Insights
Publications

Top 10 Practical Business Implications Arising From the Passage of the CPRA

December 03, 2020 Articles
The Recorder

California’s Proposition 24 passed as expected, and the new California Privacy Rights Act will change the privacy landscape created by the California Consumer Protection Act (CCPA), which went into effect only months ago. While the CPRA won’t go into effect until Jan. 1, 2023, with enforcement (concerning data collected from Jan. 1, 2022 and later) beginning no sooner than July 1, businesses should already be in a position to comply.

In short, the difficult work in marshaling the data subject to the CPRA will need to have been undertaken in connection with CCPA compliance. As such, assuming a business has taken efforts to comply with the CCPA, the new law will require evolution rather than revolution of companies’ privacy practices. That does not mean, however, there is not work to be done, and companies subject to the CPRA should be taking steps to comply sooner rather than later.

Applicability

(1) It should be noted that the CPRA amends, incorporates, and replaces the CCPA. The definition of companies subject to the new act is narrowed, and so those that would not be subject to the CCPA will similarly not be subject to the CPRA. Certain companies currently subject to the CCPA will not be subject to the CPRA, and after Dec. 31, 2022 will no longer have to comply with the requirements of the CCPA (or, obviously, the CPRA). This would mainly include companies who collect and use the personal information of more than 50,000 but less than 100,000 California data subjects. Such companies should continue satisfying the requirements of the CCPA through at least the end of 2022. Action item: Determine applicability of CCPA and CPRA to identify compliance regime.

(2) The CPRA has extended the deadlines under the CCPA concerning personal information of employees and business-to-business contacts until Jan. 1, 2023. Thus, companies subject to the CCPA that will not be subject to the CPRA need not take steps to bring the collection and use of this specific data into compliance with the applicable provisions of the CCPA. Action item: Determine whether employee and b2b data and the associated deadlines are relevant to your company’s compliance.

Further Refinement of Data Identification and Treatment

(3) The CPRA will require companies to further segregate certain “Sensitive Personal Information” and treat such data differently than other personal information. Consumers will need to be given heightened notice and be able to limit the use or disclosure of such information, which is defined to include things like Social Security, driver’s license, state ID card, or passport numbers, log-in or financial information in combination with any required information enabling access to such information, geolocation information, contents of the consumer’s communications with third parties, racial, genetic, or ethnic information, biometric information used for identification (e.g., fingerprint or facial recognition access methods), health information, and sex life and sexual orientation information. Action item: Determine Sensitive Personal Information within Personal Information and account for differing treatment.

(4) Companies will need to ensure the collection, use, retention, and sharing of personal information be “reasonably necessary and proportionate to achieve the purposes for which the personal information was collected or processed,” and disclose a data retention policy reflecting this along with the requirement that data not be retained for longer than reasonably necessary given the applicable disclosed purpose. Action item: Identify purposes of collection and use, and the period for holding of personal information and period for storage of information; prepare data retention policy to account for and reflect same.

(5) Where personal information is shared with third parties, the home page of the business must include a button enabling consumers to opt out of such sharing. Many companies already required to have a “Do Not Sell My Personal Information” will either need a second button regarding sharing or a combination “Do Not Sell or Share My Personal Information” button. Action item: Determine which buttons will be required and incorporate into the website.

(6) In addition to their rights currently offered consumers under the CCPA, the CPRA requires companies to enable consumers to correct errors in their personal information and have that personal information transferred to a third party. Action item: Update Privacy Policy to reflect additional rights.

Effects on Third-Party Agreements Regarding Sharing and Use of Personal Information

(7) The CRPA requires that those companies that share personal information with service providers and other third parties contractually obligate such recipients to process the personal information with the CPRA-required level of protection. Action item: Review and amend forms and existing contracts to incorporate such provisions.

Enforcement

(8) The CPRA removes the 30-day cure period for government enforcement, and companies will no longer be able to rely on the notice and cure period to avoid liability for noncompliance. Action item: Generally incorporate proactive compliance behaviors.

