California voters have approved the new California Privacy Rights Act (“CPRA”). The margin was 56% – 44% – comfortable, if significantly tighter than pre-election polling that showed CPRA winning in a landslide. That comes on the heels of the California Attorney General’s release of still more proposed amendments to the regulations for the existing California Consumer Privacy Act (“CCPA”). Below we sum up these important changes emerging from Sacramento. We also note some possible Election Day impacts on the privacy law reforms that have been percolating in Washington, D.C.

CPRA Expands Consumer Protections

New Consumer Protections and Rights

  • Sensitive Personal Information and the Right to Limit Use
  • CPRA defines a new category of “Sensitive Personal Information.” The new category includes data elements such as Social Security number, ethnic origin and religious beliefs.
  • Consumers now have the right to “limit the use of [their] sensitive personal information to that use which is necessary to perform the services or provide the goods reasonably expected by an average consumer who requests such goods or services.” That appears to mean, among other things, no use of sensitive personal information for marketing or analytics.
  • California here follows the path carved by the European Union’s influential General Data Protection Regulation (“GDPR”). GDPR increasingly is the template from which other jurisdictions are cutting their own privacy laws. It provides heightened protections for sensitive personal data, defined as including topics like race, political opinion, health and sexuality.
  • Right to Correct Personal Information
  • Consumers now have a “Right to Correct Inaccurate Personal Information.” This permits them to request that businesses use “commercially reasonable efforts” to correct inaccuracies.
  • CCPA already allows consumers to request access to their data and to request that the data be deleted—but is silent on the scenario where consumers want correction rather than deletion. CPRA fills this gap.

Clarifications on Covered Data and Transactions

  • Selling OR Sharing Consumer Data
  • CCPA already broadly regulates companies “selling” a consumer’s personal information. CPRA broadens this to include “sharing” of personal information, even where no money or other consideration is exchanged. CCPA’s restrictions and obligations around “selling” now apply equally to “sharing.” Consumers’ “Do Not Sell” right will now be a “Do Not Sell or Share” right; the “Do Not Sell” button required on business websites now becomes a “Do Not Sell or Share” button.
  • The definition of “sharing” specifically excludes business transfers of personal data as an asset to third parties when it is part of a merger, acquisition, bankruptcy or other transaction in which the third party assumes control of all or part of the business, provided that the information is used or shared consistently with the law.
  • HR and B2B Exemptions Extended
  • The Act extends the exemptions in this title for HR and business to business information until January 1, 2023. These exemptions originally were set to expire on January 1, 2021. As we previously reported, prior to the passage of CPRA the California legislature had already extended the exemptions to January 1, 2022. Businesses will welcome the extra year of these key exemptions.
  • Loyalty, Rewards, Premium Features, Discounts, or Club Card Programs
  • Companies are now expressly permitted to have loyalty and rewards programs that provide special benefits to participants.
  • Timeframe for Implementation and Covered Data
  • The law becomes enforceable on January 1, 2023, giving companies a little over two years to get their compliance houses in order. Consumers’ data requests, though, will relate back one year. This means a request made after CPRA’s effective date may require searching for, disclosing, correcting or deleting data going back as far as January 1, 2022.
  • Businesses are not required to keep personal information for any length of time just to comply with such requests.

Enforcement Considerations

  • New Penalties for Intentional Violations Involving Data of Minors
  • Any business, service provider, contractor or other person that violates California privacy law as it pertains to minors, where the company has actual knowledge that the minor is under 16, could face fines of $7500 for each violation.
  • New “California Privacy Protection Agency”
  • CPRA creates a new California Privacy Protection Agency to focus exclusively on enforcing the state’s privacy law. (We would call it the CPPA, but enough with the acronyms already.)
  • The Act also appropriates $5 million for FY 2020–2021 and $10 million each following year to fund the new agency.

CPRA also directs the California Attorney General to adopt regulations addressing its new provisions and other key privacy topics, namely “automated decision-makers” (a/k/a artificial intelligence) and “precise geolocation” data. As the AG regulates in these areas, covered companies’ obligations will shift again.

Takeaways for Covered Businesses

  • Two words: Data minimization. As legal obligations around data grow, the easiest way to avoid violations of CPRA is to not have the data. CPRA thus is a good prompt to map and inventory data, consider what among the inventoried data is “reasonably necessary” for collection and retention in serving consumers and delete/stop collecting what isn’t necessary. Businesses might pay special attention to minimizing sensitive personal data and children’s data, given the increased enforcement risk that CPRA carries for those categories.
  • In the year ahead, companies should review and refresh their data-handling policies and procedures to meet CPRA’s new obligations. They should then train relevant employees on the new policies and procedures.
  • The creation of the new Privacy Protection Agency may well point towards an uptick in enforcement activity. As the province of a standalone agency, privacy enforcement will no longer compete for resources and attention with the countless other issues in the California AG’s jurisdiction. A standalone privacy agency will likely want to justify its existence through aggressive activity, possibly going beyond the “usual suspects” in Big Tech to address other business sectors.
  • CCPA’s private right of action for data breaches remains, but CPRA does not create any new private rights of action. This leaves the Privacy Protection Agency as the sole driver of enforcement for non-data-breach violations.
  • The Act also retains the “opt-out” model whereby consumers generally do not need to affirmatively consent to data collection or sharing. The picture is more complicated for third-party ad-tech companies. Under CPRA, they must now provide notice to consumers and give them the choice to opt out of having their personal data sold or shared.

