OVERVIEW
In 2018, the State of California passed a sweeping consumer privacy protection law called the California Consumer Privacy Act of 2018 (“CCPA”). Then, in November of 2020, voters in California passed Proposition 24—the California Privacy Rights Act (“CPRA”), which simply amended (and added to) the scope of the CCPA, making it the country’s most stringent consumer data privacy law. For your purposes, you can consider the CCPA and the CPRA as referring to the same thing (i.e., the CPRA really just amended the CCPA).
The CPRA went into effect last month, and because the CPRA is likely to have a significant impact on how many businesses operate in California—they will need to comply with new requirements and provide enhanced privacy protections for California consumers—it might be worth taking a few minutes to broadly familiarize yourself with its provisions, especially as they relate to your rights as a consumer.
As you read this article, keep in mind that the CCPA/CPRA is a monumentally complex set of laws that would take thousands of words to adequately explain. This article, therefore, is aimed only at providing you with a very broad overview of certain key points of the law, as well as how it might affect many large businesses doing business in California.
WHAT IS THE CCPA/CPRA?
In General
When the CCPA (Civ. Code, §§ 1798.100 to 1798.199.100) went into effect in 2018, it instituted sweeping protections for consumers’ personal information while at the same time imposing a variety of data protection-related duties on companies that do business in California. The CPRA, which went into effect last month, established additional rights for California residents (and expanded on others) related to the collection, use, and sharing of their personal information by businesses subject to its provisions (more on that below).
Generally speaking, the CCPA/CPRA provides consumers with a variety of new rights, including the right to access, delete, and correct personal information. It also gives consumers the right to opt out of the sale or sharing of their personal information and imposes additional obligations on businesses that sell or share personal information. The CCPA/CPRA also includes additional rights for consumers to limit the use of their personal information for advertising and marketing purposes.
The CPRA actually established a new state agency tasked solely with implementation and enforcement of the CCPA/CPRA called the California Privacy Protection Agency (“CPPA”). Although it took effect on January 1, 2023, the CPPA didn’t actually publish regulations implementing the CPRA until last week (February 14, 2023), when it submitted its initial draft set of regulations to the Office of Administrative Law—which has until March 29, 2023 to approve or reject them. If approved, they’ll be sent to the Secretary of State for official implementation on July 1, 2023.
Since compliance is still required despite the lack of formal regulations, many businesses have elected to start complying with the draft regulations submitted last week.
Who Does the CCPA/CPRA Apply To?
The CCPA/CPRA applies to for-profit companies conducting business in California who collect and control the processing of consumers’ information and who meet any of the following conditions:
- Have an annual gross revenue of more than $25 million. (Civ. Code, § 1798.140(d)(1)(A).)
- Annually buy, sell, or share personal information of at least 100,000 consumers or households. (Civ. Code, § 1798.140(d)(1)(B).)
- Derive 50% or more of their annual revenues from selling or sharing consumers’ personal information. (Civ. Code, § 1798.140(d)(1)(C).)
Notably, the CCPA/CPRA does not apply to various types of business (or information), including: (a) non-profit or governmental entities (Civ. Code, § 1798.140); (b) most medical information, including information that is part of a clinical trial or research study (Civ. Code, § 1798.145(c)(1)(A), (B), and (C)); or (c) any use by or connection with consumer credit reporting agencies (subject to certain exceptions found in other laws) (Civ. Code, § 1798.145(d) and (e)).
What Does the CCPA/CPRA Consider to be “Personal Information”?
The CCPA/CPRA defines “personal information” as “information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.” (Civ. Code, § 1798.140(v)(1).) With the exception of personal information obtainable from publicly available sources (lawfully offered from federal, state, or local government records) (Civ. Code, §§ 1798.140(v)(2); 1798.80), or which have been “deidentified” or aggregated with the information of several people, “personal information” means a consumer’s:
- Name, street address, IP address, email address, account name, social security number, driver’s license number, passport number, etc. (Civ. Code, § 1798.140(v)(1)(A).)
- “[A]ny information that identifies, relates to, describes, or is capable of being associated with, a particular individual, including, but not limited to, his or her name, signature, social security number, physical characteristics or description, address, telephone number, passport number, driver’s license or state identification card number, insurance policy number, education, employment, employment history, bank account number, credit card number, debit card number, or any other financial information, medical information, or health insurance information.” (Civ. Code, §§ 1798.140(v)(1)(B) and 1798.80.)
- “Characteristics of protected classifications under California or federal law.” (Civ. Code, § 1798.140(v)(1)(C).)
- “Commercial information, including records of personal property, products or services purchased, obtained, or considered, or other purchasing or consuming histories or tendencies.” (Civ. Code, § 1798.140(v)(1)(D).)
- Biometric information (e.g., unique physical characteristics such as fingerprints, DNA, and retinal scans). (Civ. Code, § 1798.140(v)(1)(E).)
