California voters have spoken: in November 2020, they voted to enact the California Privacy Rights Act (CPRA), which will mark a significant expansion of California’s existing privacy laws when it takes effect on January 1, 2023. While the CPRA maintains the core framework of the predecessor California Consumer Privacy Act (CCPA), it is a 52-page behemoth that introduces a number of substantive changes to the CCPA, in many ways inspired by the EU’s broad General Data Protection Regulation (GDPR). As a result, compliance will necessitate a careful review of existing practices and thoughtful changes to contracts, privacy notices, individual rights response procedures, and other privacy operations. Pending the CPRA’s effective date, the CCPA will remain in effect.
Businesses that have already undertaken compliance steps for the CCPA have a good head start, but the passage of the CPRA means there is more work to be done. This post sets out key practical steps that CCPA-compliant businesses should be focusing on now to hit the ground running to comply with the CPRA. Notably, the CPRA also creates a new California Privacy Protection Agency that, once established, will issue new regulations interpreting the CPRA (taking over from the California Attorney General), so full compliance will be a moving target between now and 2023.
This is the first in a multi-part series of blog posts that will provide further analysis of the CPRA.
Identify whether any new exceptions to the definition of “personal information” apply
While the CPRA is making headlines for the concepts it borrows from the GDPR and the ways it expands on existing CCPA obligations, it also introduces a few carveouts to the overall applicability of the law. These carveouts include new, context-specific exceptions to the definition of “personal information,” including an expanded definition of “publicly available” information. Under the CCPA, “publicly available” covers only information lawfully made available from government records; under the CPRA it will also cover information that the consumer has made publicly available and information from widely distributed media. In addition, the CPRA excludes lawfully obtained, truthful information that is a matter of public concern from the definition of “personal information.” While there is some ambiguity around the scope of these expanded exceptions, they may reduce CPRA compliance obligations for some of the information a business maintains.
Businesses should closely review their data maps and refresh them to account for the new exceptions. This will help assess whether certain information may fall outside the scope of the CPRA. Updated data maps will also help with other compliance obligations, such as the new requirements applicable to certain uses of sensitive personal information (discussed below).
Evaluate whether transfers of personal information are considered “sharing”
The CPRA introduces a new concept of “sharing” personal information, defined as disclosing it to a third party for cross-context behavioral advertising, regardless of whether money or other valuable consideration is exchanged. A business that engages in sharing must post a link titled “Do Not Sell or Share My Personal Information” and give consumers an opportunity to opt out of sharing.
For businesses that already comply with the CCPA, this will sound familiar: it mirrors the existing “sale” opt-out requirements. “Sales” under current California law occur when personal information is transferred or otherwise made available to a third party in exchange for money “or other valuable consideration.” Commentators have debated whether cross-context behavioral advertising is undertaken for “other valuable consideration,” and thus subject to the “sale” opt-out. The new definition of “sharing” under the CPRA puts this debate to bed and makes clear that this type of disclosure is subject to a consumer opt-out.
In addition, sharing does not extend to transfers to “service providers” or “contractors”. This is notable because many online advertisers, cookie providers, and other adtech stakeholders act as service providers. Provided those service providers agree to certain restrictions on their use of information, transfers to such parties will not be subject to the expanded opt-out right.
In practical terms, businesses should evaluate whether any disclosures of personal information are considered “sharing,” and if so, implement the appropriate opt-out measures.
Identify and evaluate all uses of “sensitive personal information”
The CPRA also introduces a new defined term, “sensitive personal information,” which is a broad category of information that appears to be inspired both by state data breach statutes and the GDPR’s concept of “special categories of data.” Specifically, the CPRA defines sensitive personal information as information that reveals:
- social security, driver’s license, state ID, or passport numbers;
- account log-in, financial account, debit card, or credit card number in combination with any required security or access code, password, or credentials allowing access to an account;
- precise geolocation;
- racial or ethnic origin, religious or philosophical beliefs, or union membership;
- contents of a consumer’s mail, email and text messages, unless the business is the intended recipient of the communication;
- genetic data;
- biometric data processed for the purpose of uniquely identifying a consumer;
- personal information concerning a consumer’s health; or
- personal information concerning a consumer’s sex life or sexual orientation.
The CPRA requires certain disclosures about the use of sensitive personal information in the business’s privacy policy and in response to Right to Know access requests. Importantly, to the extent that the business uses sensitive personal information to infer characteristics about consumers, the CPRA requires the business to publish a "Limit the Use of My Sensitive Personal Information" link on its online services. If a consumer exercises this right, the business must limit its use of sensitive personal information to that which is necessary to perform the services or provide the goods reasonably expected by an average consumer, and certain additional business purposes specified in the statute and forthcoming regulations (e.g., for product improvement and security purposes).
In practice, the first step is to identify all sensitive personal information the business collects. The second step is to evaluate how that information is used and whether those uses are subject to the new opt-out right. If they are, the business should plan to post the “Limit the Use of My Sensitive Personal Information” link and put in place internal processes to implement these limitation requests. Another option would be to proactively stop such uses of sensitive information to avoid introducing a complex new limitation process.
Update public-facing notices and opt-out links
Existing CCPA-compliant privacy notices will need updates to comply with the CPRA’s new transparency requirements, including mandatory disclosures about the new consumer rights the CPRA introduces and about retention practices. In addition, businesses that “share” personal information, or that use sensitive personal information in a manner that triggers the new limitation right described above, must describe those practices in their notices. As described above, these businesses will also be required to add the “Sharing” opt-out link and/or the sensitive personal information “Limitation” link to their homepages and mobile applications, and to update the effect of clicking on existing “Do Not Sell My Personal Information” links as needed.
