What’s New in the CPRA (CCPA 2.0)? More Than You Think.
The California Privacy Rights Act of 2020 (CPRA) is on the ballot this November, and California voters are widely expected to approve the initiative. With some exceptions, the CPRA expands privacy protections afforded under the current California Consumer Privacy Act of 2018 (CCPA), giving consumers more rights over their personal information and requiring greater transparency and obligations from businesses. Beyond new rights, the CPRA establishes a privacy enforcement agency - the California Privacy Protection Agency - that would be the first state agency of its kind dedicated to privacy enforcement. The CPRA also reaches areas of digital privacy untouched by the CCPA, including dark patterns, behavioral advertising, and profiling.
In addition to these remarkable changes, the CPRA significantly amends existing rights and responsibilities presently enforced under the CCPA. The CPRA’s amendments serve to clarify ambiguous areas of the CCPA and, if passed, will better align the law’s text with its intent. By understanding these changes now – and not waiting until the new law takes effect – businesses will gain a leg up on meeting their existing compliance obligations under the CCPA while priming themselves for the future of privacy enforcement under the CPRA.
So, what’s new in the CPRA? A lot more than you think. Definitions are a good place to start.
The CPRA adds new defined terms and clarifies existing ones.
Brand New Terms
Among the new terms added in the CPRA – and not currently defined in the CCPA – are:
- Cross-context behavioral advertising
- Dark pattern
- Intentionally interacts
- Non-personalized advertising
- Security and integrity
- Sensitive personal information
A few of these new terms warrant a closer look, in order of significance.
Sharing. The most significant addition might be the inclusion of “sharing,” defined as the disclosure of personal information to a third party for purposes of cross-context behavioral advertising (itself a new defined term), also known as targeted or interest-based advertising. “Sharing” therefore includes activity commonly viewed as fitting the definition of a “sale” under the current CCPA, although this has been a gray area of the law. The CPRA helps resolve this ambiguity by regulating the activity in its own right, and, as explained below, granting consumers the same rights they have with regard to a “sale” of their personal information. A business that has sat on the sidelines during the initial months of CCPA enforcement and declined to call this type of sharing a “sale” is well-advised to treat it as such, given that the CPRA makes clear that consumers are entitled to have a say when their personal information is used for this purpose.
Contractor. Perhaps easily overlooked, “contractor” may not mean what you think it does. Under CPRA, a contractor is similar to a service provider in that a contractor is not a third party, and it is bound by a written contract limiting its use of personal information that a business discloses to it. However, rather than processing information for the business, a contractor is a person to whom the business makes available personal information for a business purpose. The significance of this seemingly subtle distinction is not immediately apparent. But the big takeaway is that the cast of characters under CPRA would include: the consumer; the business; service providers; contractors; and third parties.
Sensitive personal information. One of the most significant changes in the CPRA is that it adds an entirely new category of personal information – sensitive personal information – the collection of which triggers new rights and obligations described below. Sensitive personal information includes the contents of a consumer’s mail, email and text messages (unless the business is the intended recipient of the communication), a consumer’s genetic data, racial or ethnic origin, and personal information collected and analyzed concerning a consumer’s sex life or sexual orientation, among others. This change will better conform California’s privacy law to GDPR, which similarly recognizes a special class of highly sensitive personal data.
Profiling. “Profiling” relates to automated processing of personal information used, for example, to analyze or predict aspects concerning a person’s performance at work, economic situation, personal preferences, and more. Like sensitive personal information, the regulation of profiling – which will be forthcoming as the CPRA only references, but does not establish, the new rules – would likewise conform California privacy law to more robust protections afforded by GDPR.
Dark pattern. Along with the newly defined term “consent” - a term relevant any time an opt-in is required, such as for selling or sharing the personal information of consumers under 16 years old - is the prohibition on obtaining consent through manipulation via the use of “dark patterns,” or user interfaces designed to impair user autonomy.
