This article provides a brief overview of the California Consumer Privacy Act of 2018 (“CCPA”) and the California Privacy Rights Act of 2020 (“CPRA”), a statute amending and expanding the CCPA.
In response to concerns about the collection and use of personal information by companies regarding consumers, California’s legislative body has created voter-approved compliance guidelines to provide consumers with rights and protections regarding their personal information. The CCPA is one of the most far-reaching data protection laws in the United States.
The CCPA defines personal information as information that, directly or indirectly, identifies, relates to, or describes a particular consumer or household, or is reasonably capable of being associated with, or could reasonably be linked to, a particular consumer or household.
Under the CCPA, consumers have the right to know a wide range of information about a business’s personal information practices, including what categories of personal information a business collects, sells, or discloses; the categories of third parties purchasing or receiving their data; and how to exercise their CCPA rights to see, delete, and restrict the sale of the personal information that companies collect about them.
Consumers have the right to: (1) submit opt-out requests at any time and direct businesses that share and sell consumer data to stop the sale; (2) request deletion of the personal information collected about them; (3) receive notice before a business collects personal information; (4) request that a business disclose the categories of personal data it collected, the sources of that data, the commercial purpose for collecting it, and the categories of third parties with which it will share consumer data; and (5) be free from discrimination by a business for exercising these rights.
Businesses must provide a notice at collection whenever and wherever they collect personal information. The notice should include a link to the business’s privacy policy or, in the case of offline notices, state where the privacy policy can be found online. Even in offline situations, a business must provide this notice before or at the point of collection of personal information, disclosing what categories of personal information the business collects and the purposes for which it intends to use them, among other requirements. For offline collection, a business may add the notice to the printed forms that collect personal information, provide a separate paper notice, or post prominent signage that includes an online link to the notice. For oral collection, such as telephone or in-person conversations, the notice may be provided orally.
Businesses must also respond to a consumer’s verified request to send them information regarding specific pieces of personal information collected about the consumer, including: (1) the personal information categories collected about the consumer; (2) the source categories from which the business collected the personal information; (3) the personal information categories sold, if any, and the categories of third parties purchasing that personal information; (4) the personal information categories disclosed for a business purpose, if any, and the categories of third parties receiving that personal information; and (5) the business or commercial purpose for collecting or selling personal information.
The scope of a business’s response to a consumer request is limited to the preceding 12-month period, and a consumer may make a maximum of two requests in any 12-month period.
The CPRA is the latest addition to the data privacy laws and it expands consumer rights provided under the CCPA. The CPRA will become operative on January 1, 2023.
The CPRA expands consumer rights by: (1) expanding the right to know by removing the 12-month lookback period for access requests and giving consumers the right to make requests that extend beyond the 12 months preceding the request; (2) modifying the right to delete; (3) allowing consumers to request that a business correct any inaccurate personal information it maintains about that consumer; (4) giving consumers the right to opt out of sharing, which prevents businesses from sharing their personal information, where sharing is defined as disclosing personal information to third parties for cross-context behavioral advertising purposes; and (5) allowing consumers to ask a business to restrict its use and disclosure of their sensitive personal information.
The CPRA requires additional disclosures to consumers that will impact both a business's notice at collection and privacy policy. Privacy disclosures will need to describe: (1) the retention period or retention criteria for each category of personal information collected; (2) details regarding the processing of sensitive personal information; (3) the new correction right; (4) whether personal information is sold or shared.
Businesses must also publicly commit not to reidentify deidentified personal information. Other important changes include: (1) expanding the circumstances in which businesses must minimize their activities involving personal information, such as requiring businesses to collect, use, retain, and share personal information only as “reasonably necessary and proportionate” to its intended purposes; (2) imposing more direct obligations on service providers, including specific requirements to cooperate with businesses in responding to consumers’ access, correction, and deletion requests; (3) requiring businesses to implement commercially reasonable security procedures and practices, appropriate to the nature of the personal information they handle, to protect it from unauthorized or illegal access, destruction, use, modification, or disclosure; and (4) requiring businesses to perform annual, independent cybersecurity audits and to submit an annual privacy risk assessment to the newly created California Privacy Protection Agency.
The CPRA also creates a new state government agency with full administrative power, authority, and jurisdiction to implement and enforce the CPRA, called the California Privacy Protection Agency. The Agency, along with the California Attorney General, is authorized to investigate potential CPRA violations and bring CPRA-related enforcement actions. The Agency will also take over the California Attorney General's current role of issuing regulations under the CPRA and CCPA.