New California Privacy Rights Act Expands Consumer Privacy
California voters recently passed into law the California Privacy Rights Act (“CPRA”) which is set to take effect on January 1, 2023. The CPRA is a consumer privacy law intended to improve and expand the protections afforded to consumers under the California Consumer Privacy Act of 2018 (“CCPA”), which went into effect on January 1, 2020. Many of the new standards and requirements set forth in the CPRA reflect stringent consumer protection principles that are akin to Europe’s General Data Protection Regulation (“GDPR”).
As businesses review the scope and compliance obligations of the CPRA, the following changes are likely the most pertinent to review:
More Businesses Will Be Subject to CPRA
The CPRA will bring more businesses under the California data regulation’s umbrella. The law expanded the definition of covered “businesses” to include businesses that derive more than half of their annual revenue from the selling or sharing of consumers’ personal information. Additionally, the CPRA will apply to joint ventures and partnerships comprised of covered businesses that hold at least a 40% interest in the venture or partnership.
Consumers Enjoy Additional Protections under CPRA
The CPRA expands many of the consumer rights and protections established by the CCPA and adds some entirely new protections. Under the CPRA, consumers have the right to request that a business correct any inaccurate information that the business maintains about the consumer. Under the CCPA, consumers are currently only allowed to request access to or deletion of their data.
The CPRA also creates a new category of personal information: “sensitive personal information,” which includes: race, ethnicity, religious or philosophical beliefs, union membership, sexual orientation, geolocation, financial account information, and biometric or health information. Although this information was impliedly covered under the CCPA, this information is now explicitly covered under the CPRA and afforded additional protections like disclosure, opt-out, opt-in, and purpose limitation requirements.
CPRA Imposes Additional Compliance Obligations for Businesses
Disclosure obligations increase for businesses that are subject to the CPRA. Some of the new obligations include (1) complying with consumer requests to restrict the use or disclosure of any sensitive personal information a business collects; (2) adding a description of the retention policies for each category of personal information to its privacy notice; (3) alerting consumers of their new right to correct personal information; and (4) disclosing whether personal information is sold or shared.
Although the CCPA already requires businesses to include specific language related to privacy in their service provider contracts, the CPRA expands that obligation. Contracts with both “contractors” and “service providers” must contain restrictions on the selling, sharing, retaining, and disclosing of personal information. The term “contractor” was added by the CPRA to expand the reach of the Act. A contractor refers to a person or entity that receives personal information from a business pursuant to a written contract, whereas a service provider is one who processes information for the business. For contracts that a business enters into with a contractor, additional requirements come into play. The contractor agreement must require the contractor to certify that it understands and will comply with the CPRA’s restrictions, and will allow the business to monitor the contractor’s compliance with the contract.
A Newly Created State Agency Will Enforce the CPRA
The CPRA created the California Privacy Protection Agency, which holds the administrative power and authority to enforce the Act. The agency will have the authority to investigate complaints, hold hearings, issue cease and desist orders, levy fines, and bring civil actions to collect unpaid fines.
Although the CPRA does not go into effect for some time, it is never too early to start assessing your company’s data privacy obligations and begin working toward compliance. Koley Jessen will continue to monitor developments related to the CPRA and advise as updates become available. If you have questions on whether your business needs to comply with the CPRA and what steps you must take to comply with the CPRA, please contact one of the specialists in Koley Jessen’s Data Privacy and Security Practice Area.