their personal information and that of their children, how that information is being used, and to whom it is being disclosed, so consumers will have the information necessary to exercise meaningful control over a business’ use of their personal information and that of their children. We will continue to follow the CPRA to track its progress.