Changes to Existing Terms
In addition to adding new definitions, the CPRA amends defined terms that already exist in the current CCPA. Of these changes, the following are most significant.
Business. The thresholds for a business to be subject to regulation under the law would include buying, selling or sharing the personal information of 100,000 or more consumers or households. This amends - and relaxes - the previous threshold related to 50,000 or more consumers, and clarifies that (1) collection alone does not trigger this threshold, and (2) devices do not count toward the number of consumers, as they did under CCPA. Notably, the amended definition of “business” also expressly contemplates voluntary self-certification with – and agreement to be bound by – the CPRA for businesses that do not meet any of the threshold requirements. Self-certification might become a future badge of honor for businesses of all sizes – and consumers may come to expect compliance, regardless of annual revenue.
Business purpose. The CPRA’s amendments somewhat clarify the CCPA’s vague reference to “short-term, transient use” and add a new business purpose of “providing advertising and marketing services.” The new purpose expressly excludes cross-context behavioral advertising, meaning that such advertising is not considered a “business purpose” under the law.
Deidentified. The CPRA substantially revises this definition to address that deidentified information cannot be used to make inferences about the consumer. The new definition requires a public declaration by the business that it will maintain and use the information in deidentified form, and contractually requires any recipients to comply with this.
Personal information. This definition is largely the same except that, as amended, it applies to information that is “reasonably capable of being associated with” a consumer, which weakens the required connection between the consumer and the information. Practically speaking, however, this change is unlikely to have a big impact. The amended definition also, of course, includes the additional category of sensitive personal information described above.
Significantly, the CPRA excludes certain additional information from “personal information”:
- Lawfully obtained, truthful information that is a matter of public concern. This exclusion appears to exempt speech protected under the First Amendment.
- In addition, “publicly available” information excluded from the definition of “personal information” would include – in addition to information lawfully made available in government records – information that a business has a reasonable basis to believe is lawfully made available to the general public by the consumer or from widely distributed media, or information made available by a person to whom the consumer has disclosed the information if the consumer has not restricted the information to a specific audience.
Under these new exclusions, it appears that a business would no longer disclose when it collects widely available information such as a consumer’s social media handle or online profile.
Sell. The definition of “sell” includes several changes, but the most notable is the removal of the service provider exception. That exception, however, no longer appears necessary, as the definition now only pertains to disclosures of information involving third parties – and therefore, not service providers or contractors. It still is not clear under the CPRA whether all disclosures of information to third parties necessarily constitute a “sale” of information. Arguably they would not, as the definition retains the requirement of “monetary or other valuable consideration.”
Service provider. Under CPRA, service providers can be legal or natural persons - a change from CCPA, which applies the term only to legal entities. The amended definition expressly precludes a service provider from selling or sharing personal information a business discloses to it – a change that harmonizes the law’s text with its clear intent – and prohibits service providers from combining information received from a business with information they receive from another business or from the service provider’s interaction with the consumer. The amended definition, however, references future regulations that will allow for certain exceptions to this rule for limited business purposes.
It’s no secret that the CPRA creates several new privacy rights for consumers. Here they are:
Right to Correct Inaccurate Information. This right is self-explanatory, but notably the law endeavors to balance the consumer’s right with burdens on businesses by simply requiring businesses to use “commercially reasonable efforts to correct the inaccurate information.”
Right to Access. This is actually a right that already exists under the CCPA - the right to know specific pieces of information a business has collected about a consumer - but the CPRA introduces the new “access” terminology, which helps distinguish a request for specific information from a general request for categories of personal information.
Right to Opt-Out of Sharing. Along with the new concept of “sharing” information for purposes of cross-context behavioral advertising is the consumer’s right to opt-out of such sharing.
Right to Limit Use and Disclosure of Sensitive Personal Information. Alongside the establishment of “sensitive personal information” is the consumer’s right to limit a business’s use of such information specifically where the information is used to infer characteristics about a consumer. This new right would not apply when a business uses sensitive personal information for purposes other than inferring characteristics.
