What the CPRA Means for the CCPA
In the fall of 2020, voters in California approved the California Privacy Rights Act (CPRA). Touted as California Consumer Privacy Act (CCPA) 2.0, the CPRA is more an addendum to and expansion of the CCPA than an entirely new law. Think of it as an update that fixes unclear parts of the previous law and adds new systems to better administer the law itself. As there are a few “breaking changes”, the 2.0 moniker is pretty apt for those in the software world.
The CPRA serves two primary purposes. The first is to clarify and expand on the rights, guidelines, and expectations set forth by the CCPA. The second is to create a new agency whose purpose is to handle the enforcement and compliance of privacy laws within the state of California.
What has changed
Rather than explore every piece of the legislation, let’s look at the big five changes the CPRA introduces.
Who is affected
The CCPA was very targeted in which types of businesses needed to comply. Unlike the GDPR or the New Zealand Privacy Act, which apply broadly to individuals or businesses in a region, the CCPA put an emphasis on business size and on how a business uses data. The privacy rights act adjusts which businesses are affected by changing some of those requirements.
First, it increases the number of customers a business needs from 50,000 to 100,000. Next, it clarifies that the 50% revenue from selling customer data can also come from sharing customer data—more on this later. Finally, it clarifies some language to better define how joint ventures and partnership businesses are affected, as well as how independent contractors should be managed and what kinds of data they can access.
Clarification on selling and sharing
The value of data is ever-increasing. The CCPA intended to apply to all companies that make the bulk of their revenue from data trading, but it wasn’t explicitly clear that any kind of sharing qualified. Now in the CPRA, the term share is added to the definitions list to mean sharing, making available, or otherwise communicating a consumer’s personal information to a third party for cross-context behavioral advertising. This, combined with the change mentioned above to include sharing along with selling, makes it clear to companies that may not explicitly be selling data that they need to also comply. This may also impact which vendors are considered service providers and which are considered third parties, as the arrangement between companies may now be subject to the law.
There are some exceptions to this. Cases where this type of data exchange is not considered sharing include:
- Whenever the consumer consents to sharing the data.
- Whenever a business shares data with a third party in order to inform the third party that the consumer has opted out of sharing.
- When the sharing occurs as part of companies merging or when one company acquires another.
That last bullet point, while accurate, can be misleading. Data will still be subject to the law when a merger or acquisition occurs, but the act of merging or acquiring a company does not count as sharing or selling personal information in the eyes of the CPRA.
New sets of rights and protections
In addition to amending which businesses are affected, the privacy rights act also adds new consumer protections to the CCPA and enhances existing ones.
- The right to rectification: Much like the feature in the New Zealand Privacy Act, this right allows consumers to correct any inaccurate personal information that a company holds.
- The right to restriction: This gives consumers the right to limit the use and disclosure of personal information. This offers more control to individuals than blanket opt-in/opt-out settings.
- Distinction between sensitive and non-sensitive information: The law adds a distinction between personal information in general and personal information that is especially harmful when disclosed. The law clarifies that businesses must notify the consumer when they collect sensitive information, which categories of sensitive information are collected, and how they intend to use that information. More on this category in the next section.
- Enhances penalties for data breaches involving minors: Essentially, fines are tripled if a data breach containing the personal information (PI) of a child is involved.
- Updates to opt-out rights: The law clarifies that sharing is also included in opt-out requirements, in addition to the previous sale-only requirement.
- Right to object to automated profiling: This new right gives consumers the ability to object to any automated decision-making or profiling. This could be situations where software makes decisions about the individual based on their personal data, or based on information the company has received about the individual.
In addition to these new and updated rights, businesses must inform customers of how long the business intends to retain each category of information. If a retention period isn’t known, the business must disclose the criteria they use for determining retention periods in each category. While this doesn’t prohibit businesses from keeping personal information indefinitely, they do need to at least disclose to their customers that they plan to do so, and why.
The law also clarifies that the non-retaliation/nondiscrimination provision does not prohibit businesses from incentivizing data sharing through loyalty programs, rewards, and similar incentives. This was unclear in the original law, which only said that a business could not punish consumers for choosing to opt out.
New category of data
We mentioned earlier that businesses must now distinguish between sensitive and non-sensitive information. This new information category is called Sensitive Personal Information (SPI). The types of information included in this category relate to the risk of harm caused by their disclosure. The list includes:
- Social security numbers
- Driver’s license numbers
- Union membership
- Personal communications or messages
- Genetic data and other health information
- Sex life, sexual history, and sexual orientation
The types of data considered sensitive will likely expand over time. It is best to refer to the original description and consider any sensitive information as information that will cause unnecessary harm were it to be disclosed.
The California Privacy Protection Agency
Perhaps the biggest impact of the California Privacy Rights Act is the creation of a new enforcement agency, the California Privacy Protection Agency (CPPA). Unlike the EU’s Data Protection Authority or New Zealand’s privacy commissioner, the US does not have a federal agency dedicated to enforcing compliance—because the US also lacks a federal data privacy law. This act establishes the new agency to handle all violations, compliance regulations, and penalties. The CPPA will also aid businesses in becoming compliant when an offense arises, and the agency can help answer general questions about compliance. It is important to know, though, that it is not the agency’s responsibility to guide companies toward compliance.
In addition to acting as a governing agency for compliance enforcement, the CPPA is also tasked with, and given the power to, update the privacy law over time. As technology and the needs of consumers change, the agency can enhance the CCPA. This ensures that the CCPA will remain the standard over time, rather than be replaced by future legislation.
What you should begin doing to ensure compliance
Our overview of the California Consumer Privacy Act covers the basics that you need to know, but you should begin to put your audit process in place right away. The California Attorney General will likely begin requiring that businesses perform audits on an annual basis, and regularly submit risk assessments when the personal information a business stores presents significant risk to the privacy and security of consumers.
The changes introduced in the CPRA are still a ways out. Enforcement of the law does not begin until July 1, 2023. It will, however, apply to all information captured after January 1, 2022. At the time of this writing, that gives most businesses just shy of a year to implement the necessary parts—such as correctly labeling sensitive information.
Now that the creation of a dedicated agency has been finalized, we expect future addendums to the CCPA to come frequently as new privacy needs arise. Building a culture around data privacy is the best way to prepare, whether your company currently falls into the criteria for CCPA compliance or whether it will in the future.