
California Voters Approve the CPRA

Goodbye CCPA – we hardly knew you.

Hello CPRA!

While most of America, and the world, have been focused on the U.S. Presidential election, voters in California have quietly approved the most sweeping privacy and data protection law in the United States. The California Privacy Rights Act (“CPRA” or the “Act”) will be replacing the California Consumer Privacy Act (“CCPA”) that just came into effect earlier this year.

In October 2019 we provided our initial take on the then proposed California Privacy Rights Enabling Act of 2020 (“CPREA”).[1] The CPRA is structured in sections that include: 1) Findings and Declarations; 2) Purpose and Intent; 3) detailed redlined edits to the CCPA; and 4) various enactment provisions. We encourage readers to look at our prior post for a more detailed analysis of the substantive changes that the CPRA will make to the text of the CCPA.

This post provides a brief Q & A with a preliminary analysis of the key issues of immediate concern for regulated businesses and their counsel.

QUESTION: When does CPRA go into effect?

ANSWER: The Act provides for a phased implementation, with full enforcement starting January 2023. Here are the details:

First, the following Sections will go into immediate effect five days after the California Secretary of State files the final results of the election:

  • Section 1798.145, Subdivisions (m) and (n) (limitations on employment-related data)
  • Section 1798.160 (the creation of the Consumer Privacy Fund – the “Fund”)
  • Section 1798.185 (addition of specific new regulations that will apply to CCPA and then CPRA—we will cover in detail in a later post)
  • Sections 1798.199.10 through 1798.199.40 (establishment of the California Privacy Protection Agency – the “Agency”)
  • Section 1798.199.95 (automated appropriations to finance the Agency)

The remainder of the Act will then go into effect on January 1, 2023; provided, however, the Act also includes a look back to January 1, 2022, to cover any information collected on or after that date. Accordingly, all businesses that are currently subject to the CCPA will have just over one year to make (further) program updates to conform their data collection practices with the new requirements under CPRA.

QUESTION: What about the amendments made to the CCPA?

ANSWER: Any amendments made to the CCPA after January 1, 2020, are superseded by the text of the CPRA. To the extent those amendments conflict with the stated intent of CPRA, they are null and void. Amendments made prior to Jan 1, 2020, remain in effect.

Two bills that passed in September 2020 are impacted by this:

  • AB 713, which added Section 1798.146, established new exemptions for certain medical and health information. This primarily addressed a likely Federal Preemption issue related to deidentified information covered under HIPAA and HITECH. Further analysis will be needed to assess whether this change will survive, although on first impression it appears likely.
  • AB 1281, which extended exemptions of employment and business-to-business information until January 1, 2022, contained a provision expressly providing that it would only become operative if California voters did not approve the CPRA. As such, this amendment to the CCPA has been killed by the voters. CPRA Section 3.A.8. expressly extends the exemptions until January 1, 2023.

QUESTION: Is my business subject to CPRA?

ANSWER: There are a few substantive changes to the definition of a “business” that is subject to regulation under the CPRA as opposed to the current CCPA.

The first standard is slightly altered to state that a business meets the threshold if, “[a]s of January 1 of the calendar year” it has had annual gross revenues exceeding $25,000,000 “in the preceding calendar year.”

The second standard alters the language to provide for regulation of a business that “[a]lone or in combination, annually buys or sells, or shares the personal information of 100,000 or more consumers or households.” This increases the number of consumers or households from 50,000 to 100,000 and removes the measurement of devices.

The third and final standard is slightly modified to cover any business that “[d]erives 50 percent or more of its annual revenues from selling or sharing consumers’ personal information.”

QUESTION: What really big changes from the CPRA may directly impact my business?

ANSWER: Here are a few brief items you might want to consider as you begin the process of getting ready for the CPRA:

There are numerous requirements corresponding to new regulations, including definitions and limitations on a variety of major privacy areas:

  • Limits on how businesses can use information gathered from consumers that are more in-line with the purpose limitations and data minimization requirements under the European GDPR Article 5;
  • Requirements that regulated businesses de-identify sensitive information held on consumers;
  • Limitations on the use of “precise geolocation” to locate and track consumers;
  • Requirements for certain businesses to perform annual independent cybersecurity audits and submit reports to the new Privacy Protection Agency; and
  • Increased rights of consumers to opt-out of automated decision-making.

There are also changes to the data breach cure provisions. Under the CCPA, regulated businesses have a 30-day period to cure alleged failures that resulted in personal data breaches. The CPRA does not offer such a safe harbor; implementing curative measures within 30 days following a breach will not constitute a “cure” under the Act. The only way regulated businesses can obtain relief is to fix any security holes before a breach.

Finally, the CPRA will implement a data enforcement regulatory agency which receives mandatory funding from the state. This may lead to a significant increase in enforcement actions and accordingly administrative fines. In addition, regulated businesses will also be responsible under the CPRA for violations caused by their contractors.

We again recommend reviewing our prior CPREA post for further information on these and other areas. And we’ll be back with further analysis down the road.

[1] In the final documentation for the Act as submitted to the California electorate, the word “Enabling” was struck, resulting in the official acronym: CPRA.

Eric P. Mandel
Eric is an attorney, legal technologist, and privacy professional who has spent the past 13 years focused on solving complex problems at the intersection of law and technology. He has served in senior leadership roles in several trade associations, including The Sedona Conference, the EDRM Institute, the Legal Technology Professionals Institute, and the Association of Certified E-Discovery Specialists, and is a frequent speaker on a broad range of topics relating to electronic discovery, information governance, data regulatory compliance, and data privacy and data protection. Additionally, Eric has worked on numerous leading publications, including The Sedona Principles, Third Edition.