- Internet-related information such as a person’s browsing and search history, or a consumer’s interactions “with an internet website application, or advertisement.” (Civ. Code, § 1798.140(v)(1)(F).)
- Geolocation data (e.g., location tracking). (Civ. Code, § 1798.140(v)(1)(G).)
- “Audio, electronic, visual, thermal, olfactory, or similar information.” (Civ. Code, § 1798.140(v)(1)(H).)
- Professional and employment-related information. (Civ. Code, § 1798.140(v)(1)(I).)
- Not publicly available information about a consumer’s education (e.g., education records, such as grades, disciplinary status, etc.). (Civ. Code, § 1798.140(v)(1)(J).)
- “Inferences drawn from any of the information identified in this subdivision to create a profile about a consumer reflecting the consumer’s preferences, characteristics, psychological trends, predispositions, behavior, attitudes, intelligence, abilities, and aptitudes.” (Civ. Code, § 1798.140(v)(1)(K).)
- “Sensitive personal information.” (Civ. Code, § 1798.140(v)(1)(L).) Sensitive personal information is defined to include personal information that reveals (Civ. Code, § 1798.140(ae)(1)(A)):
  - A consumer’s social security, driver’s license, identification, or passport number. (Civ. Code, § 1798.140(ae)(1)(A).)
  - A consumer’s account log-in, financial account, debit/credit card numbers “in combination with any required security or access code, password, or credentials allowing access to an account.” (Civ. Code, § 1798.140(ae)(1)(B).)
  - A consumer’s precise geolocation. (Civ. Code, § 1798.140(ae)(1)(C).)
  - A consumer’s racial or ethnic origin, religious beliefs, or union membership. (Civ. Code, § 1798.140(ae)(1)(D).)
  - The contents of a consumer’s mail, email, or text messages (except where the business is the intended recipient of the communication). (Civ. Code, § 1798.140(ae)(1)(E).)
  - A consumer’s genetic information. (Civ. Code, § 1798.140(ae)(1)(F).)
  - For the purpose of uniquely identifying a consumer, the processing of a consumer’s biometric information (Civ. Code, § 1798.140(ae)(2)(A)), personal information about the consumer’s health (Civ. Code, § 1798.140(ae)(2)(A)(B)), sex life (Civ. Code, § 1798.140(ae)(2)(B)), or sexual orientation (Civ. Code, § 1798.140(ae)(2)(C)).
What Rights Does the CCPA/CPRA Grant to Consumers?
The CCPA/CPRA grants consumers powerful rights regarding their personal information, including the right to:
- Subject to various exceptions, delete their personal information. (Civ. Code, § 1798.105.)
- Correct inaccurate personal information. (Civ. Code, § 1798.106.)
- Access their personal information—i.e., the right to know what personal information a business has collected, sold, or shared, and why. (Civ. Code, §§ 1798.110 and 1798.115.)
- Opt-Out—i.e., consumers 16 years or older may demand that a business not sell or share their personal information. (Civ. Code, § 1798.120.)
- Instruct a business to limit use or disclosure of sensitive personal information for specific purposes. (Civ. Code, § 1798.121.)
- Prohibit businesses from retaliating against a consumer for exercising their rights by denying goods or services, charging different prices, etc. (Civ. Code, § 1798.125.)
- Data portability—i.e., the right to receive the data in a readily usable format that will allow a consumer to transmit their personal information to another entity. (Civ. Code, § 1798.130(a)(2)(A) and (3)(A).)
WHAT ARE SOME WAYS THAT THE CCPA/CPRA MIGHT CHANGE HOW BUSINESS IS DONE IN CALIFORNIA?
While it is impossible to tell precisely how such sweeping legislation will ultimately affect businesses in California, we can be fairly certain that the CCPA/CPRA will change how certain companies in California do business in a few key ways, including the following:
- Increased Transparency and Accountability. The CCPA/CPRA requires businesses to be transparent about their data collection and sharing practices and accountable for protecting consumer data.
- Enhanced Consumer Rights. The CCPA/CPRA grants California consumers relatively new rights, such as the right to limit the use of their personal information, the right to request the deletion of their personal information, and the right to opt out of the sale of their personal information.
- Stricter Data Protection Standards. The CCPA/CPRA establishes stricter data protection standards for businesses, such as requirements for data minimization, as well as purpose and storage limitations.
- Increased Compliance Costs. Businesses will need to invest in compliance measures to meet the requirements of the CCPA/CPRA, including updating their privacy policies, implementing new data protection measures, and providing training for employees.
CONCLUDING THOUGHT
The CCPA/CPRA’s sweeping protections for consumers regarding the collection and use of their personal data are expected to have significant implications for certain large businesses operating in California, as well as other states (many of which have already followed California’s lead in passing their own consumer data privacy laws). Whether or not it lives up to its intent of actually protecting consumers remains to be seen.