Review and update agreements with third parties, service providers, and contractors
Several changes introduced by the CPRA will impact a business's contracts involving transfers of personal information. Significantly, the CPRA now requires all sales, sharing, and disclosures of personal information for a business purpose to be made pursuant to a contract. This includes sales to or sharing with business partners, affiliates that do not share common branding, and other third-party recipients. It also includes disclosures made to service providers and a new category of recipients called “contractors,” which are similar to service providers but may use personal information for their own business purposes in certain circumstances, subject to strict limitations on subsequent use and disclosure of the information. Finally, even disclosures of deidentified information to any recipient will require a contract setting out clear restrictions on attempts at reidentification.
Notably, the CPRA also includes a different, more restrictive definition of "service provider" and a slightly broader exception to "sales" and "sharing" where disclosures are made at the consumer’s direction.
We will provide additional analysis of these definitional changes and specific contracting requirements in a future blog post as part of our CPRA series.
To comply with these new CPRA provisions, businesses will need to (1) develop the necessary contracting materials (e.g., template agreements, service provider and contractor addenda, checklists, etc.) in preparation for a contracting exercise; (2) assess all transfers of personal information to identify which provisions are required for which recipients; and (3) begin the process of updating and negotiating the required agreements.
Update individual rights procedures and response materials
The CPRA introduces several new consumer rights that may require operational changes, including the right of correction, the right to limit the use of sensitive personal information, and the right to opt out of sharing. Additionally, there are changes to the existing access right: "requests to know" the categories of personal information collected about a consumer must include disclosures about sensitive personal information and any sharing; and "requests to know" specific pieces of personal information are subject to new exceptions, such as where information relates to another individual or where information is generated for security or data integrity purposes. The CPRA also adds obligations to flow down certain rights requests, including notifying service providers, contractors, and third parties of deletion requests.
Businesses will need to implement any technical or operational changes necessary to fulfill the new CPRA rights, update their individual rights response policies and procedures, and update response materials accordingly (e.g., template “right to know” categories of personal information responses).
Review internal practices relating to collection and retention of personal information
In a notable departure from traditional US consumer privacy laws, the CPRA introduces new GDPR-style data minimization and data retention requirements, which may have operational impacts on businesses. Under the CPRA, the collection, use, retention, and sharing of personal information must be reasonably necessary and proportionate to achieve the purposes of collection. Thus, businesses must not collect more personal information than is necessary, and they must not retain personal information for longer than reasonably necessary for disclosed purposes.
In practice, businesses should incorporate these requirements into existing privacy by design and data retention policies and procedures or, if necessary, develop new policies and procedures to accommodate these requirements. For businesses that have not previously undertaken a GDPR-compliance exercise, this may require significant operational or cultural changes with respect to information collection, storage, deidentification or pseudonymization, and deletion practices.
Assess the role and manner of consent in personal information processing activities
The CPRA adds a definition of "consent" aligned with the GDPR’s definition, defined as “any freely given, specific, informed and unambiguous indication of the consumer’s wishes.” The CPRA also makes it clear that “acceptance of a general or broad terms of use or similar document that contains descriptions of personal information processing along with other, unrelated information, does not constitute consent.” A business also cannot obtain consent through the use of a so-called "dark pattern," a user interface designed to impair choice (which will be further defined by regulation), nor through “hovering over, muting, pausing, or closing a given piece of content.”
Consent is relevant to various operations involving personal information, for example consumer financial incentive programs and overriding online consumer opt-out preference signals. Where intending to rely on consent for various consumer interactions implicating the CPRA, businesses will need to conform their approaches to consent and user interfaces with these requirements.
Identify whether other new exceptions apply to the business
In addition to the new exceptions to the definition of “personal information,” the CPRA adds certain new partial exemptions to the law that were not included in the CCPA. These include certain exemptions for household data, certain information handled by commercial credit reporting agencies, and educational and test records. Businesses should carefully review the new exemptions to determine the extent to which they may apply. Businesses should also plan for the expiration of the current so-called “business-to-business” and “HR” exceptions on January 1, 2023, after which the full array of CPRA requirements will apply to these categories of personal information, which are now largely outside the scope of the CCPA.
Monitor future developments and engage with the rulemaking process
Like the CCPA, the CPRA sets in motion a new rulemaking process to develop additional regulations, which must be finalized by July 1, 2022. While the regulations may offer clarity to certain aspects of the law, they will almost certainly create additional compliance requirements. In particular, the CPRA requires the development of regulations around the following topics, among many others:
- the new individual rights, including the right of correction, the right to opt out of sharing, and the right to limit the use of sensitive personal information;
- requirements and technical specifications for a global opt-out / preference signal that can be used to indicate a consumer’s intent to opt out of sales or sharing;
- audit and risk assessment requirements for processing involving “significant risk,” an undefined term; and
- a new opt-out right relating to the use of automated decision-making technology, including “profiling.”
The statute provides minimal context or detail around these forthcoming requirements, but “broad public participation” must be solicited before regulations are adopted, so businesses will likely have an opportunity to submit comments or participate in workshops in the coming months.
Beginning in December, Hogan Lovells will publish a series of blog posts taking a deeper dive into specific aspects of the CPRA, so stay tuned.
Our previously published summary of the CPRA’s key provisions is available on this blog, as is the additional context we provided in June 2020 when the CPRA was certified to appear on this year’s ballot.
Authored by: Bret Cohen, Tim Tobin, Aaron Lariviere.