In the two years since the California Consumer Privacy Act (CCPA) was passed, there have been debates about various aspects of the law, including its lack of clear definitions, such as what exactly constitutes “personal data”.

While the law was amended in October of 2018, there remained ambiguities in some of the language.

In a more substantive overhaul, the California Privacy Rights Act (CPRA) was proposed in May 2020 and appeared on the November 2020 ballot, where it passed by a decisive majority. This post discusses five significant changes from CPRA that you need to know.

1. Special rules regarding “Sensitive Personal Information”

The first major change from CCPA to CPRA is the definition of “sensitive data.” The definition is still admittedly broad, but the category includes government-issued identifiers, account log-in credentials, financial account information, precise geolocation, contents of certain types of messages and many more.

It is certainly broader than the definition of “special categories of personal data” under the GDPR, to which some might be tempted to compare it. Here it is worth noting that under CPRA, while additional rules would govern the processing of sensitive data, doing so would not require express consent, as is the case with the narrower set of “sensitive” data under the GDPR.

2. Further limitations on the use of sensitive personal information collected

CPRA also builds on CCPA with respect to consumers’ ability to limit the use and disclosure of their sensitive personal information. Specifically, a consumer could direct a business to use sensitive personal information only for purposes necessary to perform the service or provide the goods requested or as prescribed by the CPRA or implementing regulations. Businesses would be required to respect such requests unless a consumer provides subsequent authorization to use the sensitive personal information for additional purposes.

CPRA would also require a business to inform consumers of the length of time the business intends to retain each category of personal information and sensitive personal information or the criteria used to determine that period.

This highly significant new business obligation is somewhat hidden among the CPRA’s notice obligations, and it forces businesses to take a careful look at the personal data they have stored and delete unnecessary data much more regularly.

Finally, the CPRA places new contractual and direct obligations on service providers, contractors and third parties. This change too aligns with the separate and distinct obligations the GDPR places on processors.

New obligations are also placed directly on service providers and contractors. CPRA mandates that they cooperate with and assist businesses in providing requested personal information in response to verifiable consumer requests as well as correcting or deleting information or limiting the use of sensitive personal information in response to such requests, each with some exceptions.

3. Changes to the definition of “publicly available information”

Publicly available information has included public records from federal, state, or local governments, but CPRA takes the definition a step further.

CPRA includes as public information:

  • Information that a business has a reasonable basis to believe is lawfully made available to the general public by the consumer,
  • Information from widely distributed media, and
  • Information made available by a person to whom the consumer has disclosed the information if the consumer has not restricted its use

4. Employee data moratorium extended

Many covered businesses will surely appreciate the expanded employee data moratorium, which the CPRA extends until Jan. 1, 2023. The act makes clear that personal information collected by a business in the employment context would not be covered until 2023, providing time for adoption of another bill to govern data protections in that context.

More specifically, the CPRA states that it does not apply to personal information collected from an individual acting as a job applicant, an employee, owner, director, officer, staff member or contractor, including benefits administration and maintenance of emergency contact information.

There is a similar exclusion for communications or transactions between businesses and consumers, where the consumer is acting as an employee or one of the other roles cited above. The CPRA’s introductory provisions, outlining its purpose and intent, make clear that while the privacy interests of employees and contractors should be protected, the relationship between employees and businesses is a different one, and that difference should be taken into consideration.

5. Establishment of a California Privacy Protection Agency

The CPRA creates the first agency in the United States dedicated solely to privacy – the California Privacy Protection Agency or CPPA. This agency will implement and enforce the act and will have subpoena and audit powers. The CPPA would also be charged with building public awareness about privacy risks and providing guidance to businesses and consumers, and its members would “be [appointed] from among Californians with expertise in the areas of privacy, technology, and consumer rights.”

The agency could levy administrative fines of up to $2,500 per violation of the act or up to $7,500 per intentional violation or violations involving minors. It would also absorb the rulemaking authority granted under the act from the Attorney General’s Office. The CPPA would receive at least $10 million in annual funding beginning in 2021–22 with $5 million in the first year.

Best Practices Recommendations

CPRA is not going to be the last privacy law of its kind in the United States. It is important now, more than ever, for organizations to develop a compliant privacy program that can adapt to the current privacy laws as well as future legislation.

With CPRA becoming effective January 1, 2023, and the employee data moratorium extended until the same date, there is still plenty of time to develop a program that can accomplish this.

As you do, keep the following best practices in mind:

  • Know what the regulations (in each location) require.
  • Be sure your data sharing partners are compliant.
  • Know what your contracts say.
  • If you’re on the receiving end of a privacy and security boilerplate, read it.
  • Include that boilerplate in the contracts with your own data sharing partners.

For more on privacy law, check out our ebook: Data Privacy for the Information Management Professional.