While scholars of the finer points of Californian privacy law will have immediately noticed the redundancy in the title of this post, an important clarification is in order for those less familiar: Prop 24, CPRA, and CCPA 2.0 all, somewhat confusingly, refer to the same thing. On November 3, 2020, Californians approved a ballot initiative known as Proposition 24, also known as the California Privacy Rights Act (CPRA) or California Consumer Privacy Act (CCPA) 2.0. This ballot initiative was backed by real estate investor Alastair Mactaggart and his Californians for Consumer Privacy group, which, if you’ll recall some of our earlier posts on the topic, is the same cohort that brought us the first iteration of CCPA.
In becoming law, CPRA notably charted a different course than CCPA, even though both began life as ballot initiatives. In CCPA’s case, California lawmakers ultimately intervened and introduced mirroring legislation in the State Assembly prior to the 2018 general election that preempted the need for a statewide vote. Importantly, this action preserved the legislature’s ability to superintend the law over time. However, on June 25, 2020, Mactaggart’s group announced that CPRA received enough signatures to officially qualify for the 2020 general election in California and that, this time around, they would take their language directly to voters. On election day 2020, the initiative passed 56 percent – 44 percent.
So, what does CPRA actually do? I wish I could tell you that its text is more straightforward than its legislative history, but unfortunately that is not the case. Substantively, CPRA functions as a red-line edit of CCPA – meaning that CPRA doesn’t replace CCPA so much as update it, with the underlying law remaining operative until CPRA’s changes take effect on January 1, 2023. In updating CCPA, CPRA adds new consumer rights, recalibrates eligibility thresholds, redefines certain key terms, and creates an entirely new regulatory body to enforce the law and draft implementing regulations, among many other changes.
ACT | The App Association recognizes that the complex changes represented in CPRA may be challenging to follow or simply dipped beneath the radar during such a tumultuous time. That is why, back in November 2020, our Connected Health Initiative hosted Innovators Network Foundation Privacy Fellow and California privacy expert Eric Goldman to lead a webinar to unpack the new law. If you are looking for an in-depth primer on CPRA, Professor Goldman’s presentation is a great place to start.
For those more inclined to a quick and dirty text-based summary, continue along here as we highlight some of the key changes effectuated by CPRA.
Updated Coverage Threshold
CCPA defined a covered business as a for-profit entity doing business in California: i) generating annual revenues of over $25 million a year; ii) annually buying, selling, or sharing personal information of 50,000 or more consumers or households; or iii) deriving 50 percent or more of its annual revenue from selling personal information. CPRA modifies the second prong of the coverage test, increasing the threshold for covered businesses from 50,000 to 100,000 consumers.
Creation of New Privacy Agency
CPRA creates a new California-specific privacy agency, the California Privacy Protection Agency (CPPA), which will supplant the California Attorney General’s office as the statute’s primary enforcement and rulemaking body. The governance of CPPA will include a five-member board, with appointments expected from California lawmakers by the end of January 2021. The new agency will promulgate rulemakings to clarify existing ambiguities in the law, likely including:
- Design and expectations for required opt-out mechanisms and processes;
- Business obligations and timelines to respond under verifiable consumer requests; and
- Standards for annual cybersecurity audits and risk assessments.
The agency may begin rulemakings as early as July 1, 2021.
New Consumer Rights
The CPRA creates several new consumer rights and amends existing rights to extend beyond what was offered through CCPA.
These include:
- The right to limit use of sensitive personal information. CPRA creates a new data category, “sensitive personal information,” to which additional consumer rights attach. Beginning in 2023, businesses will need to obtain opt-in consent prior to the sale of any sensitive information. Consumers also gain the right to opt out, at any time, of the use of sensitive data for advertising.
- “Sensitive data” under the new initiative would include precise geolocation data, biometric information, some financial information, data concerning a consumer’s health, and personal information that would reveal race or ethnic origin, sexual orientation, and union membership, among other categories.
- Businesses will also need to disclose whether the company collects, sells, or shares any sensitive personal information, as well as the categories of sensitive personal information collected, the purposes for which they will be used, whether this information will be sold or shared, and the length of time the business intends to retain each category of sensitive personal information.
- Finally, businesses will need to create and prominently display a new “Limit the Use of My Sensitive Information” button to allow consumers to exercise their opt-out rights. This can either be a standalone button or an adaptation of the existing “Do Not Sell My Personal Information” button.
- The right to correct inaccurate personal information. Though enshrined in Europe’s General Data Protection Regulation (GDPR), as well as a feature of most comprehensive privacy legislation at the federal level, the right to request covered businesses to correct any inaccurate personal information a business holds about them was not previously available to Californians.
- An expanded right to opt out. CPRA alters the definition of “sale,” effectively expanding the existing opt-out rights to include both the sale and “sharing” of personal information. Sale is redefined to include either the transfer or making available of a “consumer’s personal information by the business to a third party for cross-context behavioral advertising, whether or not for monetary or other valuable consideration.” Under CCPA, it was unclear whether non-monetary sharing of personal information would constitute a sale.
- New opt-out and access rights relative to automated decision-making. Under CPRA, consumers may opt-out from inclusion in a business’s automated decision-making processes, which includes the automated processing of personal information to evaluate aspects of an individual and to profile consumers’ “performance at work, economic situation, health, personal preferences, interests, reliability, behavior, location or movements.” Consumers may also request from covered businesses “meaningful information about the logic involved in such decision-making processes, as well as a description of the likely outcome of the process with respect to the consumer.”
- New rights and penalties regarding misuse of children’s data. The initiative would require opt-in (as opposed to opt-out) consent for the collection of children’s (under 16 years of age) information and would triple the fines enumerated in CCPA for violations involving this data.
Clarification of Contractual Relationships
Under CCPA, there was some uncertainty regarding the statute’s obligations upon service providers and those further down the data sharing chain. To clarify, CPRA defines a new type of entity, a “contractor,” which is “a person to whom the business makes available a consumer’s personal information for a business purpose pursuant to a written contract.” CPRA then harmonizes contractor obligations with those of service providers – a category that previously existed under CCPA. Under CPRA, both service providers and contractors must provide the same level of privacy protection that covered businesses must provide under the law and are prohibited from further sharing or selling personal data pursuant to the contract, processing it for any purposes other than those specified in the contract or combining it with data received or collected through other means, with some exceptions. Service providers and contractors must also work with businesses to respond to verifiable consumer requests, including deletion requests. Service providers and contractors are separately liable if they use the personal information they receive from businesses in violation of CPRA.
The App Association will remain a resource for updates to CPRA, including any substantive rulemakings from the new CPPA. Stay tuned, and in the meantime, follow the App Association and INF on Twitter for timely updates and thought leadership on all things privacy.