California Prop 24 introduces new rights for consumers and new obligations for businesses. Will it pave the way for federal law? Will it lead to EU Adequacy Status?
On general election night, November 3rd, Californians approved Proposition 24 with a 56% majority to create new privacy legislation, Consumer Privacy Rights Act (CPRA). CPRA replaces and makes material changes to the CCPA.
These changes include introducing new consumer rights such as the Right to correction of data, new organizational requirements such as data retention limitations, and establishing a new enforcement agency to investigate and punish violations via the courts.
While most of the provisions of CPRA will not apply until the beginning of 2023, businesses must be aware of upcoming changes and review their privacy policies and business practices.
In this post, we will try to answer three questions:
What are the changes introduced by CPRA?
Will CPRA pave the way for new privacy laws both on the federal level?
Can CPRA secure an adequacy status by EU for California?
WHAT ARE THE CHANGES INTRODUCED BY CPRA?
Sensitive Personal Information
Whereas CCPA did not treat sensitive data as a separate category of data, CPRA defines 'sensitive data' broadly, even broader than GDPR. Government-issued identifiers, account log-in credentials, financial account information, precise geolocation, contents of certain types of messages, genetic data, racial or ethnic origin all fall under the sensitive data category.
CPRA grants new rights to consumers while imposing strict requirements on businesses handling sensitive information.
Right to opt-out
Firstly, consumers now have the Right to opt-out of the use and disclosure of their sensitive information if sensitive information is used or disclosed for the following purposes:
Performing services reasonably expected by the consumer.
Providing goods reasonably expected by the consumer.
Ensuring the security and integrity of the consumer's information.
Other short term and transient uses (e.g., serving one-time advertisements).
Performing services on behalf of a business.
Product or service improvement.
The collection of CVC code to process payment and authorize the shipment of goods can be an example of a use of sensitive information justified under CPRA where the consumer would not be entitled to opt-out.
Suppose a business uses or discloses sensitive information for any other purpose, such as in a sale to data brokers. In that case, it will have to insert a link on its homepage titled "Limit the Use of My Sensitive Personal Information."
While GDPR's sensitive data category is narrower than CPRA, it subjects data processing to consent. CPRA, however, does not require permission for the processing of sensitive data.
Enhanced Consumer Privacy Rights
Right to correct inaccurate personal information: Section 1798.106 allows consumers to ask for the correction of incorrect personal data. Businesses must execute those requests using all commercially reasonable efforts.
Right to opt-out of automated decision-making and Right to access information about Automated Decision-Making Technology:
The California Attorney General must issue regulations to govern the opt-out of and access to automated decision-making. Use of A. I technologies which have an opaque character can lead to impactful decisions on a consumer's life that is not understandable. While CCPA was silent on this problem, CPRA enhances the transparency of automated decision making by "..requiring businesses' response to access requests to include meaningful information about the logic involved in such decision‐ making processes, as well as a description of the likely outcome of the process concerning the consumer…"
Right to Private Action: Two remarkable changes are introduced with CPRA. Firstly, the consumer's Right to private action is expanded: In addition to breaches of non-encrypted and non-redacted information under CCPA, CPRA also includes unauthorized access to or disclosing to e-mail address, password, or security question.
Secondly, the thirty-day cure period for businesses to remedy violations is eliminated.
Regulation of Cross-Context Behavioural Advertising:
CPRA distinguishes two types of advertising: "cross-context behavioral advertising" and "non-personalized advertising."
Cross-context behavioral advertising is explicitly defined as: "the targeting of advertising to a consumer based on the consumer's personal information obtained from the consumer's activity across businesses, distinctly-branded websites, applications or services, other than the business, distinctly-branded website, application or service with which the consumer intentionally Interacts."
CPRA gives consumers the Right to opt-out of cross-based behavioral advertising, unlike its predecessor CCPA. However, non-personalized first-party ads are not subject to the Right to opt-out.
