The Past as Prologue: California Voters Approve CPRA as AG Proposes New CCPA Regulations
On November 3, 2020, California voters passed Proposition 24, the California Privacy Rights Act (CPRA). Crafted to address perceived gaps in the California Consumer Privacy Act (CCPA), the CPRA effectively calcifies the law by barring most changes to the CCPA. The CPRA will become effective five days after the California Secretary of State certifies the election results (Effective Date), and while the law will apply to personal information collected on or after January 1, 2022, most provisions become enforceable on January 1, 2023; amendments to the CCPA will be enforceable on July 1, 2023.
The CPRA aligns the CCPA even more closely with the EU General Data Protection Regulation (GDPR), granting new privacy rights to California consumers and imposing new obligations on companies – for example, requiring service providers to assist “businesses” to comply with their CCPA obligations – a requirement for processors under the GDPR.
Companies will welcome some changes, including extension of the employee and “B2B” exemptions and exclusion of certain information from the definition of personal information. Many other aspects of the CPRA, however, could force companies to upend their CCPA compliance programs, on which they have already spent significant resources. The ad tech industry appears to be particularly in the line of fire. All companies in the advertising ecosystem, including back-end providers of data-driven products and services, will have to carefully assess their business models in light of the CPRA’s changes and adapt their CCPA compliance strategies as needed.
The impact of the CPRA could be accelerated by modified CCPA regulations recently proposed (Proposed Regulations) by the California Attorney General (CA AG). Such a development could facilitate a more orderly integration of the two regimes and their shared policy goals. Now is the time to start planning and budgeting for the impending changes.
In Section I, this Dechert OnPoint summarizes the main provisions of the CPRA. Section II provides a brief overview of key provisions of the Proposed Regulations and offers takeaways for companies navigating California’s increasingly complex privacy regime.
Section I. The CPRA
A. Scope and Key Definitions
- Publicly Available Information: The CPRA expands the exclusion of “publicly available information” from the CCPA’s definition of personal information by adding information that is “lawfully made available to the public by the consumer or from widely distributed media.” Companies whose business models depend on processing publicly available information will be outside of the scope of the CCPA’s requirements for that information.
- Changes to the Definition of “Business”: The CPRA makes certain changes to the CCPA’s definition of “businesses” by (i) increasing the number of California residents (“consumers”) or households about which a business buys, sells, or “shares” personal information from 50,000 to 100,000; and (ii) removing “devices” from the calculation. Now, only the personal information of California consumers or households will be considered in evaluating what constitutes a “business”.
The CPRA also narrows the scope of activities to be considered when determining who qualifies as a business by removing “receiving” personal information from the list of relevant processing activities. Nonetheless, all “sharing” of personal information will be considered, rather than only information shared “for a commercial purpose.” This change suggests that information received in the ad tech supply chain will be scrutinized to determine if the recipients are acting as service providers or in effect, as businesses.
- Definition of “Personal Information”: The CPRA excludes from the definition of personal information “lawfully obtained, truthful information that is a matter of public concern,” reducing the exposure of media organizations to potentially problematic CCPA rights requests (for example, if a public figure were to request deletion to silence critics).
- Extension of Exemptions: On September 29, 2020, the Governor signed into law an amendment to the CCPA that extended the sunset of the employee and “B2B” exemptions from January 1, 2021 to January 1, 2022, in case the CPRA, with its similar extensions, was not approved by voters. With the passage of the CPRA, the exemptions are now extended to January 1, 2023. This will be a welcome development for companies that could rely on comparable GDPR exemptions for EU data but lacked similarly explicit exemptions under the CCPA.
- Clarification of the Gramm-Leach Bliley Act (GLBA) Exemption: The CPRA clarifies that the GLBA exclusion applies to personal information “subject to” the GLBA as opposed to personal information that is “processed, shared, sold or disclosed pursuant to the GLBA.”
- New Category of “Sensitive Personal Information”: The CPRA creates a new category, “sensitive personal information.” Data elements include Social Security, driver’s license, or passport numbers; financial account information; precise geolocation; and, tracking the GDPR, racial or ethnic origin, religious or philosophical beliefs, union membership, genetic data, biometric or health information, and information about sex life or sexual orientation, as well as the contents of mail, email, and text messages. Consumers will be empowered to limit use of their sensitive personal information (except for enumerated uses to be established in regulations). Business must comply with new disclosure requirements on website homepages with corresponding links to enable consumers to “limit” the use of their sensitive personal information.
New Consumer Privacy Agency; Higher Fines
The CPRA also makes changes to the CCPA’s enforcement regime and penalty provisions. Specifically:
- New Privacy Regulator: The CPRA establishes the California Privacy Protection Agency (Agency). The new Agency will implement and enforce the CCPA and issue guidance to consumers and companies on respective rights and obligations. The five-member board will be comprised of privacy, technology, and consumer rights experts appointed by the Governor, CA AG, California Senate Rules Committee and the Speaker of the Assembly.
