United States: The California Privacy Rights Act and new California Privacy Protection Agency

In brief

Californians recently voted to create the California Privacy Protection Agency and pass sweeping changes to the California Consumer Privacy Act of 2018 (CCPA) through the California Privacy Rights Act.[1] Most of these changes become effective 1 January 2023 and some have a one-year look-back to 1 January 2022.[2] The California Attorney General's Office has been actively enforcing the CCPA since July 2020[3] and will continue to have enforcement powers alongside the California Privacy Protection Agency under the amended CCPA. Meanwhile, the California Privacy Protection Agency will update the existing CCPA regulations and adopt new ones. Companies around the world with business ties to California must continue to comply with the CCPA and prepare for new requirements under the amended CCPA and its regulations.


In more detail

Who and what data is protected?

The California Privacy Rights Act changed the range of applicability of the CCPA only slightly. The amended CCPA protects "personal information," defined broadly to include any information that relates to a particular California resident or household. Excluded from the definition are aggregate, deidentified and publicly available information,[4] and lawfully obtained, truthful information that is a matter of public concern.[5] CCPA exceptions that currently apply to the processing of personal information in the B2B and HR contexts will expire 1 January 2023. The California Privacy Rights Act also states that it "shall prevail over any conflicting legislation enacted after 1 January 2020" and that any conflicting legislation "shall be null and void … regardless of the code in which it appears," thus possibly invalidating the health-information related exemptions that the California Legislature added in September 2020.[6]

Who Must Comply?

A business anywhere around the world has to comply with the amended CCPA if it does business in California, operates for profit, determines the purposes and means of data processing, and exceeds one of three revenue/information processing thresholds, or if it is a parent or subsidiary of an entity that meets those requirements and the two use a common brand. The first threshold is whether the business has annual gross revenues of USD 25 million or more, the second threshold is whether the business derives 50% or more of its annual revenue from "selling" or "sharing" California residents' personal information,[7] and the third threshold is whether the business annually buys, sells or shares the personal information of 100,000 or more California residents or households. The CCPA also includes requirements on service providers and contractors that process personal information on behalf of businesses, and third parties to whom a business sells or shares personal information.

How to Comply?

In addition to complying with existing obligations under the CCPA, businesses have to address new or changed requirements under the amended CCPA. Here are some key recommendations.

  1. Revise data processing, sharing and selling agreements. The California Privacy Rights Act prescribes certain types of clauses that will have to appear in agreements between parties exchanging personal information. The clauses touch on a variety of subjects, such as audit rights and obligations to process personal information for specified purposes only. Companies should start broaching these requirements with their business partners soon if they have not already, given the time needed to negotiate contracts.
  2. Consider making strategic changes to business activities to reduce compliance obligations. For example, because the amended CCPA strictly governs selling and sharing personal information, companies may benefit from concerted efforts to avoid engaging in these activities. As another example, companies may wish to adopt deidentification protocols to take advantage of exceptions related to "deidentified" information.
  3. Develop internal protocols for personal information selling and sharing. Businesses are subject to special disclosure, consent and data processing requirements if they sell or share personal information. For example, they must enable California residents to opt out via a link posted on every webpage titled "Do Not Sell or Share My Personal Information." CCPA regulations currently require businesses that collect personal information online and sell personal information to treat user-enabled global privacy controls that signal a California resident's choice to opt-out of selling as a valid opt-out request. The California Privacy Protection Agency's regulations are expected to include similar requirements for sharing.
  4. Prepare for data minimization and deletion requirements. Under the amended CCPA, a business's collection, use, retention, and sharing of personal information must be reasonably necessary and proportionate to achieve the purposes for which the personal information was collected. To address these requirements, businesses should update their protocols to ensure, for example, that they delete personal information once it is no longer reasonably necessary to achieve the purposes for which it was collected.[8]
  5. Enable and process requests regarding "sensitive personal information." California residents will have the right to request that businesses stop using their "sensitive personal information" for purposes outside of providing requested goods and services and certain other narrow purposes. Businesses that process sensitive personal information outside of these purposes also have to post a link titled "Limit the Use of my Sensitive Personal Information" online, which they can combine with the "Do Not Sell or Share My Personal Information" link if applicable. "Sensitive personal information" includes certain prescribed categories of information, such as government identifiers, precise geolocation data, information on racial or ethnic origin, religious or philosophical beliefs, and the contents of a California resident's mail, email and text messages addressed to someone other than the business. 
  6. Update data subject request protocols and procedures. The amended CCPA establishes new data subject rights and changes existing rights. New rights include the right to correct inaccurate information and limit the use of sensitive personal information. Changes to existing rights include expanding the right of access to cover information collected over a broader period, and removing some exceptions that currently allow businesses to refuse deletion requests. 
  7. Update notices at collection and privacy policy. The California Privacy Rights Act expands the list of disclosures that must be included in a business's privacy policy and other notices. Businesses should consider preparing a privacy policy that is specific to the amended CCPA and separate from the general privacy policy they might use to address privacy laws in other jurisdictions, since California laws establish unique requirements and use unique terms that may be difficult to reconcile with those of other jurisdictions.
  8. Comply with requirements regarding processing minors' personal information. Selling and sharing the personal information of minors is subject to special requirements, such as requiring opt-in consent from the minor if they are between 13 and 15, or from their parent or guardian if they are 12 or under. Penalties under the amended CCPA are tripled for negligent violations regarding minors under the age of 16.
  9. Upgrade and document security measures. The amended CCPA will require all businesses to implement reasonable and appropriate security measures, and businesses whose processing of personal information presents significant risks to consumers' privacy or security to undergo cybersecurity audits and risk assessments. The California Privacy Protection Agency's regulations are expected to explain these requirements in greater detail. 
  10. Keep up to date. The California Privacy Rights Act leaves significant rulemaking authority with the California Privacy Protection Agency, and requires the agency to promulgate its regulations by 1 July 2022.

