Top 10 Practical Business Implications Arising From the Passage of the CPRA
California’s Proposition 24 passed as expected, and the new California Privacy Rights Act will change the privacy landscape created by the California Consumer Protection Act (CCPA), which went into effect only months ago. While the CPRA won’t go into effect until Jan. 1, 2023, with enforcement (concerning data collected from Jan. 1, 2022 and later) beginning no sooner than July 1, businesses should already be in a position to comply.
In short, the difficult work in marshaling the data subject to the CPRA will need to have been undertaken in connection with CCPA compliance. As such, assuming a business has taken efforts to comply with the CCPA, the new law will require evolution rather than revolution of companies’ privacy practices. That does not mean, however, there is not work to be done, and companies subject to the CPRA should be taking steps to comply sooner rather than later.
(1) It should be noted that the CPRA amends, incorporates, and replaces the CCPA. The definition of companies subject to the new act is narrowed, and so those that would not be subject to the CCPA will similarly not be subject to the CPRA. Certain companies currently subject to the CCPA will not be subject to the CPRA, and after Dec. 31, 2022 will no longer have to comply with the requirements of the CCPA (or, obviously, the CPRA). This would mainly include companies who collect and use the personal information of more than 50,000 but less than 100,000 California data subjects. Such companies should continue satisfying the requirements of the CCPA through at least the end of 2022. Action item: Determine applicability of CCPA and CPRA to identify compliance regime.
(2) The CPRA has extended the deadlines under the CCPA concerning personal information of employees and business-to-business contacts until Jan. 1, 2023. Thus, companies subject to the CCPA that will not be subject to the CPRA need not take steps to bring the collection and use of this specific data into compliance with the applicable provisions of the CCPA. Action item: Determine whether employee and b2b data and the associated deadlines are relevant to your company’s compliance.
Further Refinement of Data Identification and Treatment
(3) The CPRA will require companies to further segregate certain “Sensitive Personal Information” and treat such data differently than other personal information. Consumers will need to be given heightened notice and be able to limit the use or disclosure of such information, which is defined to include things like Social Security, driver’s license, state ID card, or passport numbers, log-in or financial information in combination with any required information enabling access to such information, geolocation information, contents of the consumer’s communications with third parties, racial, genetic, or ethnic information, biometric information used for identification (e.g., fingerprint or facial recognition access methods), health information, and sex life and sexual orientation information. Action item: Determine Sensitive Personal Information within Personal Information and account for differing treatment.
(4) Companies will need to ensure the collection, use, retention, and sharing of personal information be “reasonably necessary and proportionate to achieve the purposes for which the personal information was collected or processed,” and disclose a data retention policy reflecting this along with the requirement that data not be retained for longer than reasonably necessary given the applicable disclosed purpose. Action item: Identify purposes of collection and use, and the period for holding of personal information and period for storage of information; prepare data retention policy to account for and reflect same.
(5) Where personal information is shared with third parties, the home page of the business must include a button enabling consumers to opt out of such sharing. Many companies already required to have a “Do Not Sell My Personal Information” will either need a second button regarding sharing or a combination “Do Not Sell or Share My Personal Information” button. Action item: Determine which buttons will be required and incorporate into the website.
Effects on Third-Party Agreements Regarding Sharing and Use of Personal Information
(7) The CRPA requires that those companies that share personal information with service providers and other third parties contractually obligate such recipients to process the personal information with the CPRA-required level of protection. Action item: Review and amend forms and existing contracts to incorporate such provisions.
(8) The CPRA removes the 30-day cure period for government enforcement, and companies will no longer be able to rely on the notice and cure period to avoid liability for noncompliance. Action item: Generally incorporate proactive compliance behaviors.
(9) The CPRA expands the private right of action currently limited to data breaches resulting from unreasonable security practices to also apply to the unauthorized access to and/or disclosure of an “email address in combination with a password or security question and answer that would permit access to an account” where reasonable security practices were not in place. Action item: Ensure proper security practices, policies, and tools are in place.
(10) While neither the CCPA nor the CPRA includes any provisions concerning insurance, the willingness of insurance companies to offer policies limiting liability for damages arising from the acts, whether in the form of government penalties and fines or private actions, is evolving. Action item: Review insurance policies and discuss available coverage with your broker.
California law continues to define and expand consumer protections around privacy rights in personal information. While this landscape will continue to evolve, whether from additional state law or potential federal legislation, it is important that corporate legal, marketing, and IT teams coordinate to stay current on and compliant with the law to best ensure new requirements result in reasonable compliance steps rather than costly and potentially insurmountable sea changes.
Reprinted with permission from the December 3, 2020 issue of The Recorder. © 2020 ALM Media Properties, LLC. Further duplication without permission is prohibited. All rights reserved.