- More Rulemaking Authority for CA AG: Effective five days after the election results are certified, the CA AG’s rulemaking authority and obligations will be expanded to include: (i) issuing regulations on the definition and use of sensitive personal information; and (ii) issuing regulations on the performance of required cybersecurity audits or risk assessments, similar to GDPR data protection impact assessments (DPIAs). Final regulations must be adopted by July 1, 2022. The CA AG’s rulemaking authority will transfer to the new Agency either on January 1, 2021 or six months after the Agency notifies the CA AG that it is prepared to begin rulemaking activities, whichever is later.
- Cure Periods No Longer Guaranteed: The CCPA’s 30-day cure period will be eliminated and replaced with a “case-by-case” approach. The new Agency will be authorized to offer companies an opportunity to cure and an opportunity for reduced fines and penalties in connection with violations of the law after taking into account such factors as the nature of the violation, evidence of good faith efforts to comply or willful non-compliance. The CCPA’s 30-day cure period for data breaches is preserved, with the caveat that implementing and maintaining “reasonable security practices” after a data breach has already occurred is neither a safe harbor nor a “cure”.
- Increased Fines & Easier Recovery: The civil penalty for CCPA violations will be replaced with an administrative fine. Amounts for the administrative fine will remain the same as the CCPA’s current amounts for the civil penalty (up to $2,500 per violation or $7,500 for each intentional violation), although fines for violating the CCPA’s opt-in-to-sale requirement for consumers under 16 years will be three times as high as the current penalty amounts (increased from $2,500 to up to $7,500 per violation).
B. California Consumers Get New GDPR Rights
As noted, the CPRA expands California consumers’ privacy rights.
- Right to Opt-Out of “Sharing” for Certain Digital Advertising: The CPRA adds a new right to opt out of sharing personal information with third parties. “Share” is defined as sharing, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating a consumer’s personal information to a third party for “cross-context behavioral advertising, whether or not for monetary or other valuable consideration.” “Cross-context behavioral advertising” includes targeted advertising based on prior browsing activity (i.e., behavioral advertising/retargeting).
This change will have two significant impacts: (i) it will clearly empower consumers to effectively remove themselves as targets of behavioral advertising/retargeting; and (ii) it clarifies that disclosures of personal information for behavioral advertising/retargeting are not a “sale” under the CPRA. This change offers long-awaited clarification on the issue and allows companies that engage in behavioral advertising/retargeting to fine-tune their disclosures and work toward addressing opt-out-of-sharing requests, reflecting that behavioral advertising/retargeting is “sharing” personal information, not “selling” personal information.
- Right to Correct: Consumers have a new right to correct inaccurate personal information, similar to the right to rectification under the GDPR. Businesses must implement reasonable data integrity protocols to ensure they do not collect, retain, or share inaccurate personal information.
- Modified “Access” Right: Businesses will be able to refuse access requests for information used for security purposes or that would expose trade secrets. This change is significant for companies that have been stymied by being unable to protect systems and company data under the CCPA, even though they already enjoy such exceptions under the GDPR.
C. New GDPR-Like Obligations for Businesses
The CPRA establishes other rights and obligations that are similar to those under the GDPR. For example:
- Automated Decision Making: Businesses will be required to disclose the role of automated decision making in certain instances, including when it is used to analyze or predict performance at work, economic status, health, personal preferences, interests, reliability, behavior, location or movements. The CA AG is required to issue regulations on consumers’ rights to access the information involved in automated decision making and to opt-out of automated decision making, including profiling. An unintentional consequence of these changes could be impediments to innovation involving such tools as AI, machine learning and modeling used for trend forecasting and to improve efficiency and productivity.
- Notices; Data Minimization; Proportionality: Companies will be required to implement data minimization, proportionality and retention limits, which are universally accepted fair information practice principles. Companies will also be required to provide notice of the reasons they collect personal information, how much they collect, and how long they retain personal information.
- Commercial Agreements: Businesses must enter into contracts with service providers and contractors that (i) state that personal information is sold or disclosed for limited and specified purposes; (ii) require the service provider or third party to provide at least the level of privacy protection required by the CCPA and to notify the business if it cannot; and (iii) enable businesses to audit third party, service provider, or contractor use of personal information and remediate unauthorized uses. Reflecting the GDPR’s processor-controller relationship, service providers and contractors will be required to (i) assist businesses in complying with their CCPA obligations, (ii) notify businesses when engaging subcontractors (e.g., sub-processors) to assist in the processing of personal information on behalf of the business, and (iii) enter into written contracts with such sub-processors binding them to the same service provider/contractor obligations under the CCPA. These provisions align the CCPA processor-controller framework even more closely to the GDPR than is currently the case.
D. Key Takeaways
The passage of the CPRA is a clear sign that consumer interest in controlling their personal information is at an all-time high. The CPRA intensifies the focus on the advertising ecosystem by adding new restrictions on collection, use and sharing of personal information among companies in the ecosystem.
