Gearing Up for Comprehensive Data Privacy and Security Legislation Across the States | California Consumer Privacy Act & California Privacy Rights Act
In June 2018, California passed the California Consumer Privacy Act (CCPA), becoming the first state in the country to enact a comprehensive consumer data privacy law. The CCPA was loosely modeled on the European Union’s General Data Protection Regulation (GDPR) but takes a broader view than the GDPR in several respects.
More recently, on November 3, 2020, California voters approved the California Privacy Rights Act (CPRA), which amends and expands the CCPA. Although the CPRA took effect on December 16, 2020, most of the provisions amending the CCPA will not go into effect until January 1, 2023.
This edition of our “Gearing Up” for privacy law compliance series will discuss key changes brought on by the CPRA, outline some key modifications in the proposed regulations, and give information on how the law will be enforced.
CPRA’s Scope and Threshold Requirements
The CCPA only applied to businesses, service providers, and third parties, but the CPRA adds a fourth entity—contractors—to the list of obligated entities.
A contractor is similar to a service provider—they are bound by the terms of a written contract with restrictions and prohibitions on the use of personal information. However, a contractor must certify that it understands these restrictions and prohibitions and that it will comply with them.
To comply with the CPRA, a contractor must:
- adhere to the terms of its contract and use personal information only to perform services on behalf of the business;
- implement security safeguards;
- not combine personal information received from one business with personal information received from other businesses; and
- notify the business of its use of subcontractors, who must be bound by the same contractual terms as the contractor.
The CPRA also adjusts the CCPA’s threshold requirements, effective January 1, 2023. As amended, the CCPA/CPRA applies to for-profit entities that:
- Do business in California and collect California residents’ personal information (or have it collected on their behalf); and
- Satisfy one of the following:
- Have gross annual revenue of over $25 million in the preceding calendar year;
- Annually buy, sell, or share the personal information of 100,000 or more California residents or households (the CCPA’s original threshold was 50,000 residents, households, or devices); or
- Derive 50 percent or more of their annual revenue from selling or sharing California residents’ personal information.
Proposed Regulations
The CPRA created a new agency—the California Privacy Protection Agency (CPPA)—that was given rulemaking and enforcement authority. On May 27, 2022, the CPPA released a preliminary draft of its proposed regulations. Of note, the draft focuses on creating a more consumer-friendly experience. While these proposed regulations will likely undergo changes following the notice and comment period, some key points from the draft are outlined below.
Under the CCPA, consumers have six specific rights: (1) the right to know and request disclosure; (2) the right to delete; (3) the right to opt out of the sale of personal information; (4) the right to opt into the sale of personal information of consumers under the age of 16; (5) the right to non-discriminatory treatment; and (6) the right to initiate a private cause of action. The CPRA and the proposed regulations create two additional rights:
- The right to correct inaccurate personal information;
- The right to limit use and disclosure of sensitive personal information (e.g., Social Security number, driver’s license number, financial account information, precise geolocation, racial or ethnic origin, religious beliefs, union membership, contents of mail, email, or text messages, genetic data, etc.).
Some other notable changes are listed here:
- New requirements for user interface design: consent obtained through the use of dark patterns (interfaces designed to subvert or impair a consumer’s choice) does not constitute valid consent.
- Several new and modified provisions affecting service providers and vendors: the service provider provisions apply more broadly but exclude cross-context behavioral advertising services; product or service improvement is added to the list of permitted uses of personal information; and contracts with service providers and contractors must contain explicit, specific terms.
- Additional contractual requirements for third parties that receive personal information from an entity other than the individual to whom the personal information belongs.
- Businesses must conduct due diligence on service providers, contractors, and third parties to determine whether these entities are compliant.
- Consumer notification for third-party involvement in the collection of personal information.
- Data minimization requirements that require businesses to collect, use, retain, and/or share consumers’ personal information only in a way that is “reasonably necessary and proportionate” to the original purpose for collecting it. This standard is governed by the expectations of the average consumer, although the draft does not illustrate or delineate how those expectations will be determined.
- Requirement that businesses process consumer opt-out preference signals sent by the consumer’s browser or device (for example, the Global Privacy Control signal, the successor to the older do-not-track header) that meet certain requirements.
- Cookie banners or cookie controls will no longer be sufficient on their own as opt-out or limit mechanisms.
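The following is an added example, not code from the article or from Ice Miller, showing how a web backend can detect and honor a browser opt-out preference signal of the kind the draft regulations require businesses to process. It assumes the signal is the Global Privacy Control (GPC) request header `Sec-GPC: 1`; the purpose names, the `ConsumerPreferences` record, and the sample request headers are constructed for illustration and are not terms from the regulations.

```python
"""Server-side handling of a browser opt-out preference signal.

Added example, not code from the article or from Ice Miller. It assumes the
signal is the Global Privacy Control (GPC) HTTP request header "Sec-GPC: 1";
the purpose names and the ConsumerPreferences record are illustrative
assumptions, not terms defined by the CCPA/CPRA or the draft regulations.
"""
from dataclasses import dataclass, field
from typing import Mapping, Optional

# Purposes a valid signal opts the consumer out of: the "sale" and "sharing"
# (cross-context behavioral advertising) of personal information.
SELL_SHARE_PURPOSES = frozenset({"sale", "cross_context_behavioral_advertising"})


@dataclass
class ConsumerPreferences:
    opted_out: set = field(default_factory=set)  # purposes the consumer opted out of
    source: str = "none"                         # where the opt-out came from
    conflict: bool = False                       # signal disagreed with a stored choice


def gpc_signal_present(headers: Mapping[str, str]) -> bool:
    """True only when a Sec-GPC header is present with the exact value "1".

    Header names are matched case-insensitively; any other value (e.g. "0",
    "true") is not a valid signal. The legacy DNT header is deliberately ignored.
    """
    for name, value in headers.items():
        if name.lower() == "sec-gpc":
            return value.strip() == "1"
    return False


def apply_opt_out_signal(
    headers: Mapping[str, str],
    stored_consent_to_sell: bool = False,
    prefs: Optional[ConsumerPreferences] = None,
) -> ConsumerPreferences:
    """Return preferences after processing the request's opt-out signal.

    A valid signal is treated as an opt-out of sale/sharing regardless of a
    cookie-banner choice stored earlier; a stored "accept" is recorded as a
    conflict for the business to surface to the consumer rather than used to
    override the signal (this example's design choice, see the note below).
    """
    prefs = prefs if prefs is not None else ConsumerPreferences()
    if gpc_signal_present(headers):
        prefs.opted_out |= SELL_SHARE_PURPOSES
        prefs.source = "gpc"
        prefs.conflict = stored_consent_to_sell
    return prefs


def may_process(prefs: ConsumerPreferences, purpose: str) -> bool:
    """Whether personal information may be used for the given purpose."""
    return purpose not in prefs.opted_out


if __name__ == "__main__":
    # Constructed sample requests: one carrying the signal alongside a stored
    # "accept all" cookie choice, one carrying only the old DNT header.
    with_signal = {"Host": "example.test", "Sec-GPC": "1", "Cookie": "consent=all"}
    legacy_only = {"Host": "example.test", "DNT": "1"}
    p = apply_opt_out_signal(with_signal, stored_consent_to_sell=True)
    print(sorted(p.opted_out), p.source, p.conflict)
    print(may_process(apply_opt_out_signal(legacy_only), "sale"))
```

Treating a stored cookie-banner "accept" as a flagged conflict rather than as an override of the signal is this example's design choice; it follows from the point above that cookie banners or cookie controls are not a sufficient opt-out mechanism on their own. Uses unrelated to sale or sharing (order fulfillment, for instance) are unaffected by the signal.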
What Your Business Can Do
Enforcement of the CPPA’s final regulations will begin in July 2023. Because the CPPA has published its proposed regulations, there is a public comment period of at least 45 days. Entities are encouraged to comment on the proposed regulations. Additionally, entities should stay apprised of changes to the CPPA’s proposed regulations.
Enforcement
While the original CCPA gave enforcement authority to the California Attorney General, the CPRA gave the CPPA “full administrative power, authority, and jurisdiction to implement and enforce” the CCPA/CPRA. However, the CPRA does not limit the Attorney General’s power to enforce the CCPA. Additionally, the CCPA/CPRA is unique in that it allows residents a private right of action, limited to data breaches of nonencrypted and nonredacted personal information that result from a business’s failure to implement and maintain reasonable security procedures.
In the event of non-compliance, the CCPA provides for civil penalties, statutory damages (in actions brought by consumers), non-monetary relief, and injunctive relief sought by the Attorney General.
Connect with Ice Miller’s Data Privacy and Cybersecurity Attorneys
Ice Miller has extensive experience assisting companies with navigation and compliance relating to domestic privacy legislation and regulation. Our team includes Reena Bajowala (CIPT, CIPP/US, CIPM), a partner in Ice Miller’s Chicago office and Chair of the Data Security & Privacy and Information and Software Disputes practices; and Angad Chopra (CIPP/US), a Certified Privacy Professional and associate in Ice Miller’s Data Security & Privacy Group. Former Summer Associates Miranda Greene, Zenas Shi, and Christopher Williams contributed to this publication.
This publication is intended for general information purposes only and does not and is not intended to constitute legal advice. The reader should consult with legal counsel to determine how laws or decisions discussed herein apply to the reader's specific circumstances.