California was the first state to implement comprehensive data privacy legislation in the form of the California Consumer Privacy Act (CCPA), and it remains at the forefront of U.S. consumer data rights with a new law, the California Privacy Rights Act (CPRA), which is scheduled to take effect January 1, 2023.
Companies that do business in California and are affected by the CCPA have spent the last couple of years building a compliance strategy. That strategy will now have to be revised in light of CPRA regulations that modify the CCPA. While not yet final, proposed CPRA rules have been published that offer a preview of how companies should be preparing for these upcoming legal changes.
The CPRA: How we got here and where things stand
In 2018, the California legislature enacted the CCPA, which took effect January 1, 2020. The CCPA was a landmark moment not only for California but for the United States, as it was the first data protection law of its kind in the country. The CCPA conferred upon California residents a set of rights covering how their personal information is collected, used, sold, stored, and shared. It also imposed corresponding duties on businesses.
Several states have since followed California’s example but, not to be outdone, California passed its second data privacy law in 2020, before most other states even had one such law. The CPRA, approved by voters as a ballot initiative (Proposition 24) in November 2020, amends the CCPA. It gives California consumers new rights, imposes new obligations on businesses, and creates a new government agency, the California Privacy Protection Agency (CPPA).
In May 2022, the CPPA issued a preliminary draft of proposed CPRA regulations. On July 8, 2022, the CPPA filed a Notice of Proposed Rulemaking, initiating a 45-day comment period that closes on August 23, 2022 and will be followed by a public hearing on August 24 and 25. If the CPPA makes material changes to the proposed regulations in response to public comments, there will be an additional 15-day comment period.
CPPA’s Executive Director said that final CPRA regulations are expected in Q3 or Q4 of 2022. The CPRA goes into effect on January 1, 2023, but won’t be enforced until July 1, 2023, giving businesses a six-month compliance window.
Key takeaways from CPRA draft regulations
Because formal rulemaking for the CPRA is ongoing, the final version of regulations could look significantly different from the first draft. However, the proposed regulations still provide useful guidance for businesses required to comply with the law. Some of the key changes in the CPRA draft are described below.
Creation of the CPPA
The CPPA is the new government agency responsible for implementing and enforcing the CPRA. Made up of a 5-member board with expertise in privacy, technology, and consumer rights, the CPPA has full administrative power, authority, and jurisdiction over the CCPA and CPRA. It may bring enforcement actions before an administrative law judge and is authorized to perform audits of businesses in some situations.
The CPPA takes over from the Attorney General as the primary administrative enforcement arm of California’s digital privacy laws. The AG does not drop out of the picture, however: according to the AG’s office, the Attorney General retains civil enforcement authority and can still go to court to enforce the CPRA.
A new classification of protected personal information
The concept of “sensitive personal information”—personal data that warrants enhanced protections due to its potential to harm consumers—is not covered under the CCPA, but it has a prominent place in the CPRA.
Sensitive personal information (SPI) includes data such as a consumer’s Social Security number, government-issued ID number, financial account and login information, genetic and biometric data, private communications (e.g., the contents of emails and text messages), precise geolocation data, and data revealing racial or ethnic origin or religious beliefs. Companies that collect SPI are subject to enhanced disclosure, opt-out, and use-limitation requirements. For example, they must have a “clear and conspicuous” homepage link titled “Limit the Use of My Sensitive Personal Information.”
Changes to covered business criteria
The CCPA does not apply to all businesses, and neither does the CPRA. Although it retains the basic definition of “business” found in the CCPA—a for-profit legal entity that conducts business in California and collects consumers’ personal data—the CPRA introduces new criteria for which businesses are covered by the law.
Companies that derive 50% or more of their annual revenue from selling or “sharing” personal information are now covered, whereas the CCPA counted only sales. So are businesses that buy, sell, or share the personal information of “100,000 or more consumers or households,” replacing the CCPA threshold of “50,000 or more consumers, households, or devices.” IAPP notes that raising this threshold should mean that more small and medium-sized enterprises will fall outside the CPRA’s scope.
