There is no doubt that this is an important election year. While the presidential election will receive the majority of the attention, Proposition 24, a California ballot initiative regarding the California Privacy Rights Act (CPRA) will be another important vote to watch.
If a California data privacy ballot initiative sounds familiar, that’s because it is. As a matter of background, on June 28, 2018, Governor Jerry Brown of California signed into law the California Consumer Privacy Act of 2018 (CCPA). As we previously reported, the ratification of the CCPA was the culmination of a dramatic showdown between the advocacy group Californians for Consumer Privacy, who had introduced a data privacy ballot initiative, and a coalition of large corporations in opposition to the ballot initiative. Californians for Consumer Privacy agreed to withdraw the ballot initiative in exchange for the ratification of the CCPA. Tech industry opponents of the legislation ultimately supported passage of the CCPA, viewing the legislation as a diluted version of the ballot initiative that would also be easier to amend down the road.
Fast forward two years, and Californians for Consumer Privacy has introduced another data privacy ballot initiative, the CPRA, which is on the ballot in California this election. In returning to the ballot, Californians for Consumer Privacy seeks to pass further data privacy protections without the concessions that were made in connection with the CCPA. The results of an August 2020 poll showed 81 percent support of the CPRA ballot initiative among California voters. That being the case, it is worthwhile for consumers and businesses alike to proactively review the CPRA to ascertain the new data privacy rights and responsibilities implemented by the CPRA. Should Proposition 24 pass, the CPRA would take effect on January 1, 2023.
Despite being spearheaded by a consumer privacy advocacy group, the CPRA is not a one-sided law. It imposes numerous limitations on consumer data privacy rights, in addition to its implementation of new consumer privacy protections. This blog post discusses the consumer privacy protections set forth in the CPRA, as well as the limitations.
New Consumer Privacy Rights and Protections
A. New Category of Data: “Sensitive Personal Information”
The CPRA defines a new category of personal information, “sensitive personal information,” as personal information relating to a consumer’s biometrics, health, or sexual orientation, or personal information that would reveal such information as 1) personal identification numbers (i.e. driver’s license or social security number); 2) login information to accounts or debit/credit card numbers, in combination with access codes, passwords, or credentials; 3) a consumer’s precise geolocation data; (4) information about a consumer’s race, ethnicity, religious affiliation, philosophical beliefs, or union membership; 5) a consumer’s genetic data, or 6) contents of the consumer’s mail, email, or text messages. This category of information is subject to all of the same protections as personal information, with the added privilege that consumers may, at any time, limit the business that collects the consumer’s sensitive personal information to only use or disclose such information for the purpose of performing the services or providing the goods sought by the consumer.
This provision resembles Article 9 of the GDPR, which designates “special categories of personal data.” The GDPR, however, manages such data much more strictly, broadly prohibiting the processing of such data, with only several enumerated exceptions.
B. “Limit the Use of My Sensitive Personal Information” Link
The CCPA requires businesses that sell consumer personal information to provide a clear and conspicuous link on their homepage titled “Do Not Sell My Personal Information.” In the same vein, the CPRA requires businesses that collect sensitive personal information to provide a clear and conspicuous link on their homepage titled “Limit the Use of My Sensitive Personal Information.” The link enables the consumer to limit the business that collects the consumer’s sensitive personal information to only use or disclose such information for the purpose of performing the services or providing the goods sought by the consumer.
C. Retention of Consumer Personal Information
The CPRA requires businesses to advise consumers of the length of time that the consumer’s personal information will be retained prior to or at the time of collection. If the retention period is not known at the time of collection, the business must advise the consumer of the criteria that will be used to determine the retention period. Additionally, the CPRA requires that businesses not retain consumer personal information for longer than reasonably necessary for the purpose disclosed, and not for any other purpose, unless notice of such a subsequent purpose is provided. The requirements in this regard are staples of the GDPR and principles of reasonably prudent data management policies for US businesses even if they are not subject to the GDPR or potentially the CPRA.