Modified CCPA Regulations

The current CCPA regulations took effect August 14, 2020. Prior to that, the AG released serial public drafts of the regulations and took public comments on each draft. If you thought the current regulations would therefore be a settled matter—turns out, not so much. Here are the highlights of the AG’s latest proposed modifications:

  • Businesses that collect personal information from consumers in brick-and-mortar stores would have to provide notice, via an offline method, that consumers can opt out of having their personal information sold to other parties. The amendment offers several possible means by which to notify consumers. Those include (1) printing the notice on the paper forms that collect the personal information, (2) posting signage directing consumers to where the notice can be found online or (3) orally over the phone when the information is collected.
  • Methods for submitting requests to exercise the right to opt out would have to be easy for consumers to execute. That means minimal steps. Proposed best practices include (1) not having more steps to opt out than it took to opt in and (2) not requiring consumers to search or scroll through the text of a privacy policy or similar document to locate the opt-out mechanism.
  • Businesses would be allowed to require an authorized agent who submits a request to know or a request to delete on behalf of a consumer to provide proof that the consumer gave the agent signed permission to submit the request.
  • Businesses that are engaging with children under 16 years of age would have to include, in their consumer-facing policies, a description of the processes for opting into the sale of their personal data.

The public comment period for these proposals closed late last month. It remains to be seen whether the AG will finalize these amendments in the form proposed or make further changes as the AG has done in the past.

Takeaways

  • Further amending these regulations complicates compliance. Businesses might reasonably ask the AG to stop amending, for a while, so they can finish getting organized to comply with the already significant burdens of CCPA.
  • Still, these changes are relatively minor and mostly serve to clarify preexisting requirements by spelling out examples of how to comply.

And, On The East Coast . . .

In recent years, there has been something approaching consensus for U.S. adoption of  a GDPR-like federal regime. Leaders in both parties, and leading companies in the business community, have expressed general support for the idea of a single, level playing field in privacy law. Joe Biden has stated that the United States should create “standards not unlike the Europeans.” Yet none of the many bills introduced in recent years have emerged from the scrum on Capitol Hill. Sticking points have included whether a federal bill would preempt state laws like CCPA and CPRA, whether it would create a private right of action, and what enforcement authority would be given to the FTC.

It is hard to gauge which way the election results will tilt the debate. CCPA is the first omnibus privacy law and was born in a deep-blue state. So it seems plausible that Democrats, at least, would see CCPA, along with GDPR as a starting point.  Republicans generally have been more inclined towards preemption, less sympathetic to a private right of action, and less favorable towards FTC authority. At this writing, it seems entirely possible that control of the executive and legislative branches will remain divided between the parties. So adoption of any form of federal privacy law will require compromise on these key issues.

* * *

Please do not hesitate to contact us with any questions. To subscribe to the Data Blog, please click here.

Author

Jeffrey Cunard, managing partner of Debevoise's Washington, D.C. office, leads the firm’s corporate intellectual property, information technology and e-commerce practices. He has broad experience in transactions, including software and technology licenses, joint ventures, mergers and acquisitions, and outsourcing arrangements. Mr. Cunard’s practice also encompasses copyright litigation. He is an internationally recognized practitioner in the field of the Internet and cyberlaw, a member of the firm’s Data Strategy & Security practice, and advises in U.S. and international media and telecommunications law, including privatizations and regulatory advice. He can be reached at [email protected].

Author

Luke Dembosky is a Debevoise litigation partner based in the firm’s Washington, D.C. office. He is Co-Chair of the firm’s Data Strategy & Security practice and a member of the White Collar & Regulatory Defense Group. His practice focuses on cybersecurity incident preparation and response, internal investigations, civil litigation and regulatory defense, as well as national security issues. He can be reached at [email protected].

Author

Jeremy Feigelson is a Debevoise litigation partner, Co-Chair of the firm’s Data Strategy & Security practice, and a member of the firm’s Intellectual Property and Media Group. He frequently represents clients in litigations and government investigations that involve the Internet and new technologies. His practice includes litigation and counseling on cybersecurity, data privacy, trademark, right of publicity, false advertising, copyright, and defamation matters. He can be reached at [email protected].

Author

Avi Gesser is a Debevoise cybersecurity and litigation partner. He is a member of the Debevoise Data Strategy & Security Group, as well as the White Collar & Regulatory Defense Group. Avi has extensive experience advising on a wide range of cybersecurity matters, incident response issues, data strategy concerns and artificial intelligence risks. He can be reached at [email protected].

Author

Jim Pastore is a Debevoise litigation partner and a member of the firm’s Data Strategy & Security practice and Intellectual Property Litigation Group. He can be reached at [email protected].

Author

Frank Colleluori is an associate in Debevoise's Litigation Department. He can be reached at [email protected].

Author

Tigist Kassahun is a corporate associate and a member of Debevoise’s Intellectual Property and Mergers & Acquisitions Groups. She is also active in the firm’s Data Strategy & Security practice. She can be reached at [email protected].

Author

Mengyi Xu is an associate in Debevoise's Litigation Department and a member of the firm’s Data Strategy & Security practice. Her cybersecurity and data privacy practice focuses on compliance design, incident preparation and response, and regulatory notification. She can be reached at [email protected]