By clarifying the sharing of personal data for cross-context advertising is subject to CPRA, a vital loophole is closed. Some companies such as Spotify argued in the past that CCPA did not apply to them because they were not selling data in exchange for money, only sharing it when it comes to this advertising method.
New Enforcement Authority:
The California Attorney General's Office handled the enforcement of CCPA. For most CCPA violations, only the Attorney General can sue and fine businesses except for a few circumstances such as theft of unencrypted personal data in a data breach. However, AG previously announced that it only has the resources and capacity to bring only several cases per year.
Contrary to CCPA, CPRA specifies that there will be a separate new agency, California Privacy Protection Agency (CPPA). This new authority will have investigative and enforcement powers. A different agency with resources will ramp up enforcement action against non-compliant businesses.
The New Authority will also be able to provide guidelines on ambiguous parts of the law and bring the much-needed clarity on the scope and interpretation of the law.
Inclusion of Certain GDPR Principles:
Contrary to CCPA, CPRA incorporates the following GDPR principles and imposes more stringent organizational requirements on businesses.
Data minimization: Businesses subject to CPRA should only collect the personal data necessary to achieve specified purposes, and the collection and storage of data should be proportionate to the aim.
Storage Limitation: Businesses should not retain personal information longer than necessary to realize the purposes for processing this data. Furthermore, they must inform consumers about how long they will keep personal information.
Audits and Risk Assessments:
While the new law still does not incorporate privacy-by-design obligation, it foresees that data processing activities should be subject to independent cybersecurity audits if it creates high privacy risks.
This process enables businesses to weigh risks to consumers against business purposes and take appropriate measures.
WILL CPRA PAVE THE WAY FOR NEW PRIVACY LAWS ON FEDERAL LEVEL?
After entry of force of CCPA, multiple states such as Nevada have passed their privacy laws. Other states such as Washington and Illinois also published their draft privacy laws.
CPRA can encourage even more states and also federal legislators to move quickly and adopt new laws. California was the first state to approve a 'Data Breach Law' in 2002, and other states conformed and adopted similar laws.
Will all these efforts also pave the way for federal privacy law?
While the call for federal privacy legislation continues to grow, such law's successful passing remains bleak. There are currently multiple drafts available prepared by both parties, but there are considerable disagreements over issues such as a private course of action and pre-emption.
Regulating privacy on the federal level would guarantee that all businesses handle data responsibly and data subject rights are adequately exercised. Furthermore, federal regulation would remove any friction and divergence and provide unified privacy protection.
CAN CPRA SECURE AN ADEQUACY STATUS BY EU FOR CALIFORNIA?
In July, the European Court of Justice ruled that 'Privacy Shield' was invalid, so the US's free transfer of personal data is no longer lawful. The US is considered as not providing sufficient protection for personal data because of its surveillance practices. Therefore, businesses must rely on other more cumbersome procedures such as SCC contracts to transfer data.
Add to that that the majority of big tech companies are in Silicon Valley and negatively affected.
These factors make California's adequacy status even more critical.
Under article 45 of GDPR, the European Commission can give California' adequacy status'. CJEU explained in a previous decision that adequacy does not mean identical but refers to being "essentially equivalent" to the EU legal system.
CPRA has made it more likely for California by expanding consumer rights and imposing more stringent requirements on businesses. One of the significant shortcomings for adequacy was the lack of an independent authority to oversee compliance while CCPA was in force. CPRA remedies this shortcoming by establishing a new independent agency to investigate and enforce CPRA.
While CPRA will not enter into force until January 2023, businesses must be prepared for new requirements and stay up-to-date. CPRA can facilitate the adoption of federal privacy legislation and make it easier to receive 'Adequacy Status' from the EU. While there are legal issues to look at, the operational impacts require further analysis in order to get ready. Prodago will be mapping CPRA to our data management operating practices in Q1 and will be ready to assist anyone looking to be ready. This should be part of a solid Data Governance Program.