Antitrust Magazine

Volume 35, Issue 1 | Fall 2020

California Privacy Landscape Changes Again with Approval of New Ballot Initiative

Allaire Monticollo, Chelsea Reckell Richmond, and Emilio William Cividanes

Summary

  • The new California Privacy Rights Act creates additional rights regarding personal information that consumers did not enjoy under the previous CCPA regime, including a private right to sue for penalties or damages.
  • These changes will require businesses to undertake gap analyses to understand what updates they must make to their current internal practices to facilitate compliance with the new regime.
  • The CPRA also establishes a new California regulatory agency to enforce the new law.
When the California Consumer Privacy Act of 2018 (CCPA) became law more than two years ago, it was the broadest data privacy statute enacted in the United States to date. The CCPA began as a ballot initiative that its primary sponsor, real estate developer Alastair Mactaggart, proposed to California voters during the 2018 midterm election. However, after discussions and negotiations with the California legislature, proponents of the initiative agreed to incorporate the measure into the legislative process instead of placing it, unaltered, on the ballot. The CCPA was signed into law by then-Governor Jerry Brown on June 28, 2018, after moving through the legislature in a matter of days.

When California enacted the CCPA, it was viewed by many as the United States’ version of data protection legislation akin to Europe’s General Data Protection Regulation (GDPR). Despite a number of differences between the two regimes, not least of which was enforcement, prior to the adoption of the CCPA, no single privacy law in the United States purported to regulate such a broad range of information and establish such an expansive set of privacy rights for consumers.

Federal sectoral laws, such as the Children’s Online Privacy Protection Act, the Health Insurance Portability and Accountability Act, the Gramm-Leach-Bliley Act, and others had set forth privacy rules for business processing and use of certain types of information. Similarly, some states had previously enacted limited issue-specific laws regulating the processing and use of particular kinds of data. However, in 2018, the CCPA became the most broadly applicable law in the United States to impose rules on business processing of any information that reasonably could be associated with a consumer.

In response to the CCPA, businesses went to great expense to engage in data mapping exercises, update their privacy policies, create and implement compliance mechanisms related to the new consumer rights articulated in the law, review and renegotiate existing contracts, institute new recordkeeping processes, reevaluate loyalty programs, and undertake a range of other steps designed to facilitate compliance with the new law. The CCPA’s language left much open for interpretation and created challenges for companies attempting to operationalize its terms. In addition, the California Office of the Attorney General (OAG) engaged in a lengthy process of drafting and finalizing regulations aimed at implementing the CCPA.

From late 2018 to early 2019, the OAG held seven pre-rulemaking forums to enable interested parties to provide input on the content of the rules. The agency also engaged in a public notice and comment rulemaking process during which five iterations of draft regulations were released from late 2019 to late 2020, despite the fact that the CCPA became enforceable on July 1, 2020. Shortly after the CCPA’s enforcement start date, the OAG began sending warning letters to companies notifying them of apparent noncompliance with the law. By mid-2020, the OAG filed its supposedly final regulations and began to enforce the new law. In an October surprise, the OAG unexpectedly filed a new set of modifications coupled with a comment period that ended on October 28, 2020. The regulations are pending approval and finalization.

In 2019, Mactaggart began drafting a new privacy ballot initiative in time for the November 3, 2020 election ballot. He decided to author a new law that would materially amend the untried CCPA, and, in his view, further strengthen privacy protections for consumers in the state. The new ballot initiative, entitled the California Privacy Rights Act of 2020 (CPRA), was certified for the general election ballot on June 25, 2020. Presented to voters as “Proposition 24,” and adopted by voters on November 3, the CPRA is set to go into effect on January 1, 2023.

This article compares and contrasts certain key provisions of the CPRA and CCPA as well as select provisions of the CPRA and GDPR. It then discusses what is next for the CPRA in California and provides an assessment of the likely impact of the CPRA on businesses and consumers in the state.

Comparison of CPRA to CCPA

While the CPRA is not a total overhaul of the CCPA and its associated regulations, “CCPA 2.0” brought significant changes to the law.

Applicability/Threshold Changes

The CPRA changed one of the threshold requirements of the CCPA. The new law applies to businesses that satisfy one or more of three triggers, including businesses that annually buy, sell, or share the personal information of 100,000 or more California consumers or households. Devices are not included in this count as they were for the CCPA. The 100,000 mark is a change from the CCPA’s old requirement that the law applies to businesses that buy, sell, or share for commercial purposes the personal information of 50,000 or more consumers, households, or devices.