(9) The CPRA expands the private right of action currently limited to data breaches resulting from unreasonable security practices to also apply to the unauthorized access to and/or disclosure of an “email address in combination with a password or security question and answer that would permit access to an account” where reasonable security practices were not in place. Action item: Ensure proper security practices, policies, and tools are in place.

Insurance

(10) While neither the CCPA nor the CPRA includes any provisions concerning insurance, the willingness of insurance companies to offer policies limiting liability for damages arising from the acts, whether in the form of government penalties and fines or private actions, is evolving. Action item: Review insurance policies and discuss available coverage with your broker.

California law continues to define and expand consumer protections around privacy rights in personal information. While this landscape will continue to evolve, whether from additional state law or potential federal legislation, it is important that corporate legal, marketing, and IT teams coordinate to stay current on and compliant with the law to best ensure new requirements result in reasonable compliance steps rather than costly and potentially insurmountable sea changes.

Reprinted with permission from the December 3, 2020 issue of The Recorder. © 2020 ALM Media Properties, LLC. Further duplication without permission is prohibited. All rights reserved.

Firm Highlights

Publication

Thomson Reuters v. Ross Intelligence: AI Copyright Law and Fair Use on Trial

On Sept. 25, 2023, Judge Stephanos Bibas (sitting by designation in the District of Delaware), determined that fact questions surrounding issues of fair use and tortious interference required a jury to decide media conglomerate...

Read More
Publication

California Appeals Court Empowers Privacy Agency to Immediately Enforce CCPA Regulations

In  California Privacy Protection Agency et al. v. The Superior Court of Sacramento County  (case number C099130), the Third Appellate District of the California Court of Appeal returned authority to the California Privacy Protection...

Read More
Publication

Top 5 Privacy Cases To Watch, From Chatbots to Geolocation

Litigation — and threats of litigation — related to privacy law violations have been on the rise recently. While some judges have pushed back on the theories set forth by plaintiffs, new privacy lawsuits...

Read More
Publication

It Wasn’t Me, It Was the AI: Intellectual Property and Data Privacy Concerns With Nonprofits’ Use of Artificial Intelligence Systems

In today's rapidly changing technological landscape, artificial intelligence (AI) is making headlines and being discussed constantly. To be sure, AI provides a powerful tool to nonprofits in creating content and exploiting for countless cost-effective...

Read More
Publication

Nonprofits’ Use of Artificial Intelligence Systems: Intellectual Property and Data Privacy Concerns

In today's rapidly changing technological landscape, artificial intelligence (AI) is making headlines and being discussed constantly. To be sure, AI provides a powerful tool to nonprofits in creating content and exploiting for countless cost-effective...

Read More
Publication

California Proposes New AI & Automated Decision-Making Technology Regulations

The California Privacy Protection Agency (CPPA) released its draft  regulatory framework for automated decision-making technology (ADMT) on November 27. These regulations are a preview of what new requirements may look like for companies currently...

Read More
Publication

Enforcement of CPRA Regulations Delayed

Shortly before the California Privacy Right Act (CPRA) modifications to the California Consumer Privacy Act (CCPA) were set to become enforceable on July 1, 2023, a Sacramento Superior Court judge issued a ruling on...

Read More
Publication

BIPA Liability: Existing CGL Coverage May Provide a Lifeline for Policyholders

Developments in the law have increased the potential liability that companies could face under the Illinois Biometric Information Privacy Act (BIPA), but fortunately for policyholders, Illinois case law has also solidified coverage for BIPA...

Read More
Publication

Court Reinstates CPPA Enforcement Authority and Confirms No Delay Necessary for Enforcement of Future CCPA Regulations

A recent appellate decision has made clear that the regulations promulgated under California’s groundbreaking consumer privacy law, the California Consumer Privacy Act (CCPA, as amended by the California Privacy Rights Act (CPRA)), are ripe...

Read More
Publication

California AI Proposal Rethinks Consumer Scope and Recordkeeping

The California Privacy Protection Agency will revisit its  draft  regulations for automated decision-making technology on March 8, including use of artificial intelligence to process personal information. Comment periods should be coming soon in 2024...

Read More