Companies can start preparing by assessing whether the CPRA materially impacts business models and existing privacy compliance strategies. Companies that operate in the ad-tech space, including publishers, digital media companies, ad partners, SSPs/DSPs, trade desks and ad exchanges, should pay particular attention to the ways in which the CPRA could impact acquiring, pooling, processing and sharing of personal information, and should begin working with industry groups now to formulate a coordinated approach to common pain points.
Section II. CA AG’s Proposed Regulations to the CCPA
January 1, 2023 may seem distant. Until then, companies must comply with the CCPA and its implementing regulations (Final Regulations). As noted above, the landscape remains in flux due to the Proposed Regulations currently under review. The Proposed Regulations include the following notable changes: (i) requirements for delivering an opt-out notice when personal information is collected offline, (ii) requirements to make clear that it must be easy for consumers to submit requests to opt-out, and (iii) clarifications that enable businesses to require authorized agents to provide proof of authorization.
A. Notice of the Right to Opt-Out for Information Collected Offline
The Proposed Regulations establish standards for how businesses that collect personal information from consumers offline and sell that personal information must give consumers notice of the right to opt-out of such sale (Notice of Right to Opt-Out). The Proposed Regulations make clear that in such circumstances, a business must provide the Notice of Right to Opt-Out via an offline method that facilitates consumers’ awareness of that right, and they include illustrative examples of acceptable “offline” methods for providing such notice. For example, at brick-and-mortar stores, the notice could be printed on the paper forms where consumers’ personal information is collected or posted on a sign in the area where the information is collected. In each case, it would be permissible for the in-person notice to direct consumers to where the Notice of Right to Opt-Out can be found online. Businesses that collect personal information from consumers over the phone could provide the Notice of Right to Opt-Out orally during the call.
These changes would create a holistic framework for the way many companies acquire and process personal information. Companies that are accustomed to linking regulation with online data collection and use will want to carefully consider their offline sources of data and how to use their current methods for communicating with customers to comply with the Proposed Regulations.
B. Submitting Requests to Opt-Out Must be Easy and Require Minimal Steps
The Proposed Regulations would require businesses that sell personal information to implement opt-out methods that are “easy for consumers to execute” and “require minimal steps.” These methods cannot be “designed with the purpose” or have the “substantial effect” of subverting or impairing a consumer’s choice to opt-out.
Examples provided by the CA AG illustrate how businesses can meet these standards. The level of granularity is reflected in the requirement that the number of steps a consumer must go through to submit a request to opt-out cannot exceed the number of steps a consumer would have to go through to opt back in to the sale of their personal information (after having opted out):
- For opt-outs, the number of steps would be counted from when the consumer first clicks a business’s “Do Not Sell My Personal Information” link to the time when submission of the request is complete.
- Businesses would also need to avoid using confusing language, such as double negatives, when providing consumers with methods to submit requests to opt-out.
- Businesses would not be able to require consumers to “click through or listen to reasons why” they should not make an opt-out request before submitting one.
- Consumers could not be required to provide personal information that is not necessary to comply with a request in order to submit the request.
C. Authorized Agents May be Required to Provide Proof of Authorization
The Final Regulations currently allow businesses to require consumers to provide the business with signed permission before an authorized agent can submit a request to know or request to delete on the consumer’s behalf. The Proposed Regulations would delete this provision and instead include a provision that would permit businesses to require authorized agents to provide “proof” that the consumer gave the authorized agent signed permission to submit requests to know and requests to delete on behalf of the consumer.
D. Key Takeaways from the Proposed Regulations
In the near term, businesses will want to consider the Proposed Regulations in conjunction with the CPRA to assess where there may be common ground and the potential that the AG’s interpretation of the CCPA could be updated by the Proposed Amendments. In particular, businesses will want to:
- Review offline data collection (including over the phone, or via mail) of information belonging to California residents. If such information is sold, start thinking about how to deliver a Notice of Right to Opt-Out in an offline format;
- Review the language used in the Notice of Right to Opt-Out to ensure it is not misleading and consider now if it would be possible to implement a combined notice of right to limit sharing of sensitive data and right to opt out of sale (as the CPRA seems to permit);
- Revisit processes for submitting opt-outs and opt-ins to ensure that those processes would meet the requirements for ease, accessibility and “number of clicks” that are set forth in the Proposed Regulations, and begin thinking about modifications to the process if it does not meet the proposed standards; and
- Consider whether the company is positioned to revise its public-facing CCPA disclosures if the Proposed Regulations are adopted.
As seen with California’s early adoption of its data breach law, “as goes California, so goes the country.” As a result, the CPRA, in addition to having already influenced state law, is likely to influence comprehensive federal privacy legislation put forward by the newly elected Biden administration. Therefore, companies will want to stay informed and remain agile in their approaches to complying with California’s evolving privacy legal landscape. We will provide further updates as the status of the Proposed Regulations and the scope and impact of the CPRA come into sharper focus.