In addition, the CPRA adds the term “share” to the definitions section and defines “sharing” to mean the oral, written, or electronic communication of consumer personal information to a “third party for cross-context behavioral advertising, whether or not for monetary or other valuable consideration.” Cross-contextual behavioral advertising is another newly defined term in the CPRA. It is defined as “the targeting of advertising to a consumer based on the consumer’s personal information obtained from the consumer’s activity across businesses, distinctly-branded websites, applications, or services, other than the business, distinctly-branded website, application, or service with which the consumer intentionally interacts.” The CPRA requires businesses to enter into contracts with their service providers that prohibit their service providers from “selling or sharing . . . personal information,” as discussed in more detail below.

Changes to Entity Definitions and Contract Requirements

The CPRA adds the category of “contractor” to the CCPA to cover contractual arrangements that restrict the sale/reuse of personal information but are not “service provider” relationships. Contractors are subject to contractual restrictions similar to those that apply to service providers under the CCPA. The CPRA prohibits the contractor from, in part: selling or sharing personal information; retaining, using, or disclosing personal information for any purpose other than for the business purposes specified in the contract; or combining personal information with personal information received from another person, or collected from the contractor’s own interaction with the consumer, subject to some exceptions to be defined by regulation.

The CPRA amends the term “service provider” to include additional contractual restrictions. A service provider is now prohibited from “selling or sharing the personal information;” “retaining, using, or disclosing the information outside of the direct business relationship between the service provider and the business;” and “combining the personal information which the service provider receives from or on behalf of the business, with personal information which it receives from . . . another person or persons, or collects from its own interaction with the consumer . . . .” Similar to contractors, the service provider would, however, be permitted to combine personal information to perform business purposes as defined by regulation. This definition change means that, compared to the CCPA regulations, service providers may face greater restrictions for combining personal information collected from varied sources under the CPRA.

The CPRA also amends the definition of “third party” to mean an entity with which the consumer does not intentionally interact but that collects personal information from the consumer’s current intentional interaction with another business. The new law explicitly excludes service providers and contractors from the definition of “third party.”

On the contractual front, the CPRA requires additional contractual arrangements between businesses and their service providers, contractors, and third parties. Of note, if a contractor engages other individuals to assist in processing personal information, those outside individuals also will be bound by the same contractual protections as the contractor.

Changes to Consumer Rights

Now that the CPRA regulates selling or sharing personal information, businesses that share personal information, as defined by the law, must provide consumers with certain disclosures in response to access requests and allow consumers to limit sharing through a clear and conspicuous link.

Under the CCPA implementing regulations, businesses were required to adhere to user-enabled privacy controls that communicate or signal the consumer’s choice to opt out of the sale of personal information. The CPRA now allows businesses the option to honor “an opt-out preference signal” set with the consumer’s consent, or to provide opt-out links related to the sale and/or sharing of personal information.

The CPRA also adds a new consumer right to correct personal information. (We discuss this right further below.) As for existing consumer rights to know/access and delete, the CPRA makes some notable changes. Under the right to know, the CPRA permits a regulator to issue a rule allowing access requests for personal information to extend beyond the CCPA’s previous 12-month period, unless doing so would be impossible or involve disproportionate effort. Such requests would apply only to personal information collected on or after January 1, 2022.

For the right to delete, businesses are required to direct both service providers and now contractors to delete personal information when requested to do so by a consumer. Businesses would also need to notify third parties to whom the business sold or shared such personal information to delete the personal information, subject to some exceptions. The CPRA adds clarification to the CCPA that service providers and contractors are not required to comply with deletion requests directly from consumers if they collected, used, processed, or retained personal information in their role as a service provider or contractor.

New Category of Sensitive Personal Information

As discussed further below, much like the GDPR, the CPRA designates a special class of “sensitive personal information” (SPI). The CPRA requires businesses that collect SPI to provide consumers with specific disclosures and to allow consumers to limit a business’s ability to use and disclose SPI. Businesses are also now required to provide a clear, conspicuous link titled “Limit the Use of My Sensitive Personal Information” on their webpages, or to include another clearly labeled link that easily allows a consumer to both opt out of the sale or sharing of personal information and limit the use or disclosure of SPI.

Additions to Privacy Policies

The CPRA now requires privacy policies to include a list of the categories of personal information shared with third parties in addition to the categories of personal information collected, sold, and disclosed for a business purpose. Businesses also must include the length of time they intend to retain each category of personal information collected, including SPI, in a notice to consumers at the time of personal information collection. If providing a retention period is not possible, a business must list the criteria it uses to determine the retention period and may not maintain personal information or SPI for longer than reasonably necessary.

