On November 3, 2020, Californians voted to pass Proposition 24, which modifies and expands the California Consumer Privacy Act (“CCPA”), which came into force on January 1 of this year. The new California Privacy Rights Act (“CPRA”) will supersede the CCPA effective January 1, 2023. Until that time the CCPA remains in effect.
As an initial matter, the CPRA changes the thresholds for businesses to be subject to the new law. To be a covered business under CPRA, one of the following must be present:
The business derives at least 50% of annual revenue from sharing or selling the personal information of California consumers. This is a change, in that this threshold now includes the “sharing” of personal information, thereby expanding the businesses that come under the coverage of the CPRA and particularly impacting businesses in the ad tech sector.
The business has gross revenue over $25 million. This provision is the same as under the CCPA.
The business buys, sells or shares the PI of more than 100,000 California consumers/households. This provision changes the threshold from 50,000 under the CCPA to 100,000 under the CPRA. The heightened threshold means that more small businesses will be outside the scope of the CPRA.
Other Key Changes
The 50+ page CPRA is an extensive and detailed piece of legislation. Changes to CCPA range from minor revisions and clarification, to expanding its coverage, creating a new oversight agency, introducing new concepts and enhancing individual private causes of action.
The main changes to CCPA are:
Expansion of private right of action for security breaches impacting personal information. The CPRA expands the private right of action for consumers to bring claims against a business for the unauthorized access or disclosure of an email address and password or security question that would permit access to an account, together with access to a consumer’s non-encrypted and non-redacted personal information. Additionally, the CPRA creates triple damages for violations relating to consumers who are minors under the age of 16.
Creation of Privacy Protection Agency. The CPRA creates the California Privacy Protection Agency (“CPPA”), which will replace the Attorney General’s office as the statute’s enforcer. The new agency will take up the Attorney General’s rulemaking authority on the later of July 1, 2021, or six months after it notifies the Attorney General that it is prepared to begin rulemaking. The CPPA has been given an initial budget of $10 million to fund its investigation and enforcement actions.
Limits on “Sharing” Personal Information. The CPRA expands the CCPA’s limitations on the “sharing” of personal information to include “cross-context behavioral advertising,” whether or not for monetary or other valuable consideration. This change again appears to place further regulation around the use of personal information for behavioral / targeted advertising purposes.
Creation of “sensitive personal information” Subcategory of Personal Information. The CPRA adds a new category of “sensitive personal information.” Sensitive personal information includes, among other categories, precise location, race, religion, sexual orientation, social security information, and specified health information. The CPRA creates additional limitations on the use of sensitive personal information.
Limitation on Retention Period. The CPRA sets limits on the collection and retention of personal information, requiring a business to retain only that which is reasonably necessary and proportionate to achieve the purposes for which the personal information was collected or processed. Further, the CPRA requires businesses to inform consumers of the length of time the business intends to retain each category of personal information and sensitive personal information, or the criteria used to determine that period.
Limitation of the 30-Day Cure Period. Under the CPRA, businesses no longer have a 30-day window to cure alleged noncompliance before being subject to administrative enforcement. The CPPA will nonetheless retain discretion to allow businesses to cure alleged violations, but the exclusion of a guaranteed right-to-cure makes early monitoring and compliance a much more critical area of focus for CPRA compliance. Additionally, the CPRA provides for a cure period that will halt statutory damages with respect to private actions, if the violation is remedied.
Extension of Exemption for Employee and Business-to-Business Data. The current exemptions under the CCPA for handling of employee or business-to-business data were set to expire on January 1, 2021. CPRA immediately extends the CCPA’s current partial exemptions for information relating to businesses’ employees and job applicants, as well as information collected from consumers in a “business to business” context, until at least January 1, 2023.
Automated Processing Limitations. The CPRA creates new rules governing opt-out rights connected with use of “profiling” or “automated decision making technology.” That includes consumer/employee profiling tied to work performance, economic situation, health, location and other factors. The consumer also has a right to access “meaningful information about the logic involved in such decisionmaking processes, as well as a description of the likely outcome of the process with respect to the consumer.” The CPPA is required to develop regulations addressing access and opt-out rights relating to profiling technology.
Right to Correct Inaccurate Data. The CPRA adds the right to correct consumer data to the existing rights of notice and deletion.
New Requirements and Obligations for Service Providers, Contractors, and Third Parties. The CPRA places new contractual and direct obligations on service providers, contractors and third parties. Specifically, it requires businesses that send personal information to third parties to enter into an agreement binding the recipient to the same level of privacy protection as provided by the CPRA, granting the business rights to take reasonable and appropriate steps to remediate unauthorized use, and requiring the recipient to notify the business if it can no longer comply.
When Does CPRA Come Into Force?
The CCPA remains in effect until January 1, 2023, at which time the CPRA (and its regulations) will take over. Businesses that are subject to the CCPA now should be looking ahead and taking all the necessary precautionary measures, such as compiling a data inventory, reviewing consumer rights policies and procedures, data retention practices and vendor and third party agreements, to be well-positioned for CPRA compliance.
© Polsinelli PC, Polsinelli LLP in California. National Law Review, Volume X, Number 314