While most of America, and the world, have been focused on the U.S. Presidential election, voters in California have quietly approved the most sweeping privacy and data protection law in the United States. The California Privacy Rights Act (“CPRA” or the “Act”) will be replacing the California Consumer Privacy Act (“CCPA”) that just came into effect earlier this year.
In October 2019 we provided our initial take on the then proposed California Privacy Rights Enabling Act of 2020 (“CPREA”). The CPRA is structured in sections that include: 1) Findings and Declarations; 2) Purpose and Intent; 3) detailed redlined edits to the CCPA; and 4) various enactment provisions. We encourage readers to look at our prior post for a more detailed analysis of the substantive changes that the CPRA will make to the text of the CCPA.
This post provides a brief Q & A with a preliminary analysis of the key issues of immediate concern for regulated businesses and their counsel.
QUESTION: When does CPRA go into effect?
ANSWER: The Act provides for a phased implementation, with full enforcement starting January 2023. Here are the details:
First, the following Sections will go into immediate effect five days after the California Secretary of State files the final results of the election:
The remainder of the Act will then go into effect on January 1, 2023; provided, however, the Act also includes a look back to January 1, 2022, to cover any information collected on or after that date. Accordingly, all businesses that are currently subject to the CCPA will have just over one year to make (further) program updates to conform their data collection practices with the new requirements under CPRA.
QUESTION: What about the amendments made to the CCPA?
ANSWER: Any amendments made to the CCPA after January 1, 2020, are superseded by the text of the CPRA. To the extent those amendments conflict with the stated intent of CPRA, they are null and void. Amendments made prior to Jan 1, 2020, remain in effect.
Two bills that passed in September 2020 are impacted by this:
QUESTION: Is my business subject to CPRA?
ANSWER: There are a few substantive changes to the definition of a “business” that is subject to regulation under the CPRA as opposed to the current CCPA.
The first standard is slightly altered to state that a business meets the threshold if, “[a]s of January 1 of the calendar year” it has had annual gross revenues exceeding $25,000,000 “in the preceding calendar year.”
The second standard alters the language to provide for regulation of a business that “[a]lone or in combination, annually buys or sells, or shares the personal information of 100,000 or more consumers or households.” This increases the number of consumers or households from 50,000 to 100,000 and removes the measurement of devices.
The third and final standard is slightly modified to cover any business that “[d]erives 50 percent or more of its annual revenues from selling or sharing consumers’ personal information.”
QUESTION: What really big changes from the CPRA may directly impact my business?
ANSWER: Here are a few brief items you might want to consider as you begin the process of getting ready for the CPRA:
There are numerous requirements corresponding to new regulations, including definitions and limitations on a variety of major privacy areas:
There are also changes to the data breach cure provisions. Under the CCPA, regulated businesses have a 30-day period to cure alleged failures that resulted in personal data breaches. The CPRA does not offer such a safe harbor; implementing curative measures within 30 days following a breach will not constitute a “cure” under the Act. The only way regulated businesses can obtain relief is to fix any security holes before a breach.
Finally, the CPRA will implement a data enforcement regulatory agency which receives mandatory funding from the state. This may lead to a significant increase in enforcement actions and accordingly administrative fines. In addition, regulated businesses will also be responsible under the CPRA for violations caused by their contractors.
We again recommend reviewing our prior CPREA post for further information on these and other areas. And we’ll be back with further analysis down the road.