Extended Exemptions

The CCPA temporarily exempted from certain requirements personal information collected in the context of employment relationships and business-to-business arrangements. The CPRA extends the CCPA’s exemptions for personal information related to employment records and business-to-business transactions until January 1, 2023.

Enforcement

The CPRA establishes a brand-new agency in the State of California to regulate data privacy and bring enforcement actions for violations of the law. This regulator, the California Privacy Protection Agency (CPPA), is authorized to assume rulemaking responsibilities from the OAG and investigate possible violations of the CPRA upon the sworn complaint of any person or on its own initiative. Administrative fines for violations of the CPRA may span $2,500 for each violation to $7,500 for each intentional violation or any violation involving the personal information of a minor consumer.

Under the CCPA, a business has 30 days to cure any alleged violation coming from either the California Attorney General or a consumer. If the business cures the alleged violation within 30 days of being notified, it will not be subject to penalty from the Attorney General, and for the consumer allegations, no individual or class action suit for statutory damages may be brought against the business. Notably, under the CCPA, a consumer (who must be a California resident) only has a private right of action when their personal information is subject to “unauthorized access and exfiltration, theft, or disclosure” and the business violated a duty to “implement and maintain reasonable security procedures and practices appropriate to the nature of the information.” The new law does not include a guaranteed 30-day cure period for CPPA enforcement actions, but a cure period is permissible at the enforcer’s discretion. The CPRA retains the CCPA’s 30-day cure period for civil lawsuits and adds the caveat that implementing and maintaining reasonable security measures and practices following a breach does not constitute a cure with respect to that breach. The CPRA also extends the CCPA’s limited private right of action for security breaches to now include breaches of merely email addresses and credentials that in combination with a password or security question and answer would permit access to the account, information that under some state data breach statutes is not considered “personal information” that triggers statutory notification.

The CPPA will be made up of a five-member board, including the Chair. The Chair and one member of the board will be appointed by the Governor. The Attorney General, Senate Rules Committee, and Speaker of the Assembly will also each appoint one member. The law states that “these appointments should be made from among Californians with expertise in the areas of privacy, technology, and consumer rights.” Notably, the selection process for the CPPA board will not undergo any type of third-party review or evaluation outside of the political official who appoints each member.

Each member of the agency board, including the Chair, will “serve at the pleasure of their appointing authority but shall serve for no longer than eight consecutive years.” Critically, in addition to the unreviewable appointment process, serving “at the pleasure” means that the appointing authority may also remove its designated appointee at any time during his or her eight-year term without stating a reason. In other words, if in the sole view of the appointing authority, any appointee performs unsatisfactorily, including the Chair, he or she may be summarily removed by that authority and immediately replaced, again without any third-party review, for another eight-year term subject to the same potential risk of removal.

The newly created agency and the OAG are charged with issuing regulations requiring annual cybersecurity audits and risk assessments of businesses which process personal information that “presents significant risk to consumers’ privacy or security.” The regulators are required to issue regulations to implement the CPRA by July 1, 2022.

Amendments

The CPRA sets forth specific terms regarding how it may be amended. The law may be amended by a statute passed by “a vote of a majority of the members of each house of the Legislature and signed by the Governor, provided that such amendments are consistent with and further the purpose and intent” of the CPRA. The CPRA’s proponents have publicly stated that these terms are intended to “[m]ake it almost impossible to weaken privacy in California in the future . . . [as] any amendment would have to be ‘in furtherance of the purpose and intent’ of CPRA . . . .”

Comparison of the CPRA to the GDPR

The GDPR was adopted by the European Union on April 14, 2016, and went into effect on May 25, 2018. Due in part to its broad scope and comprehensive nature, GDPR concepts have bled into proposed and enacted legislation in other countries, including proposed privacy legislation and new state laws in the United States.

While the CPRA and GDPR differ in several respects, including how each is enforced, some elements of the CPRA borrow from concepts in the GDPR. Certain consumer rights, data categorizations, and structural enforcement elements are similar across the two statutes, though the details of those broad concepts differ within the contours of each of the laws. In addition, the CPRA and GDPR diverge in their approaches to a covered entity’s ability to process information associated with a covered individual (a “data subject” under GDPR and a “consumer” under CPRA).

The terminology and scope of the two laws are also not the same. The majority of GDPR requirements apply if an entity constitutes a data “controller,” i.e., “a natural or legal person . . . alone or jointly with others, determines the purposes and means of the processing of personal data . . . .” In contrast, most CPRA obligations apply to “businesses” that collect “personal information.” A “business” is a for-profit entity that does business in the State of California and meets certain data processing or revenue thresholds. As the definition suggests, “doing business” in the State of California is a prerequisite for being a “business” subject to the law, while GDPR does not require one to actually conduct business within the EU in order to be subject to its terms.

