The California Consumer Privacy Act (CCPA) is a state law intended to enhance Californians’ right to privacy and level of consumer protection.
The Act intends are to provide California residents with the right to:
- Know about the personal data being collected.
- Know whether their personal data is sold or disclosed and to whom.
- Refuse the sale of personal data.
- Access their personal data.
- Request a business to delete any personal information about a consumer collected from that consumer.
- Not be discriminated against for exercising their privacy rights.
Non-compliance with the statute can result in fines and sanctions against businesses.
Californians approved Proposition 24 on November 3, 2020, which amends and broadens the CCPA, which went into effect on January 1, 2020. With effect from January 1, 2023, the CCPA will be replaced by the new California Privacy Rights Act (CPRA). The CCPA is still in force till then.
The CPRA first modifies the requirements for enterprises to be covered by the new law. A covered business must have one of the following characteristics to qualify under the CPRA:
- At least half of the company’s annual revenue comes from exchanging or selling the personal data of customers. This is a change because this threshold now takes into account the “sharing” of personal information. This broadens the range of businesses that fall under the CPRA’s purview and has an impact on ad tech companies in particular.
- Gross sales for the company exceed $25 million. This provision was the same under the CCPA.
- Over 100,000 Californian households and customers’ personal information are purchased, sold, or shared by the company. As a result of this clause, the threshold under the CPRA rises from 50,000 under the CCPA to 100,000. Because of the higher barrier, more small businesses will fall outside the CPRA’s purview.
- Extending the Scope of Private Rights of Action for Data Privacy Violations: The CPRA broadens consumers’ private right of action to sue businesses for illegal access to or publication of their personal information, including non-encrypted and non-redacted email addresses, passwords, and security questions that would allow access to accounts. Furthermore, the CPRA establishes triple damages for infractions involving minor consumers under the age of 16.
- Establishment of an Agency for Privacy Protection: The Attorney General’s office will no longer be responsible for enforcing the law owing to the creation of the California Privacy Protection Agency (CPPA) by the CPRA. On July 1, 2021, or six months after notifying the Attorney General that rulemaking is ready to start, whichever comes first, the new agency will assume the Attorney General’s rulemaking jurisdiction. An initial budget of $10 million has been allocated to the CPPA to support its enforcement and investigation efforts.
- Limitations on “Sharing” Personal Data: The CPRA broadens the CCPA’s restrictions on the “sharing” of personal information to cover “cross-context behavioural advertising,” regardless of whether it is done for payment or another kind of valuable reward. Thismodification, it is intended to further regulate the use of personal data for behavioural and targeted advertising.
- Creation of a Subcategory of “Sensitive Personal Information” for Personal Data: Sensitive personal information is a new category created under the CPRA that contains, among other things, details about one’s precise location, race, religion, sexual orientation, social security number, and specific health information. Additional restrictions on the use of sensitive personal data are made by the CPRA.
- Restrictions on Retention Period: The CPRA places restrictions on the gathering and storage of personal information, requiring businesses to keep only the data that is required and appropriate to fulfill the objectives for which it was gathered or processed. Additionally, the CPRA mandates that companies disclose to customers the length of time they intend to keep each category of personal information, including sensitive personal information, as well as the factors used to establish that time frame.
- Limitation on the 30-Day Cure Period: Businesses no longer have a 30-day window to correct purported violations under the CPRA before facing administrative enforcement. The CPPA will still have the option to grant businesses the chance to fix suspected infractions, but the lack of a guaranteed right to do so elevates early monitoring and compliance to a considerably higher priority for CPRA compliance due to the elimination of a right-to-cure. The CPRA also includes a cure period that, if followed, will stop statutory damages in private proceedings for violations.
- Extension of Employee and Business-to-Business Data Exemption: On January 1, 2021, the CCPA’s current exemptions for handling employee or business-to-business data were due to expire. The CCPA’s current partial exemptions for information pertaining to workers and job seekers of enterprises, as well as information gathered from customers in a “business to business” context, are immediately extended by CPRA until at least January 1, 2023.
- Limits on Automated Processing: The CPRA establishes new guidelines for opt-out rights related to “profiling” or “automated decision making technology,” which includes consumer/employee profiling connected to work performance, financial situation, health, location, and other characteristics. The CPPA is required to develop regulations addressing access and opt-out rights relating to profiling technology. The consumer also has a right to access “meaningful information about the logic involved in such decision-making processes, as well as a description of the likely outcome of the process with respect to the consumer.”
- Right to Correct Incorrect Data: Along with the already-existing rights of notice and deletion, the CPRA now includes the right to update consumer data.
- New Requirements and Obligations for Contractors, Third Parties, and Service Providers: Service providers, contractors, and third parties now have new contractual and direct obligations as a result of the CPRA. It mandates that companies that send personal information to third parties enter into an agreement that obligates the recipient to the same level of privacy protection as that offered by the CPRA, gives the company the right to take reasonable steps to stop unauthorised use, and asks the recipient to notify the business if it is unable to comply.
The CPRA requires companies to provide more information and implement safeguards, which strengthens customer privacy rights and protections.
With heavy fines and sanctions, businesses have to make sure that they follow the regulation’s requirements if the CPRA applies to them. This will include:
- Ensuring they are offering minors adequate protection.
- Meeting notification obligations.
- Limiting how they track their users.