D. Agreement with Third Parties
The CPRA requires a business that collects a consumer’s personal information and then sells or shares that personal information with a third party or discloses it to a service provider or contractor to enter into an agreement with the third party, service provider, or contractor limiting the usage of the personal information by the third party, service provider, or contractor to certain specified purposes. Additional requirements for the agreement further serve the interest of the business and the third party, service provider or contractor protecting the consumer’s personal information.
E. Duty to Maintain Reasonable Security
Under the CPRA, businesses that collect a consumer’s personal information must implement reasonable security procedures and practices appropriate to the nature of the personal information to protect the information from unauthorized or illegal access, destruction, use, modification, or disclosure. While not required under the CCPA, it has been common sense for businesses to hold themselves to a reasonable security standard for some time now. Businesses that have not done so already will have to do so now. For the businesses that already follow this standard, the new requirement will cause little or no change to their data practices.
F. Right to Correct Inaccurate Personal Information
The CCPA gives consumers the right to request deletion of their personal information, but it makes no mention of a right to correct inaccurate personal information. The CPRA changes that, implementing the consumer right to correction. One of the less publicized data subject rights under the GDPR, the right to rectification is the subject of a recently filed complaint by noyb against the low cost European airline Wizz Air in connection with the airline’s refusal to update consumer personal information to reflect name changes. While this rule could conceivably cause a minor inconvenience to businesses in certain situations, in the vast majority of instances, businesses would prefer to have accurate consumer information, thereby making the right to correction a consumer right that businesses will generally be happy to honor.
G. “Sharing” of Personal Information
The CCPA regulates the sale of consumer personal information. The CPRA amends many of those provisions to impose the same obligations on businesses that “share” consumer personal information. This change apparently extends data privacy obligations to business conglomerates and businesses that otherwise share personal information without the exchange of payment or other compensation. Some businesses that eluded the data privacy obligations under the CCPA may now face significant California data privacy obligations, however, many of the businesses that share data without selling it are sophisticated and likely already have implemented substantial measures regarding consumer data privacy, thereby reducing the scope of businesses that will be burdened by the expansion of the rules to include shared data.
H. Quiet Period for Requesting Opt-In Consent
Under the CPRA, if opt-in consent is denied by a consumer, the business may not again request opt-in consent from that consumer for twelve months. This new requirement may have a negative impact on marketing initiatives for some businesses, however, the burden of taking steps to ensure that consumers who deny an opt-in request are put aside for twelve months so as not to be asked again during that time should be minimal.
I. Definition of Consent
The CPRA defines “consent” as “any freely given, specific, informed, and unambiguous indication of the consumer’s wishes by which he or she . . . signifies agreement to the processing of personal information relating to him or her for a narrowly defined particular purpose.” By contrast, the CCPA does not define consent at all. The definition of consent in the CPRA resembles that in the GDPR. This version of “consent” is very different than that typical to US law. For example, under the GDPR, there is a strong presumption that consent cannot be “freely given” by an employee to an employer due to the inherent power imbalance. If the provision of the CPRA is to be interpreted in a similar way, disfavoring power imbalances for example, it could signal a substantial change in the way consent is viewed within the American legal system, at least in the data privacy context. Businesses that already comply with the GDPR will likely be well-positioned to adjust seamlessly, but others should consult with counsel to ensure that if their data practices rely on consumer consent, the consent is appropriately obtained.
J. The California Protection Agency
The CPRA creates the first state agency dedicated exclusively to privacy enforcement: the California Protection Agency. This is similar to the Data Protection Authorities (DPA) that enforce the GDPR in each EU member state. The California Protection Agency would relieve the state Attorney General of the continually increasing burden of enforcing consumer data privacy rights, and could lead to more aggressive enforcement of consumer data privacy rights. Additionally, on or after July 1, 2021, the agency will take over from the Attorney General rulemaking responsibilities in connection with the CPRA.
