Most entrepreneurs from Latin America dream of taking their companies to Silicon Valley in California. They don’t dream of having to comply with the California Privacy Rights Act.
While the world waited to see who won the 2020 election in the United States, few commentators noticed that voters in California approved a ballot measure creating the California Privacy Rights Act (CPRA). The CPRA amends and expands the existing California Consumer Privacy Act (CCPA), California’s privacy legislation that, in addition to being relatively new itself, is already very comprehensive regarding the responsibilities of companies collecting consumer data.
Although most substantive provisions of the CPRA will not become effective until January 1, 2023, certain rules regarding disclosures to consumers (“Right to Know” disclosures) apply to information collected in the year prior to that date. Additionally, as many businesses have discovered in striving to comply with existing data regulations such as the CCPA or the European Union’s General Data Protection Regulation (GDPR), compliance regarding data privacy involves significant time and effort to organize and implement.
As such, companies doing business in California, one of the gateways to global trade, particularly with Latin America, must begin the process of addressing the CPRA now. This article is intended as a high-level summary advising of some key changes facing businesses operating in California, whether located therein or serving consumers or businesses based in California.
The CPRA will modify the CCPA to cover businesses that buy, sell or share the personal information of at least 100,000 consumers or households (doubling the existing threshold of 50,000 consumers or households), which narrows its applicability for smaller businesses. However, covered entities will be expanded to include businesses that derive 50 percent or more of their annual revenue from either selling or “sharing” personal information, where “sharing” is a new defined term covering the disclosure of personal information to a third party for cross-context behavioral advertising, whether or not money changes hands. This significantly increases the reach of regulators over advertising-driven businesses.
Building upon the CCPA’s restrictions regarding the collection, use and disclosure of “personal information” that identifies or is reasonably capable of being linked to a consumer, the CPRA creates a new category of “sensitive personal information” that includes information such as Social Security, driver’s license or passport numbers, financial account access information, precise geolocation, racial, ethnic or religious information, and genetic data. Businesses collecting this information will need to notify consumers that they do so, and consumers will have the right to limit such information being disclosed or used in certain manners.
“Proportional” Usage and Data Minimization
Collection, use, retention and disclosure of covered consumer data will now need to meet a “proportionality test” showing that its collection and retention is reasonably necessary and proportionate to achieve the purposes for which such information is collected or processed, or for certain other purposes expressly disclosed to consumers.
Additionally, businesses seeking to collect or use covered consumer data for a new purpose not previously disclosed must first provide consumer notice regarding such new purpose.
Finally, businesses must disclose, at the time of collection of personal information, their retention periods for each category of personal data collected, or at least the factors considered in determining the retention period for such personal data, and must not retain personal information for longer than is “reasonably necessary” to accomplish disclosed purposes of collection of such data.
New and Expanded Rights for Consumers
Consumers will now have new rights regarding the collection of their data under the CPRA, including (but not limited to):
- The right to correct inaccurate records of personal information retained by a covered business;
- The right to restrict the usage and dissemination of sensitive information for certain purposes; and
- The right to opt out of certain automated decision-making practices of companies subject to the CPRA, as well as the right to request information regarding the decision-making processes of such automated decisions. This point could have a particular impact on service or consulting businesses, such as those assisting companies in making workforce decisions based upon certain performance metrics, or financial technology companies utilizing personal information to make financing determinations.
Beyond these new rights, existing rights of consumers to (i) request deletion of personal information, including information the business has passed on to service providers and third parties, (ii) opt out of the sale or sharing of personal information, (iii) access retained personal information, and (iv) request records of the categories and sources of personal information collected have all been expanded. Enhanced protections for minors requiring their express “opt-in” to the sale and sharing of their personal information are also included in the CPRA.
Third Party Contractor Obligations
Third parties servicing companies covered by the CPRA will also be impacted by the new law. Service providers and the newly defined category of “contractors” of CPRA-covered businesses will need to agree in writing to meet certain CPRA standards regarding the sale, sharing, retention, disclosure or combination of consumer personal data provided to them by such covered businesses. Any contracts between covered businesses and their service providers or contractors will need to be crafted to meet specific CPRA requirements, similar to how processor contracts are regulated under the GDPR. This means that companies providing services to businesses subject to the CPRA will need to modify business practices in certain circumstances in order to assist their clients in complying with these new data privacy regulations.
While the above is not a comprehensive review of potential regulatory changes under the CPRA, it does encompass significant potential changes to business practices for a number of companies.
As with any regulatory compliance effort, the engagement of counsel with experience handling data privacy compliance matters is essential for ensuring that businesses operating in California or serving Californians avoid potentially significant liabilities. Even for businesses that are compliant with the GDPR, previously the gold standard for data privacy compliance, these regulations add new requirements that will need to be considered regarding data privacy compliance. Implementing new policies takes time and internal coordination, and having appropriate compliance personnel, including experienced legal counsel, review existing practices and develop new processes will continue to be critical in the evolving space of data privacy. Policy review should consider both the modification of existing practices as well as procedures for reviewing and implementing new business practices regarding data collection and retention.
Most importantly, putting together a knowledgeable team of internal and outside counsel is critical to avoiding unnecessary liability, because, as the old adage goes, when it comes to data privacy, it’s what you don’t know that might hurt you the most.