America’s first dedicated consumer privacy watchdog is beginning to take shape, aiming to replace the “two strikes you’re out” framework with a “speeding ticket” one.
The new enforcement model brings a risk of higher administrative fines and less chance to escape liability, but businesses receive guidance and still have time to become compliant.
The ink on the California Consumer Privacy Act (CCPA) had not yet dried when in November 2020, four months after the first U.S. state privacy law came into force, Californians voted to upgrade it by introducing stricter data protection provisions.
The California Privacy Rights Act 2020 (CPRA) imposes new requirements on businesses, bringing the level of Californians’ data protection on par with the EU’s General Data Protection Regulation (GDPR).
The CPRA clarifies certain grey areas of the CCPA, grants California residents a new right to correct inaccurate personal information, and, crucially, creates a new agency with significant funding and powers to impose administrative fines.
The California Privacy Protection Agency is expected to become a key U.S. privacy agency with the explicit mandate to “vigorously enforce the law against businesses that violate consumers’ privacy rights,” the CPRA says.
The agency's annual budget of $10m is enshrined in the CPRA, which also encourages cooperation with other privacy protection agencies “in California, other states, territories, and countries to ensure consistent application of privacy protections.”
The latter provision will allow the new agency to engage with the Federal Trade Commission (FTC) or the European Data Protection Board on broader actions and grow to become a key U.S. privacy enforcer.
Under the current act, the CCPA, the state attorney general (AG) has the exclusive power to enforce the law, and consumers can sue businesses in case of data security breaches under the private right of action. In both cases, businesses have a 30-day period to remedy the alleged violation and avoid administrative or civil actions.
Since the start of CCPA enforcement in July 2020, the AG has sent out “notice to cure letters in the double digits” and they are “broadly seeing compliance in response to our notices to cure,” the office told VIXIO.
The new law will significantly extend the number of agencies that have the authority to enforce the law when it comes into force in January 2023.
The state AG, as well as district attorneys in 58 counties and city attorneys in the four largest cities of California, will have the power to enforce the law alongside the new agency.
The CPRA also removes the 30-day right to remedy in case of administrative actions, which means any business found in violation of the act may face administrative penalties.
Fines imposed by the privacy agency can reach $2,500 for each violation and $7,500 for each intentional violation and each violation involving minors.
The new law also amends the provisions relating to consumer lawsuits over data breach incidents, which are the ground for the vast majority of data lawsuits.
Although the 30-day remedy period remains, allowing businesses a chance to escape civil liability, the CPRA clarifies that “the implementation and maintenance of reasonable security procedures … following a breach does not constitute a cure with respect to that breach.”
According to an October 2020 report from the International Association of Privacy Professionals, at least 23 ongoing lawsuits were filed under the CCPA last year.
These included the Hanna Andersson class action lawsuit concerning a data breach incident that led to the theft of credit card details of over 200,000 consumers who made online purchases from the retailer in 2019, resulting in a settlement worth $400,000.
Although it is nearly another two years before the CPRA comes into force, initial appointments to the privacy agency’s board are scheduled to be announced by March 16 this year.
The California Privacy Rights Act will become effective in January 2023, whereas civil and administrative enforcement of the new provisions will start in July 2023.
Preparing For The California Privacy Rights Act
The CPRA establishes a new category of sensitive personal information, imposing a set of new obligations on businesses as well as the need for them to update their privacy notices.
Similar to the GDPR, information related to race, religious beliefs, sexual orientation and precise geolocation will be considered sensitive personal information. However, California’s new law goes further to include information related to communications, ID cards and personal financial data in the sensitive data category.
It gives consumers the right to limit the use and disclosure of their sensitive information to a purpose-based use and to a use that is “reasonably expected by an average consumer.”
The sponsor organization of the CPRA explains that a consumer may not reasonably expect a weather app to know their exact geolocation, or an e-commerce firm to collect information about their race, in order to deliver a product.
The limitation does not apply to information that is “collected or processed without the purpose of inferring characteristics about a consumer.”
In order to prepare for the new category of sensitive data, businesses may start mapping their data sets and identifying which pieces of information would fall into the new category.
The law also requires businesses to update their “Do Not Sell My Personal Information” button.
Consumers should have the choice between “Global opt-out from sale and sharing of personal information,” “Limit the Use of My Sensitive Personal Information,” and “Do Not Sell/Do Not Share My Personal Information for Cross-Context Behavioral Advertising.”
The CPRA also clarifies what constitutes a sale. The current law defines a sale as making personal information available to a third party for monetary or other valuable consideration.
There have been many discussions about whether ad tech uses are considered a sale under the CCPA description of “other valuable consideration.”
The CPRA clarifies that the law applies to businesses that “share” a consumer’s personal information with a third party for cross-context behavioral advertising.
In addition to the introduction of sensitive information, the CPRA introduces GDPR-like “general duties.”
Businesses that collect personal information will be allowed to collect information only for a specific, explicit and legitimate purpose, and store personal data only as long as it is “reasonably necessary and proportionate” to the purpose for which it was collected.
It also requires businesses to inform consumers about how long they intend to retain each category of personal information, including sensitive personal information.
As one of the most significant additions to the existing consumer rights, the CPRA will allow consumers to request correction of inaccurate personal information. Businesses will have to make “commercially reasonable efforts” to comply with such requests.
The new law does not specify how often or under which circumstances a consumer may request a correction or how businesses can prevent fraud related to such requests.
Once operative, the CPRA will allow consumers to access all information a business collected about them after January 1, 2022.
Finally, the CPRA introduces a new “contractor” category, in addition to the current category of a service provider. A service provider “processes personal information on behalf of a business and…receives from or on behalf of the business a consumer’s personal information for a business purpose,” whereas a contractor is “a person to whom the business makes available a consumer’s personal information for a business purpose.”
A contractor must not sell or share the personal information and may use the information solely for the purpose set out in a written contract. One of the main changes sees the law creating a chain of custody, by requiring any other person who assists the contractor to comply with the same obligations and offer the same level of protection.
Compliance with this provision may require businesses to revise existing contracts to make sure they include all necessary elements prescribed by the new law. Further clarifications on the contracts are expected to be made in the new agency’s regulations.
The new privacy agency has until July 2022 to make regulations addressing these and other questions and set standards for exceptions for requests to which a response would involve “disproportionate effort.”
Anticipated strong enforcement, alongside new laws coming into force in other states, such as Virginia, makes non-compliance an unviable option for businesses.