On November 3, 2020, Californians voted to pass Proposition 24, expanding and modifying the California Consumer Privacy Act (“CCPA”), which came into force on January 1, 2020. The new California Privacy Rights Act (“CPRA”) supersedes the CCPA and will be fully operative on January 1, 2023 (with a look-back period starting January 1, 2022). Until that time, the CCPA as written and amended generally remains in effect.  As we learned during the lead up to the CCPA, the time period to prepare for this type of comprehensive and complex legislation passes quickly, and businesses should begin their CPRA preparations sooner rather than later.  In this installment of the CPRA Digest, we discuss the expanded and new consumer rights under the CPRA, and the implications for organizations anticipating the CPRA.

Expanded Consumer Rights

The CPRA expands the following existing consumer rights:

  • In addition to having the right to request the categories of personal information about a consumer that a business sells, a consumer now also has to the right to know when their personal information is “shared” with a third party, and when information is otherwise disclosed for  a business purposes, including disclosures to a service provider.1

Under the CPRA, the concept of “sharing” personal information is novel and significant because it is aimed directly at cookies and similar technologies used for online advertising. “Sharing” is defined as renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means, a consumer’s personal Information by the business to a third party for cross-context behavioral advertising.2 In other words, when personal information is “shared” with a third party for cross-context behavioral advertising,3 whether or not for monetary or other valuable consideration, the consumer has the right to know.

  • In addition to opting out of the sale of information, a consumer will now also have the right to opt-out of the “sharing” of their personal information with third parties.4 As such, if a business is “sharing” the consumer’s personal information with a third party for cross-context behavioral advertising, the consumer has the right to opt-out of such sharing.  Note that there has been significant debate under the current language of the CCPA regarding whether cross-contextual behavioral advertising already constitutes a “sale” under the CCPA, and no specific market practice has yet to emerge on this issue.  Therefore, the impact of this provision is really to confirm that organizations that utilize cookies and similar technologies in this manner will need to provide an express right of opt-out.
  • The right to deletion has been expanded under the CPRA to require businesses to notify service providers, contractors, as well as third parties that the business sold or “shared” the personal information with that they must also delete the personal information, barring some limited exceptions, including when the effort provides impossible or involves disproportionate effort.5  Compliance with the application of the expanded deletion obligation will likely prove difficult in practice with regard to third parties to which personal information has been “sold” and/or “shared”, such that many organizations may attempt to argue that doing so is impossible or involves disproportionate effort.
  • Under the CCPA, a business is required to provide, upon request, a consumer with such consumer’s personal information in a readily useable format that would allow the consumer to transmit the information to another entity. Under the CPRA, the expanded right to data portability dictates that the business must also transfer that information directly to another entity at the consumer’s request.6
  • In addition to obtaining an affirmative authorization before selling the personal information of a minor under 13 years of age, a business must also obtain this authorization before “sharing” their personal information with a third party in the event of cross-context behavioral advertising.7

New Consumer Rights

In addition to the expansion of current rights as discussed above, the CPRA introduces the following new consumer rights for residents of California:

  • Right to correct8– A business will be required to use commercially reasonable efforts to correct inaccurate personal information about a consumer upon receiving a verified request from the consumer.
  • Right to limit sensitive personal information9– A consumer has the right to direct a business that collects sensitive personal information about that consumer to limit its use of the consumer’s sensitive personal information to that use which is necessary to perform the services or provide the goods reasonably expected by an average consumer who requests such goods or services.

Note that the concept of “sensitive personal information” is also new to the CPRA, and includes various data elements including social security or driver’s license number, account information or credit/debit card number when in combination with required security or access code, geolocation, racial or ethnic origin, religion, union membership, contents of a consumer’s mail, email or text messages and a consumer’s genetic data.

Proposed Regulations

In addition to the new and expanded rights identified above, the implementing regulations (to be issued by July 1, 2022)10 will likely implement the following additional rights:

  • The consumer will have the right to access information regarding the businesses’ use of automated decision-making technology, including profiling.11 This will include providing the consumer additional information behind the logic involved in the decision making process, as well as a description of the likely outcome of the process with respect to the consumer.
  • The consumer will also have the right to opt-out of automated decision-making.

How These Changes will Impact Your Business

Although the forthcoming proposed regulations should help clarify and further define the scope of many of the requirements outlined in the CPRA, organizations should not wait to start their preparation efforts, particularly considering the delayed release (and ongoing updates to) of the CCPA regulations.

In addition to working towards the operational and technical changes, such as the inclusion of required links on the website homepage and creation of relevant forms, businesses should consider the following steps in the CPRA preparation process:

  • Conduct internal diligence to map data collection practices in light of these changes. This will include identifying the collection and sharing of information that falls into the category of “sensitive personal information” and determining which data elements in that category would be considered “necessary to perform the services or provide the goods reasonably expected by an average consumer who requests such goods or services.” It would also require a complete understanding of the manner that cookies and similar technologies are utilized on company websites to determine how to address the new “sharing” obligations.
  • Review and update their privacy notices to reflect the updated rights afforded to California consumers and related disclosure obligations.
  • Review downstream data sharing practices with service providers to confirm that they are required and capable of addressing these new obligations on the organization’s behalf. Also consider how third parties with which personal information is shared and/or to which personal information is sold can be notified of deletion requests.
  • Implement technical measures to ensure updates to website homepage and internal policies are functioning properly.

While this additional preparation is daunting, organizations that start now can work to build on their existing efforts and develop an internal strategy that can be rolled out a manageable pace across the coming months.

Be sure to follow our CCPA Digest as we continue to examine other key aspects of the CPRA and steps that companies can undertake to begin addressing them. Our prior alerts are available here.

1. Cal. Civ. Code Section 1798.115

2. Cal. Civ. Code Section 1798.140(ah)

3. Cal. Civ. Code Section 1798.140(k). “Cross-context behavioral advertising” means the targeting of advertising to a consumer based on the consumer’s personal information obtained from the consumer’s activity across businesses, distinctly-branded websites, applications, or services, other than the business, distinctly-branded website, application, or service with which the consumer intentionally interacts.

4. Cal. Civ. Code Section 1798.120

5. Cal. Civ. Code Section 1798.105(c)

6. Cal. Civ. Code Section 1798.190(a)(3)(B)(iii)

7. Cal. Civ. Code Section 1798.120(c)

8. Cal. Civ. Code Section 1798.106

9. Cal. Civ. Code Section 1798.121

10. Cal. Civ. Code Section 1798.185(a)(22)(d)

11. Cal. Civ. Code Section 1798.185(a)(16)