A team from Reed Smith summarise the effect of the California Privacy Rights Act which will come into force following an overwhelming vote for the new law by the Californian public.
Before the dust has even settled on many California Consumer Privacy Act (CCPA) compliance projects, California voters have welcomed the future of privacy by overwhelmingly approving Proposition 24: the California Privacy Rights Act (CPRA). Building on the CCPA framework, the CPRA expands the rights of California consumers, adds new responsibilities for both businesses and service providers, and creates a new state agency, the California Privacy Protection Agency (the Agency), to take over enforcement from the state Attorney General. Here are the notable changes:
First, every business will be happy to know that the B2B and employee information sunsets (which exempt some data from the scope of the existing CCPA) have been extended until January 1, 2023 (after being extended by another year until 2022 by the legislature).
Next, the CPRA establishes new rights for California consumers:
- SSN, driver’s license, state ID card or passport
- Account log-in or financial account information in combination with security codes or passwords
- Precise geolocation (radius of 1,850 feet)
- Racial or ethnic origin, religious or philosophical beliefs, or union membership
- Contents of a consumer’s mail, email or text messages unless the business is an intended recipient of the communication
- Genetic data
- Biometric data processed to identify a consumer
- Personal information collected and analysed concerning a consumer’s health, sex life, or sexual orientation
Similar to HIPAA’s minimum necessary rule and the GDPR’s data minimization principle, the CPRA codifies data minimization principles: The collection, use, retention and sharing of personal information must be “reasonably necessary and proportionate to achieve the purposes for which the personal information was collected or processed.” The new law also requires notice of retention periods, and those retention periods must be “no longer than reasonably necessary” for each disclosed purpose.
The CPRA has new obligations for businesses selling, sharing, or disclosing data, requiring applicable agreements to include provisions:
Service providers will have direct responsibilities under the new law, many of which businesses already impose through their existing privacy terms in agreements with third parties. While service providers do not need to respond to consumer requests (if they only have access to data due to their role as service providers), the law states they must cooperate with the business in responding to a consumer request, including deleting, and having their own service providers or data recipients delete, any personal information. They also have an obligation to notify the business regarding their use of subcontractors and to have their subcontractors enter into written contracts binding them to terms similar to those by which the service provider is bound.
There are a few other notable changes as well:
With the creation of the California Privacy Protection Agency, California is the first state to shift privacy responsibilities away from the state’s attorney general, the typical regulator of general privacy violations at the state level. The new Agency has significant powers, including responsibility for creating future regulations and the right, for businesses “whose processing of consumers’ personal information presents significant risk to consumers’ privacy or security,” to require those businesses to both (a) perform an annual cybersecurity audit and (b) submit a privacy risk assessment addressing their processing of sensitive information and weighing the benefits to the business, consumer, public and other stakeholders against the risks to the rights of the relevant consumers. Similar discussions of the creation of an independent privacy agency have occurred at the federal level; this division of power may be a harbinger of regulatory structure for privacy laws in other states as well.
The CPRA goes into effect on January 1, 2023 – slightly more than two years away. More will come from the Agency, especially once the seats on its five-member board are filled; it will likely provide further interpretation and guidance on the regulations. Still, as companies that grappled with GDPR and CCPA know, data governance and security compliance programs require time, attention and effort from all aspects of a business. Now is the time to begin – or begin revising – your data governance projects and establish systems with an eye towards CPRA.
This article was first published on Reed Smith’s Technology Law Dispatch blog and is reproduced here with permission.
Sarah Bruno is a partner at Reed Smith and advises in all areas of data security and privacy, including the California Consumer Privacy Act (CCPA), the SHIELD Act, and the EU General Data Protection Regulation (GDPR). She is a certified privacy professional (CIPP/US) and a member of the IAPP.
Divonne Smoyer is a partner at Reed Smith with a particular interest in privacy and data-loss issues, and is an IAPP (International Association of Privacy Professionals) Certified Information Privacy Professional (CIPP/US).
Alexis Cocco is an associate and a privacy, data security and consumer class action defence lawyer in Reed Smith's IP, Tech & Data Group, and is designated as a Certified Information Privacy Professional (CIPP/US) by the International Association of Privacy Professionals (IAPP).