A GDPR-like audit requirement
Not only does the CPRA give CPPA the authority to conduct agency audits at its discretion, but businesses engaged in processing high-risk data would be subject to annual cybersecurity audits and regular risk assessments.
Several factors would be used to determine whether a given processing activity warrants such audits, including the size and complexity of the business and the nature and extent of the processing. These CPRA requirements resemble the data protection impact assessments (DPIAs) that the GDPR requires for high-risk processing. IAPP calls the CPRA’s audits and risk assessments one of its most impactful provisions.
New consumer rights
The CPRA gives Californians several new data rights, including:
The right to opt-out of the sharing of personal information (not just the sale of information). This covers third-party data transfers for the purpose of “cross-context behavioral advertising,” such as the use of third-party advertising cookies.
The right to correct inaccurate personal data, which joins the right to delete that the CCPA already provided. If a business has sold or shared such data with third parties, it must notify those parties of the correction or deletion request as well.
The right to know how long a business intends to retain each category of personal information, or, if a specific retention period cannot be provided, then a description of the “criteria used to determine such period.”
The right to opt-out of a business’s use of “automated decision-making technology,” which includes consumer profiling. The San Francisco law firm Orrick says that this could impact businesses’ use of targeted advertising and artificial intelligence.
Enhanced penalties for violations involving minors
The CPPA will have the ability to impose administrative fines of up to $2,500 per violation or up to $7,500 per intentional violation, amounts that are unchanged from the CCPA. However, the CPRA applies the higher $7,500 tier to any violation involving the personal data of a person under age 16, intentional or not, if the business has “actual knowledge” that the consumer is younger than 16. In addition, the CPRA removes the mandatory 30-day cure period that the CCPA gave companies to remedy violations before enforcement.
Expanded liability for data breaches
An aspect of the CCPA that sets it apart from data privacy laws in other states is that data subjects have a private right of action (i.e., the ability to file a lawsuit for violations of the law). While the CCPA’s private right of action is limited to data breaches, the CPRA expands the definition of what constitutes a data breach. That definition now also covers unauthorized disclosure of an email address in combination with a password, or with a security question and answer, that would permit access to the account. This could result in far more lawsuits against companies that fail to implement reasonable security procedures and practices.
Other important aspects of the CPRA
These are just a few of the amendments that could be coming to California’s data privacy laws. Additional areas addressed in the CPRA that are worth keeping an eye on are:
Expanded contractual obligations for service providers, third parties, and contractors
Avoiding “dark patterns” when collecting consumer consent
Data minimization principles introducing necessity-based limitations on the collection, use, retention, and/or sharing of a consumer’s personal data
Privacy policies, disclosure requirements, and opt-out links
Exemption for employee and business-to-business data extended to January 1, 2023
Introduction of the terms “disproportionate effort” and “unstructured” to limit some types of consumer deletion and access requests that may be overly burdensome to companies
Consent management and CPRA compliance
An economic impact statement from the CPPA estimates that more than 66,000 businesses—including nearly 44,000 small businesses—will be affected by CPRA regulations.
Complying with data privacy laws is becoming an increasingly complex and costly task as more jurisdictions pass legislation enshrining consumers’ digital rights. But in business, as in nature, success is strongly correlated with the ability to adapt to change.
Giving customers more choices about how their data is used means the loss of some valuable marketing data via opt-outs. But what businesses lose in data quantity they can make up for with data quality.
Data collected through consent is much more valuable because it is based on compliance and voluntary disclosure, both of which increase trust. The more customers trust you, the more information they’ll share with you. Compliance equals trust, and trust equals more business opportunities.
A Consent Management Platform from Didomi helps you comply with hundreds of privacy laws worldwide with a single tool. Our CMP supports the CCPA and will support the CPRA as soon as the rules are finalized. In the meantime, talk to one of our experts to learn more.