California Privacy Rights Act 2020
The California Privacy Rights Act (CPRA) is the new data protection law that will replace the existing California Consumer Privacy Act, 2018. Despite having a strict data protection regulation in place, the California legislation passed the current Act to make compliance requirements for businesses with respect to collection of data and usage of consumer data stricter. The Act will come into force from January 1, 2023.
The key changes that are introduced in the CPRA are discussed in the following sections.
Application and scope
It will be applicable in the following circumstances:
- Have $25 million in gross annual revenue;
- Obtain or share personal information of at least 100,000 California residents, and households;
- Generate at least 50% of their annual revenue from selling California residents’ personal information.
One of the major drawbacks for CCPA was a lack of a specialized data protection authority. The CPRA addressed this issue and inspired from GDPR model introduced its own enforcement authority, the California Privacy Protection Agency.
New Category of data
The CCPA did not separately create a subset for personal data. The CPRA rather introduced a new subset of data, sensitive personal information. We can also finds its reference in Indian Personal Data Protection Bill, 2019. Businesses cannot use the sensitive personal information for purposes other than it were collected unless they provide notice to the concerned consumer along with an opportunity to stop further processing.
Data Subject Rights
The CPRA modifies the existing data subject rights given under CCPA. The following are the modifications done:
- Right to delete- Businesses are now required to notify third parties to delete any consumer personal information bought or received, subject to some exceptions.
- Right to opt-out- The CCPA already grants consumers the right to opt-out of the sale of their personal information to third parties, which also includes sensitive personal information; however, the opt-out right now covers “sharing” of personal information for cross-context behavioural advertising.
- Opt-in rights for minors- Extends the opt-in right to explicitly include the sharing of personal information for behavioural advertising purposes. In case of opt-out right, businesses must wait 12 months before asking a minor for consent to sell or share his or her personal information after the minor has declined to provide it.
- Right to data portability- Consumers may request that the business transmit specific pieces of personal information to another entity, to the extent it is technically feasible for the business to provide the personal information in a structured, commonly used and machine-readable format.
The CPRA apart from modifications introduced new data subject rights to enhance the protection of data of consumers. The following are the new rights:
- Right to Correction- Consumers may request for any correction of inaccurate information residing with the business.
- Right to Opt-Out of Automated Decision-Making Technology- The CPRA authorizes consumers to opt-out of automated decision making technology and that even includes “profiling”.
- Right to Access Information about Automated Decision-Making- The CPRA authorizes regulations that allows consumers to access their information while any decision making process and also can seek the output of the decision.
- Right to Restrict Sensitive personal information- Consumers may limit the disclosure of sensitive personal information in case of secondary purpose and can even restrict businesses to share their respective sensitive personal information to third parties.
Breach of minor’s personal information
The CPRA has took stricter step t o protect the data of minors. A heavy penalty will follow if any breach of data of minor takes place. Any violation of an opt-in sale and share of personal information rule in relation to a minor can result in a $7500 administrative fine, which is three times the minimum amount of $2500. Moreover, the CPRA mandates businesses to abide by global opt-out preference signals identifying consumers as minors.
The CCPA did not particularly mention anything about notification obligations but the CPRA found it necessary to cover and the following are the notification obligation under CRPA:
- Data Collection: The CPRA requires businesses to notify consumers of all categories of personal information they are intending to collect and sale to the third parties. They cannot collect any additional data which is inconsistent with the purpose for collection.
- Data Retention: A business must inform the consumer of the period of time it intends to retain each category of personal information it has collected, including sensitive personal information, or if that is not possible the criteria used to make that determination. No personal information should be retained longer than it is reasonably necessary to fulfil the disclosed purpose it was collected for.
- Data Minimization: The consumer shall be notified by the business how the information will be used and they should limit it to the purpose for collection.
- Reasonable Security Measure: Business shall take reasonable security measures and practices for personal information to protect it from data breaches. They should also take into consideration the nature of the data.
Unlike CCPA, CPRA classifies three distinct categories of entities a business is likely to engage with in relation to the processing of personal information of consumers and requires businesses to have written contracts to perform the same. These categories of entities are contractor, service provider and third-party. Businesses must take reasonable steps to ensure that the entities they are engaging with protect personal information as per the requirements of the CPRA.
Prantik Mukherjee is a lawyer specializing in data protection and privacy compliance.