K. Anti-Avoidance Provision
The CPRA contains a provision empowering a court or the California Protection Agency to disregard intermediate steps or transactions taken by a business or otherwise with the intention of avoiding the requirements of the CPRA. This provision emphasizes the importance of compliance by subject businesses and underscores that chicanery intended to work around the requirements of the CPRA will not be tolerated. Businesses are well-advised to consult with legal counsel to determine, first, if they will be subject to the CPRA, and if so, second, how to implement the necessary procedures and protocols to be in full compliance with its requirements.
Limitations on Consumer Privacy Rights
A. Default Request for Preceding Twelve Months
The CCPA establishes the consumer right to know their personal information that a business collects and sells. Building upon those rules, the CPRA establishes as a default that the business’s response to the consumer request must cover the preceding twelve-month period. Notwithstanding this default rule, a consumer may request disclosure of personal information extending back earlier before the preceding twelve-month period, however, the business will not be required to provide such information if doing so is impossible or “involves a disproportionate effort.” Additionally, requests extending beyond the preceding twelve months will only apply to personal information collected on or after January 1, 2022. This provision will assist businesses by substantially limiting the scope of information that they will need to provide in response to consumer right to know requests and allowing businesses to build the mechanisms for retrieval of personal information within their computer systems to be substantially forward-looking rather than looking back into archives of old data preceding January 1, 2022. In any case, businesses should review their data retention policies with counsel and consider disposing of data that they no longer need.
B. Limitation of Liability for Misuse of Personal Information by Third Parties, Service Providers, and Contractors
As discussed above, the CPRA requires an agreement between businesses and their service providers, contractors, and third parties to establish the responsibilities of the parties with respect to protecting consumer personal information. While it may be burdensome to some businesses, for example, to incorporate the required terms into their vendor contracts, that burden should be more than offset by a limitation of liability. Specifically, under the CPRA, if a consumer does not opt-out of disclosure of their personal information, a business that discloses consumer personal information and enters an agreement with the recipient of the personal information containing the appropriate CPRA-required terms in the interest of protecting the consumer personal information will be immune from liability under the CPRA if the third party, service provider, or contractor misuses the personal information, so long as the business did not have actual knowledge or reason to believe that such misuse would occur.
This limitation of liability is a boon for businesses that should, to some extent, offset the new burdens imposed on businesses by the CPRA.
C. “Business” Redefined
A commonly overlooked aspect of the CCPA is that it does not apply to all businesses and was intended to exempt small businesses that are not in the field of selling personal information. One of the thresholds for the CCPA to apply to a business is if the business annually buys, sells, or shares or receives for commercial purposes the personal information of 50,000 or more consumers, households, or devices. The CPRA modifies this threshold to exempt a greater number of small and medium-sized businesses. Specifically, the CPRA amends this threshold to apply to businesses that annually buy, sell, or share the personal information of 100,000 or more consumers or households. While this amendment will in theory unburden many small and medium sized businesses from the CPRA’s requirements, those same businesses will still have substantial responsibilities with respect to consumer data protection under other statutes and may owe a legal duty of care. Businesses should consult with counsel to determine whether the CPRA applies to them and to ascertain their responsibilities regarding consumer data privacy otherwise.
D. Law Enforcement and Government Agencies
The CCPA discusses law enforcement just once, stating that it does not restrict a business’s ability to cooperate with law enforcement agencies concerning conduct that the business reasonably and in good faith believes violates the law. The CPRA delineates business responsibilities regarding law enforcement investigations involving consumer personal information much more thoroughly. The CPRA provides that in connection with an investigation, law enforcement agencies may direct a business not to delete a consumer’s personal information for a period of ninety days. The law enforcement agency may further direct the business to continue to retain the personal information for subsequent ninety-day periods.
Further, the CPRA permits business cooperation with government agency requests for emergency access to consumer personal information when there is a risk of death or serious physical injury to a person—a topic on which the CCPA is entirely silent. A business may provide personal information to a requesting government agency in such emergency circumstances if: 1) the request is approved by a high-ranking government officer; 2) the request is based on the agency’s good faith determination that it has lawful grounds to access the information on a non-emergency basis; and 3) the agency agrees to petition a court for an appropriate order within three days and to destroy the information if the order is not granted.