Below is a discussion of certain key similarities and differences between the GDPR and CPRA.

Right to Correct Information

The CPRA adds a new right to Californians’ arsenal that was not present in the CCPA: the right to correct inaccurate personal information. This right is included in the GDPR as well and is referred to as the “right to rectification” under that law. To comply with both the CPRA and GDPR, businesses must implement a process for responding to and effectuating correction requests from consumers and data subjects. GDPR enables data subjects to request rectification of personal data if such data is inaccurate or incomplete, while the CPRA’s explicit terms apply to inaccurate personal information only. Controllers under GDPR must rectify personal data in response to a request without undue delay. Under CPRA, businesses must correct inaccurate personal information within 45 days of the request date, with certain options available for deadline extensions.

Sensitive Information

The CPRA and GDPR both set forth particularized rules with respect to the processing, use, and disclosure of a subset of data that is deemed more sensitive than other information. The CPRA defines “sensitive personal information” as personal information that reveals certain data elements, such as a consumer’s Social Security number; driver’s license number; state identification card; passport number; account log-in, financial account, debit card, or credit card number in combination with any required access credentials; precise geolocation information; racial or ethnic origin; religious or philosophical beliefs; union membership; mail, email, or text message contents; genetic data; biometric information processed for certain purposes; health data; and information concerning a consumer’s sex life or sexual orientation. As discussed above, the CPRA enables consumers to limit use and disclosure of SPI by implementing a link or button on the business’s homepage enabling consumers to submit a request for such a limitation. The law also imposes specific disclosure requirements on businesses related to this kind of information.

The GDPR similarly creates specific rules for the processing of sensitive personal data, which it considers a “special category” of personal data under the law. Unlike the CPRA, however, the GDPR does not merely provide consumers with the ability to restrict use and disclosure of sensitive personal data. Instead, the GDPR flatly prohibits “[p]rocessing of personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation” absent consent by the data subject to the processing or the existence of another specifically enumerated exception that would allow a controller to process such information.

Processing and Information Transfer Requirements

The CPRA gives consumers the right to opt out of sales or sharing of personal information. The term “sale” is defined as any transfer of personal information to another business or third party in exchange for monetary or other valuable consideration, and the term “sharing” is defined as transferring personal information to another party for cross-context behavioral advertising, whether or not for monetary or other valuable consideration. Businesses under the CPRA are generally subject to few restrictions on their ability to collect personal information in the first place. However, they must abide by a consumer’s wishes to stop transferring that information upon receiving a request to opt out of personal information sales or sharing. Businesses are required to maintain a “Do Not Sell or Share My Personal Information” link or button on the business’s webpage to enable consumers to opt out of such personal information transfers. The CPRA’s continued reference to “my personal information,” first adopted in the CCPA, raises the possibility that such data, as a matter of California law, should be viewed as property belonging to the consumer. If embraced, this interpretation would represent a departure from current state and federal laws, and could bring with it significant legal consequences.

In contrast, the GDPR requires a data controller to have a “[lawful] basis for the processing” of personal data upon collecting such information in the first instance. Under the GDPR, processing is permitted if it took place with the data subject’s consent or is necessary to the legitimate interests of the controller or a third party, for performance of a contract, to protect vital interests, for compliance with a legal obligation, or for the performance of a task to be carried out in the public interest. While many companies have relied on legitimate interests as a lawful basis of processing, particularly in the programmatic adtech space where setting a third-party cookie on a website facilitates the collection of personal data, recent regulator guidance suggests that consent may be required at the initial point of processing. In addition, the European Court of Justice recently held in its Planet49 decision that pre-ticked check boxes on a website do not constitute valid consent under European data protection law.

The CPRA’s and GDPR’s approaches to requirements for data processing and transfers mark an important difference between the two regimes. Under the CPRA, businesses may generally collect, process, and transfer personal information until a consumer submits a request asking the business to refrain from doing so. Under the GDPR, businesses must have a documented reason for processing personal data in order to collect and retain information, and, more recently, courts in the EU have indicated that consent is the preferred lawful basis of processing for certain activities.

Enforcement

The GDPR and CPRA both allow enforcement actions by private litigants, though the availability of private enforcement under the CPRA is narrower than it is under GDPR. As discussed above, the CPRA empowers a consumer to bring a lawsuit against a business only for certain kinds of data breaches that expose non-encrypted and non-redacted personal information, or the consumer’s email address in combination with security information permitting access to the account, to unauthorized access or exfiltration. Penalties can range from $100 to $750 per consumer per incident or actual damages, whichever is greater, for such private enforcement lawsuits. Private actions are not permitted under the CPRA for any violation of the law other than those related to limited kinds of data breaches.