Sanctions and Remedies

The California Attorney General's Office and California Privacy Protection Agency will have the authority to bring civil and administrative enforcement actions, respectively, against alleged violators of the amended CCPA starting 1 July 2023.[9] The California Privacy Rights Act vests significant powers in the California Privacy Protection Agency, including to investigate violations, hold hearings, issue cease-and-desist orders, and impose administrative fines of up to USD 2,500 for each violation or up to USD 7,500 for each intentional violation. Currently, the CCPA requires the California Attorney General's Office to give a business a 30-day cure period before bringing enforcement actions. The California Privacy Rights Act will repeal this cure period, so the California Attorney General's Office and California Privacy Protection Agency will be able to bring enforcement actions without delay.

This article was originally published in the January 2022 edition of LegalBytes, which can be found here.


[1] For a more detailed analysis of the California Privacy Rights Act, please see The California Privacy Rights Act of 2020: A broad and complex data processing regulation that applies to businesses worldwide, Lothar Determann and Jonathan Tam, Journal of Data Protection & Privacy, Volume 4 / Number 1 / Winter 2020-21, available here (last accessed December 31, 2021).

[2] I.e., January 1, 2022 is the beginning of the period to which some of the new requirements apply. E.g., businesses subject to the amended CCPA have to explain on January 1, 2023 whether they "shared" California residents' personal information as of January 1, 2022. We outline the concept of "sharing" later in this update. 

[3] CCPA Enforcement Case Examples, State of California Department of Justice, available here (last accessed December 31, 2021).

[4] The California Privacy Rights Act expanded the definition of "publicly available" to bring it more in line with the everyday meaning of the term and cover not only information in public records, but also information that individuals freely make available.

[5] The CCPA also provides for statutory damages for security breaches. In this context, "personal information" only encompasses a prescribed list of relatively sensitive categories of information.

[6] AB-713 California Consumer Privacy Act of 2018 (2019-2020).

[7] The CCPA defines "selling" broadly as disclosing personal information "for monetary or other valuable consideration." The California Privacy Rights Act introduces the new term "sharing", defined as disclosing personal information for cross-context behavioral advertising.

[8] For general guidance on developing personal information retention protocols, please see How to Develop a Privacy-Enriched Data Retention Policy, Theo Ling and Jonathan Tam, Canadian Privacy Law Review, Volume 17, Number 8, July 2020, available here (last accessed December 31, 2021).

[9] For more information about the regulators' views on their enforcement powers, please see Experts Weigh in on California Privacy Rights Act Changes, Jonathan Tam, the Recorder, December 8, 2021, available at: https://www.law.com/therecorder/2021/12/08/experts-weigh-in-on-california-privacy-rights-act-changes/ (last accessed December 31, 2021).

Copyright © 2024 Baker & McKenzie. All rights reserved.