If your business interacts with residents of California in any manner, then you should be aware that on January 1, 2023, the California Privacy Rights Act (“CPRA”) went into effect. This new set of consumer privacy regulations builds on the foundation of the California Consumer Privacy Act (“CCPA”), clarifying preexisting requirements and adding some new ones. CPRA also establishes a state administrative office for overseeing its implementation and enforcement.
California has a history of being on the leading edge of consumer protection laws, and those laws tend to be fairly aggressively enforced, sometimes by the state government and sometimes by private citizens who are given authority to sue. While the CPRA did not create a private right of action under the CCPA, it did create a new agency with the stated purpose of enforcing the CCPA, and it also gave the California Attorney General enforcement power.
The law went into effect as of the new year, but the regulations that are intended to help businesses know how to comply with the laws will not be in place in time. As of this writing, it is not certain when the regulations will be complete, but it is likely that they will be completed in the first half of 2023, coming into effect in the third quarter. Note that California is only the first in what is a wave of privacy legislation at the state level. Colorado, Connecticut, Utah, and Virginia have also enacted comprehensive data privacy laws that will soon come into effect.
Important Definitional Updates:
“Covered Businesses” – CPRA raises the threshold for covered businesses from 50,000 to 100,000 California resident consumers or households (but removes “devices” from the count). Assessing whether a consumer is a California resident may require implementing additional analytics to evaluate users or pre-screening consumer lists. CPRA further clarifies that the financial hurdle for covered businesses of $25MM (adjusted for inflation) is calculated as of the previous tax year. So, if your business did not meet the financial threshold in 2022, it will not need to come into compliance in 2023, even if it exceeds that threshold in 2023. Any business that derives 50% or more of its annual revenue from selling or sharing the personal information of California residents would be required to comply.
“Coverage for Contractors” – There are certain situations where CPRA will require contractors who work for a Covered Business to comply in limited ways. Contracts with covered contractors will also be required to contain certain provisions, sometimes referred to as a data processing addendum.
“Sale” – CPRA updates the CCPA to clarify that a “sale” only takes place when it is to a third party, not to a related entity.
“Sharing” – in addition to the buying and selling of personal information, CPRA now adds “sharing” to the covered activities when personal information is communicated to a third party for cross-context behavioral advertising. A business may unwittingly “share” personal information when a third party places advertising on its website.
“Sensitive Personal Information” – a new category of personal information was added by CPRA that has specific rules for its collection and handling.
Other Key Updates:
Additional Consumer Rights – In addition to the consumer rights already contained in the CCPA, the CPRA adds the rights to correct inaccurate personal information, opt out of “sharing,” and restrict sensitive personal information processing.
Special Exclusions – Additional exclusions were added to cover, for example, the treatment of trade secrets, press rights, and certain physical items that might qualify as personal information, such as photographs. But CPRA also removes the exclusion for workforce/employment personal information (including information about job applicants) and B2B communications.
General Notice Rights – CPRA does not change the general categories, but updates and expands them. New regulations will likely set out specific rules on implementation. Pre-collection disclosure obligations are also updated and expanded by the CPRA.
Miscellaneous Updates:
In addition to the above key updates, CPRA contains many more provisions on topics including the following:
- M&A Exception rules
- Expands notice of financial incentives duty
- Expands consumers’ individualized right to know
- Clarifies obligations related to Data Portability rights
- Revises circumstances under which a business may deny a request to delete personal information
- Updates data minimization and purpose limitation requirements
- Retention restrictions
- Data Security – makes the data security obligations explicit
- Updates notice requirements
- Provides clarifications for a business’s duties with regard to service providers, contractors, and third parties
If you have questions about how CPRA may affect your business, please reach out to Conroy Baran and we can help you comply with the new law.