The legislative framework under the California Consumer Privacy Act of 2018 ('CCPA') has undergone significant change according to the enactment of the California Privacy Rights Act of 2020 ('CPRA'), which aims to strengthen the negotiating capacity of consumers with businesses in terms of the protection of their rights. The CPRA will not be replacing CCPA, but rather it is an amendment of the present provisions of Title 1.81.5 of the California Civil Code (CCPA). The CPRA is set to become effective on January 1, 2023. However, several provisions are now applicable to personal information collected from January 1 2022.
Following is a brief overview of the expanded scope, as introduced by CPRA:
· Creation of new classifications of sensitive personal information
· Broadened consumer rights to manage and request corrections to their data [[1] Section 1789.106]
· Control afforded to employees in terms of the way businesses use their data
· Creation of a new enforcement agency: the California Privacy Protection Agency (CPPA) [[1] Section 1798.199.10]
. Provisions pertaining to enhanced protections for minors
From the perspective of operational implementation, organisations that already have their CCPA compliance programs in place should consider some additional requirements before CPRA's effective date. However, even for such organisations, compliance with CPRA is necessary, as the look-back period of the legislation makes it clear that many of its provisions will apply to personal information collected from January 1, 2022.
Here are the steps of compliance required to successfully implement the increased scope of compliance from CCPA to CPRA:
1. Understanding the widened scope
Businesses are now required to detect, classify, and rightly govern a new categorisation of data as sensitive personal information (SPI) by incorporating data minimisation principles and retention requirements as mandated by CPRA. The following data classify as SPIs:
· Racial and ethnic origin which organisations
· Exact geolocations
· Driver license numbers
· Social Security Numbers
· Biometric information
2. Consumer and Employee Rights Requests
CPRA has expanded the rights of access, knowing, deleting, opt-out of sale, and non-discrimination initially introduced by the CCPA. CPRA has now included the following additional rights not merely to consumers but also to employees:
Rectification
Portability
Opting out of the sharing and selling of personal information.
Limiting the use and disclosure of sensitive personal information.
Right to see all personal information, no matter when acquired: unlike the CCPA, which had only limited this right to the last 12 months.
3. The "Do Not Sell or Share My Information" Opt-Out Mechanisms
Various organisations have found themselves making ambiguous interpretations of the "Do Not Sell" requirements under the CCPA about transferring personal information for advertising. The CPRA has addressed this ambiguity through the provisions pertaining to "Do Not Share". According to these provisions, organisations have been mandated to comply with the requirement of providing consumers with a link on the website, enabling them to choose an option of "Do Not Sell or Share My Information."
4. New Policy Requirements
According to the new requirements under the CPRA, organisations must limit the collection, use and retention of sensitive personal information to only what is required to provide goods or services. While the CCPA did not specify particulars about data retention, the CPRA permits the retention of personal information solely when it is "necessary and proportionate" for collection, processing, and other specifically disclosed purposes.
5. Risk Assessments and Annual Cybersecurity Audits
The CPRA mandates an annual, independent cybersecurity audit for organisations where processing activities pose considerable risk to consumer privacy or security.
Additionally, organisations involved in personal processing and sensitive personal information that pose a high risk have been mandated to perform regular risk assessments like that of the Data Protection Impact Assessment (DPIA)—completing these risk assessments and submitting them before a regulatory authority ensures apposite protection to address the risk involved in personal processing information and sensitive personal information.
6. Regulatory Updates
During the CCPA regime, the California Attorney General had the role of implementing, enforcing and overseeing the law's implementation. The California Privacy Protection Agency (CPPA) has been established with the same purpose. The CPPA has time till July 1, 2022, to adopt the new regulations regarding risk assessments, correction requests, and opt-out rights that the CPRA has provided for.
Compliance Requirements
1. Businesses will be required to revise policies and procedures to include the expanded scope of consumer rights.
2. Agreements with third parties, contractors, and service providers must be reviewed to ensure that they contain appropriate CCPA and CPRA compliance requirements.
3. Websites must be updated with new links to "limit the use of my sensitive personal information."
4. Internal procedures must be in place to respond to requests pertaining to the new rights under CPRA.
5. Businesses must revisit their retention policy for personal information to ensure compliance with the new requirements under CPRA and include the retention policy in the Privacy Policy.
Sharanya Mukherjee is a licensed lawyer, passionate about data protection, privacy, cybersecurity, and the law in general. In her role as an attorney at Allendevaux and Company, Sharanya provides organizations with data protection services and implements data protection programs. She can be contacted at: sharanya.mukherjee@allendevaux.com