These provisions represent significant exceptions to the consumer protections within the CPRA and may be at risk for abuse. Ambiguities abound, including who qualifies as a high ranking government officer and what constitutes a good faith determination in an emergency situation. However, the exceptions serve important public health and security interests. The California Protection Agency will likely keep an eye out for abuse of these provisions by law enforcement and government agencies, and if it occurs, amendments and further regulations designed to eradicate the abuse can be expected.
E. Employee Requests
The CPRA does not apply to personal information provided by persons such as job applicants, employees, directors, officers, medical staff members, or independent contractors of a business to the extent the personal information is collected and used in the context of the person’s role with that business. While the CCPA did not expressly contain this language, it is a logical exception in that a person acting within the scope of their work for a business is not functioning as a consumer and therefore cannot exercise consumer data privacy rights in that context.
F. Education-Related Personal Data
The CCPA is silent regarding whether businesses are exempt from having to comply with requests relating to education-related personal information. Under the CPRA, businesses are explicitly not required to comply with a consumer request to delete a student’s grades. This cures a glaring potential issue of students or their parents potentially abusing consumer data privacy rights to compel the deletion of poor grades.
G. Household Data
The obligations imposed on businesses in connection with the CPRA’s rights to deletion, correction, to know what personal information is collected, and to know what personal information is sold or shared do not apply to “household data.” This presents an opportunity for businesses to develop and analyze a particular category of information, pertaining to households rather than individual consumers, that will not be subject to deletion or correction and the disclosure, sale or sharing of which will not be subject to disclosure to a consumer.
H. Personal Information Used to Produce Physical Items
Under the CPRA, businesses do not have to comply with deletion and opt-out requests if the consumer has consented to the business’s use, disclosure, or sale of that information to produce a physical item if: 1) the business has incurred significant expense in reliance on the consumer’s consent; 2) compliance with the consumer’s opt-out or deletion request would not be commercially reasonable; and 3) the business complies with the consumer’s request as soon as commercially reasonable to do so. The text of the CPRA provides an example scenario where a school yearbook is produced. It would cause an unreasonable burden, for example, to have to reprint the yearbook every time a student or their parent requested that the student’s photograph be deleted. This exception provides an important protection for businesses that may largely want to comply with the CPRA yet would face unmanageable financial burdens in the absence of this exception.
I. Trade Secrets
The CCPA contained one mention of trade secrets, indicating that the Attorney General should adopt a regulation exempting trade secrets from the CCPA. The CPRA addresses trade secrets more explicitly, repeatedly stating that businesses are not required to disclose trade secrets to comply with the law.
Significant but Not Unmanageable Changes to US Data Privacy Law
Should Proposition 24 pass, the CPRA will undoubtedly change the data privacy space across the United States, and its impact will likely be felt abroad as well. Nevertheless, the consumer protections implemented by the CPRA are not unprecedented on the global stage. Some provisions, such as the definition of consent, closely mirror the GDPR, whereas others, like those concerning sensitive personal information, still are far less stringent on businesses than the corresponding rules under the GDPR. Many large businesses, which have already brought their data policies in compliance with the GDPR, will have little problem complying with the CPRA. For many small and medium sized businesses that are subject to the CPRA, there will be some inconvenience during the process of bringing their data privacy procedures into compliance. However, in the process of making those changes, such businesses will naturally reduce their risk of a data incident and liability in connection with consumer data privacy.
Accordingly, businesses should not fear the CPRA. They are well-advised, however, to consult with counsel about whether they are subject to California’s data privacy laws currently or may be in the future and to review their data privacy policies and procedures with counsel to ensure compliance.
*Karl Rumph, a law student intern in Morrison Mahoney's Cybersecurity, Data Privacy and Protection Practice, also contributed to this article.