Insights
Publications

Top 10 Practical Business Implications Arising From the Passage of the CPRA

December 03, 2020 Articles
The Recorder

California’s Proposition 24 passed as expected, and the new California Privacy Rights Act will change the privacy landscape created by the California Consumer Protection Act (CCPA), which went into effect only months ago. While the CPRA won’t go into effect until Jan. 1, 2023, with enforcement (concerning data collected from Jan. 1, 2022 and later) beginning no sooner than July 1, businesses should already be in a position to comply.

In short, the difficult work in marshaling the data subject to the CPRA will need to have been undertaken in connection with CCPA compliance. As such, assuming a business has taken efforts to comply with the CCPA, the new law will require evolution rather than revolution of companies’ privacy practices. That does not mean, however, there is not work to be done, and companies subject to the CPRA should be taking steps to comply sooner rather than later.

Applicability

(1) It should be noted that the CPRA amends, incorporates, and replaces the CCPA. The definition of companies subject to the new act is narrowed, and so those that would not be subject to the CCPA will similarly not be subject to the CPRA. Certain companies currently subject to the CCPA will not be subject to the CPRA, and after Dec. 31, 2022 will no longer have to comply with the requirements of the CCPA (or, obviously, the CPRA). This would mainly include companies who collect and use the personal information of more than 50,000 but less than 100,000 California data subjects. Such companies should continue satisfying the requirements of the CCPA through at least the end of 2022. Action item: Determine applicability of CCPA and CPRA to identify compliance regime.

(2) The CPRA has extended the deadlines under the CCPA concerning personal information of employees and business-to-business contacts until Jan. 1, 2023. Thus, companies subject to the CCPA that will not be subject to the CPRA need not take steps to bring the collection and use of this specific data into compliance with the applicable provisions of the CCPA. Action item: Determine whether employee and b2b data and the associated deadlines are relevant to your company’s compliance.

Further Refinement of Data Identification and Treatment

(3) The CPRA will require companies to further segregate certain “Sensitive Personal Information” and treat such data differently than other personal information. Consumers will need to be given heightened notice and be able to limit the use or disclosure of such information, which is defined to include things like Social Security, driver’s license, state ID card, or passport numbers, log-in or financial information in combination with any required information enabling access to such information, geolocation information, contents of the consumer’s communications with third parties, racial, genetic, or ethnic information, biometric information used for identification (e.g., fingerprint or facial recognition access methods), health information, and sex life and sexual orientation information. Action item: Determine Sensitive Personal Information within Personal Information and account for differing treatment.

(4) Companies will need to ensure the collection, use, retention, and sharing of personal information be “reasonably necessary and proportionate to achieve the purposes for which the personal information was collected or processed,” and disclose a data retention policy reflecting this along with the requirement that data not be retained for longer than reasonably necessary given the applicable disclosed purpose. Action item: Identify purposes of collection and use, and the period for holding of personal information and period for storage of information; prepare data retention policy to account for and reflect same.

(5) Where personal information is shared with third parties, the home page of the business must include a button enabling consumers to opt out of such sharing. Many companies already required to have a “Do Not Sell My Personal Information” will either need a second button regarding sharing or a combination “Do Not Sell or Share My Personal Information” button. Action item: Determine which buttons will be required and incorporate into the website.

(6) In addition to their rights currently offered consumers under the CCPA, the CPRA requires companies to enable consumers to correct errors in their personal information and have that personal information transferred to a third party. Action item: Update Privacy Policy to reflect additional rights.

Effects on Third-Party Agreements Regarding Sharing and Use of Personal Information

(7) The CRPA requires that those companies that share personal information with service providers and other third parties contractually obligate such recipients to process the personal information with the CPRA-required level of protection. Action item: Review and amend forms and existing contracts to incorporate such provisions.

Enforcement

(8) The CPRA removes the 30-day cure period for government enforcement, and companies will no longer be able to rely on the notice and cure period to avoid liability for noncompliance. Action item: Generally incorporate proactive compliance behaviors.