In contrast, under the GDPR, “any person who has suffered material or non-material damage” as a result of a controller’s violation of the law has the right to compensation for damages suffered. This private right of action provision is significantly broader than the private enforcement terms in the CPRA. Coupled with the GDPR’s broad enforcement provision is the reality that virtually all EU countries follow the “English rule” for apportioning attorneys’ fees by requiring the losing party to pay the winner’s reasonable legal costs. The application of this rule is a major disincentive to litigate, and its general acceptance within the EU, in combination with the breadth of its private enforcement provision, makes EU private enforcement, though broader on its face, arguably less effective in the context of the GDPR than the CPRA.

In addition to private enforcement, public authorities may bring enforcement actions against covered entities for violations of the GDPR and CPRA. The public enforcement structure inherent in the CPRA was discussed above. For the GDPR, individual EU Member States maintain data protection authorities (DPAs), which serve as their central data privacy enforcement bodies that bring actions against controllers for GDPR violations. Examples of such authorities include the Commission Nationale de l’informatique et des Libertés (CNIL) in France, the Agencia Española de Protección de Datos (AEPD) in Spain, and the Bundesbeauftragte für Datenschutz und Informationsfreiheit (BfDI) in Germany. The GDPR authorizes nation-state DPAs to exact administrative fines of €20 million or 2 percent of a company’s worldwide revenues, or, for more egregious violations, €40 million or 4 percent of a company’s worldwide revenues, whichever is larger. These fines may be augmented by penalties that can be assessed on violators for running afoul of individual EU country rules and laws outside of the GDPR. It is worth noting, however, that there is no Federal Trade Commission-like federal enforcement entity in the EU (where a single agency covers all states in the relevant jurisdiction), and GDPR enforcement is limited to the DPAs, which vary in practices and resources from Member State to Member State much like state attorneys general do in the United States.

What’s Next for the CPRA in California

Now that the CPRA has been adopted as law in California, businesses will have just over two years to prepare for its operative date, which is January 1, 2023. With the exception of the right of access, the Act applies to personal information collected by a business on or after January 1, 2022.

The newly created CPPA administrative enforcement agency will take over authority to issue regulations implementing the CPRA from the OAG beginning on “the later of July 1, 2021, or six months after the [CPPA] provides notice to the Attorney General that it is prepared to begin rulemaking” process. The precise timeline for the CPPA to commence its regulatory process is subject to some debate, as Section 1798.199.40 states that the agency shall adopt, amend, and rescind regulations on and after “the earlier of July 1, 2021, or within six months of the Agency providing” notice it is prepared to assume rulemaking responsibilities. The CPPA is required to adopt final regulations to implement the CPRA no later than July 1, 2022. Here is a recap of the timelines:

  • July 1, 2021: Roughly when the CPPA will begin its rulemaking process.
  • July 1, 2022: Deadline for CPPA to adopt final regulations.
  • January 1, 2023: CPRA becomes operative. Employment record and business-to-business exemptions expire.
  • July 1, 2023: CPPA may begin enforcing the law.

Impact of the CPRA on Consumers and Businesses

The CPRA will impact California consumers by broadening the privacy legal compliance and enforcement landscape in the state. The law gives Californians additional rights regarding personal information collected about them that they did not enjoy under the CCPA, and it mandates new disclosure requirements to keep consumers informed of businesses’ data practices. Moreover, the CPRA’s terms could impact the California legislature’s ability to amend the law in the future. If the law’s provisions requiring any subsequent privacy legislation to be consistent with the CPRA and further its purpose withstand legal muster, the CPRA will certainly have a broad and lasting impact on consumer privacy rights in California.

One of the principal impacts of the CPRA on businesses will be the creation of its entirely new data privacy-focused agency. Since the agency will be exclusively dedicated to drafting regulations to define the parameters of the CPRA and bringing administrative actions for violations, it is likely that enforcement actions related to data privacy will increase in number and scope in coming years. Furthermore, the changes the CPRA has made to the CCPA will require businesses to undertake gap analyses to understand what updates they must make to their current internal practices to facilitate compliance with the new regime. While businesses may be able to leverage processes they are already using to comply with the CCPA and GDPR for certain aspects of their CPRA obligations, businesses subject to the CPRA will likely need to make some modifications to their compliance strategies in order to operationalize the law throughout their organizations.