The CPRA makes numerous changes to the compliance obligations of businesses. Here’s a rundown of the more meaningful ones.
- Like the guiding principles of the GDPR, the CPRA injects certain reasonableness and proportionality standards into the law. Specifically, a business’s collection, retention, and disclosure of personal information must be necessary and proportional to achieve the intended purpose for collecting and processing it.
Notice at Collection
- The CPRA clarifies that if a business involuntarily accesses personal information, it need not provide notice of that collection at or before the point of collection.
- If a business collects sensitive personal information, it must disclose that fact.
- A business must disclose not only the business purposes for which it collects personal information, but also the purposes for which it sells or shares it.
- A business must disclose the length of time it intends to retain information collected, or, if not feasible to do so, the criteria used to determine the length of time.
- CPRA imposes obligations on businesses to have in place contractual agreements with not only service providers and contractors, but also third parties to whom the business sells, or with whom the business shares, personal information.
- The law makes clear that a business generally will not be liable for any violations committed by these other parties if such agreements are in place.
- The CPRA requires that the contract cover several grounds, including compliance with CPRA and granting the business the right to ensure that the service provider, contractor, or third party is using personal information in a manner consistent with the business’s obligations under the CPRA. In this way, the CPRA contemplates annual audits and similar automated or manual checkups by businesses.
- The CCPA currently includes a private right of action for security breaches and references definitions and rules set forth in a different part of the Civil Code – Section 1798.81.5. CPRA adds a new requirement for businesses that collect personal information: they must implement reasonable security measures to prevent unauthorized access or disclosure of personal information in accordance with Section 1798.81.5. This change more closely links the law’s affirmative requirements with the private right of action it establishes.
Handling a Request to Delete
- Businesses are required to notify not only service providers and contractors, but also third parties, about deletion requests - triggering those parties’ obligation to delete information in their possession, and directing their service providers and contractors to do the same - unless it proves “impossible or involves disproportionate effort.”
- The CPRA removes the general, catchall exception to deletion that currently exists under the CCPA at Section 1798.105(d)(9). Arguably, this exception was overbroad, unnecessary, and abuse-prone to begin with.
Handling a Request to Know
- In response to individual consumer requests, a business must disclose categories of third parties involved in selling or sharing, and also categories of service providers and contractors. This clarifies an ambiguous area of the CCPA, which appears to require that businesses categorize third parties only.
- As noted above, businesses that “share” information must respect the same consumer opt-out rights that exist for a “sale” of personal information under the CCPA. Relatedly, the CPRA also requires businesses to include a “Do Not Sell or Share My Personal Information” link on their homepage where consumers can exercise this right.
- Similarly, a business that collects sensitive personal information must also provide a clear and conspicuous link titled “Limit the Use of My Sensitive Personal Information.”
- Significantly, the CPRA gives businesses an alternative manner of satisfying these “conspicuous link” requirements: they can allow consumers to opt-out through an opt-out preference signal sent with the consumer’s consent by a platform, technology, or mechanism based on forthcoming technical specifications to be published by the Office of the Attorney General.
- The CPRA adds new provisions permitting exemptions from the law where necessary to comply with court orders, subpoenas, and directions from law enforcement, including in emergency situations.
- The CPRA clarifies how the exemption for the Fair Credit Reporting Act applies, and adds an exemption for the Federal Farm Credit Act of 1971.
- It also adds exemptions for discrete circumstances involving education information and where a business has incurred a financial expense in reliance on a consumer’s consent to create a physical object, like a yearbook, or where compliance with a request to delete or opt-out would not be commercially reasonable.
- Importantly, the CPRA makes clear that the B2B exemption - which CPRA would extend to January 1, 2023 - would not apply to opt-out or non-discrimination rights.
Passage of the CPRA is sure to trigger a new set of compliance questions, such as how to meet CCPA obligations until CPRA is enforced, what to do until new regulatory guidance is issued, and how a business can navigate through differences in the two laws.