(9) The CPRA expands the private right of action currently limited to data breaches resulting from unreasonable security practices to also apply to the unauthorized access to and/or disclosure of an “email address in combination with a password or security question and answer that would permit access to an account” where reasonable security practices were not in place. Action item: Ensure proper security practices, policies, and tools are in place.

Insurance

(10) While neither the CCPA nor the CPRA includes any provisions concerning insurance, the willingness of insurance companies to offer policies limiting liability for damages arising from the acts, whether in the form of government penalties and fines or private actions, is evolving. Action item: Review insurance policies and discuss available coverage with your broker.

California law continues to define and expand consumer protections around privacy rights in personal information. While this landscape will continue to evolve, whether from additional state law or potential federal legislation, it is important that corporate legal, marketing, and IT teams coordinate to stay current on and compliant with the law to best ensure new requirements result in reasonable compliance steps rather than costly and potentially insurmountable sea changes.

Reprinted with permission from the December 3, 2020 issue of The Recorder. © 2020 ALM Media Properties, LLC. Further duplication without permission is prohibited. All rights reserved.

Firm Highlights

Publication

Employee Data under the CCPA: Expiration of Employer Exemptions Requires Compliance as of January 1, 2023

Since the California Consumer Privacy Act (“CCPA”) was passed in 2018, employers have been watching carefully to see how the law will apply to data collected and maintained about their employees. Up until now, ...

Read More
Publication

Continuing Use of CGL Policies to Cover Data Breach Losses

Our lives and the products and devices we use become more dependent on data by the day. As a result, cyberattacks and data breaches present everchanging risks to companies and individuals, and the importance...

Read More
Publication

California AG Signals Enforcement of the Global Privacy Control Under the CCPA

As companies prepare for the provisions of the California Privacy Rights Act (“CPRA”) to come into effect in January 2023, California Office of Attorney General (“OAG”) has signaled that companies should not wait to...

Read More
Publication

California Passes Landmark Privacy Protections for Children With Big Implications for Online Providers

Governor Newsom recently signed into law AB 2273 , the California Age-Appropriate Design Code Act (CA AADCA), making California the first state to pass broad privacy protections for children. The CA AADCA is modeled...

Read More
Publication

Using Multi-Factor Authentication as a Prerequisite to Cyber Liability Coverage

Multi-factor authentication (MFA) is more than an annoying popup or text message when logging onto a company’s website or platform. Not only is using MFA a sound security practice and good business, it is frequently...

Read More
Publication

Cybersecurity Regulation: Key Takeaways From an Unusual FTC Order That Will Follow CEO for a Decade

The FTC recently issued a proposed order that would settle an enforcement action against Drizly, LLC and its co-founder and CEO, James Rellas, arising from data breaches in 2018 and 2020 that affected over...

Read More
Publication

The War Exclusion in a Time of War

The “war” exclusion has gotten more attention over the past couple of weeks in light of Russia’s invasion of Ukraine. For good reason. This exclusion, common in property and liability policies alike, typically eliminates...

Read More
Publication

Caught in the Crossfire — How Will the War Exclusion Affect Commercial Policyholders?

The war exclusion has received a lot of attention over the past year, particularly since Russia invaded Ukraine in February. Policyholders’ concern that insurers will assert the exclusion as a basis to deny coverage...

Read More
Publication

Uber’s Former Chief Security Officer Found Guilty of Obstruction For Coverup of Data Breaches

On October 5, 2022, after a monthlong jury trial, former Uber Chief Information Security Officer Joseph Sullivan was found guilty of obstructing proceedings of the Federal Trade Commission (FTC) and misprision of a felony...

Read More
Publication

Maximizing Your Insurance Coverage for Data Privacy Liability

With news of massive data breaches making headlines in recent years, the handling of personal data has become a focus for legislators and regulators around the world. Compliance with data privacy regulations such as the...

Read More