California Privacy Rights Act Now Effective | Tonkon Torp LLP
On January 1, 2023, the California Privacy Rights Act (CPRA) went into full force and effect, heralding a new era of statewide personal information (PI) regulation. The CPRA provides even more protections for the privacy rights of California consumers than previously established under the California Consumer Privacy Act of 2018 (CCPA).
The CPRA is an appendix to the CCPA, operating as a series of significant amendments to existing law. The CCPA applies to any for-profit entity doing business in California that collects, shares, or sells personal information of California consumers and meets at least one of the following three criteria: (i) gross receipts exceed $25 million (total, not only in California); (ii) owns the PI of 50,000 or more California consumers, households or devices; or (iii) earns more than half of its annual revenue from the sale of California consumer PI.
The CPRA extends the scope of California’s requirements to any entity that owns, is owned by, or shares a common brand with a covered business. It also extends its regulatory reach to a third set of applicable entities: joint ventures or partnerships made up of businesses in which each business has at least a 40% interest. The joint venture or partnership itself, and any business constituting the joint venture or partnership, will be separately considered a single business for the purposes of applying the CPRA. Additionally, the CPRA holds businesses accountable for how third parties use, share or sell PI when the business was the one that collected the PI in the first place.
The CPRA also creates a new category of sensitive PI (SPI), regulated separately from ordinary PI. SPI includes: data on race and ethnicity; religious, political and philosophical beliefs; data on sex life and sexual orientation; genetic and biometric data; health data; location data; social security and driver’s license numbers; and financial information.
The CPRA introduces four new consumer privacy rights and expands five existing rights under the CCPA. The four new CPRA rights are:
Right to Correction: California residents may request to have inaccurate PI and SPI corrected;
Right to Know About Automated Decision-Making: California residents may request access to and knowledge about how a business’s automated decision-making technologies work and the potential results of using such technologies;
Right to Opt Out of Automated Decision-Making: California residents may opt out of having their PI and SPI used to draw automated inferences (e.g., profiling, behavioral advertising, etc.); and
Right to Restrict Use of SPI: California residents may restrict a business’s use of SPI (particularly with respect to sharing with third parties).
The five modified CCPA rights are:
The right to erasure is extended to require businesses to notify third parties of California residents’ requests to erase PI;
The right to know what PI has been collected by a business is extended beyond the previous 12-month time period in the CCPA;
The right to opt out is expanded to allow California residents not only to opt out of the sale of PI, but also to opt out of the sharing and sale of PI specifically for behavioral advertising;
The rights of minors are expanded to require that minors opt out of a business’s sharing of PI for behavioral advertising; and
The right to data portability is expanded to allow California residents to request that their PI be transferred to other businesses or organizations.
In practice, businesses will need to obtain consumer consent in California in more scenarios than before. The CPRA renews the CCPA’s previous requirements about how business websites enable consumers to opt out of having their PI sold or shared, and adds requirements about how websites enable users to exercise their right to limit the use of SPI. Businesses should consult with legal counsel to ensure compliance with the CPRA. Enforcement by the newly created California Privacy Protection Agency (CPPA) is set to begin on July 1, 2023, with a review period for data collected from January 1, 2022. The CPPA may investigate potential violations on its own initiative and administer fines on a per-violation basis.
At both the state and federal levels, there is no shortage of legislative and regulatory activity related to data privacy. Businesses should continue to consult with legal counsel to ensure compliance with the CCPA, CPRA and other relevant privacy regulations.