The California Privacy Rights Act
-
• The CPRA broadly applies to you if your entity is a “business,” which is the same term used under the previous law (the CCPA). However, the thresholds for what qualifies as a “business” are different under the CPRA.
• An entity is considered a “Business” if it (1) operates for profit and does business in California; (2) collects California residents’ Personal Information (or has it collected on its behalf); (3) alone or jointly determines the purposes and means of processing that Personal Information; and (4) satisfies at least one of the following thresholds:
o Annual gross revenue of over $25 million in the preceding calendar year;
o Alone, or in combination, annually buys, sells, or shares the Personal Information of 100,000 or more consumers or households; or
o Derives 50% or more of its annual revenue from selling or sharing consumers’ Personal Information.
• It is important to note that the CPRA does not restrict a Business from complying with:
o Applicable law, court orders, or law enforcement requests;
o Law enforcement agency requests to not delete certain Personal Information if pursuant to an active investigation;
o Government agency requests for emergency access to Personal Information when a person is at risk of death or serious physical injury; or
o Evidentiary law.
• Additionally, Businesses are not restricted from using Personal Information in order to exercise or defend legal claims.
-
• Under the CPRA, “Personal Information” does not include Deidentified Information or Aggregate Consumer Information. Because the CPRA regulates only a Business’s collection, use, retention, selling, sharing, and disclosure of Personal Information, Deidentified Information and Aggregate Consumer Information fall outside its scope.
• “Deidentified Information” is information that cannot reasonably be used to infer information about, or otherwise be linked to, an identifiable consumer. For a Business to use Deidentified Information free of the CPRA’s restrictions, it must:
o Take reasonable measures to ensure the information cannot be associated with a consumer or household (i.e., that it is not reasonably linkable to a consumer);
o Publicly commit (e.g., in its privacy policy) to maintain and use the information only in deidentified form and not to attempt to reidentify it, except to test whether its own deidentification process works; and
o Contractually obligate any recipient of the Deidentified Information to comply with the same restrictions.
• “Aggregate Consumer Information” is information that relates to a group or category of consumers, from which individual consumer identities have been removed, and that is not linked or reasonably linkable to any consumer or household, including via a device. In practice, stripping names from records while retaining a persistent device identifier or precise location does not deidentify or aggregate them, because the records remain reasonably linkable to a consumer.
-
• The most basic step toward compliance with privacy laws, and often a business’s first, is building out a consumer-facing privacy policy.
• Under the CPRA, a Business must provide consumers notice, through its privacy policy, at or before the point at which Personal Information is collected. That privacy policy must include the following content:
o The categories of Personal Information collected and the purposes for which each category is collected and used;
o Whether the collected Personal Information is sold or shared;
o If the Business collects Sensitive Personal Information, the categories of Sensitive Personal Information collected and the purposes for which they are collected and used; and
o The length of time the Business intends to retain each category of Personal Information and Sensitive Personal Information OR, if that is not reasonably possible to determine, the criteria used to set the retention period.
-
• Tied to the retention disclosure above, a Business is required to adopt data minimization principles. Personal Information and Sensitive Personal Information may be retained only as long as is reasonably necessary for the purpose(s) disclosed to the consumer in the privacy policy.
• Additionally, a Business’s collection, use, retention, and sharing of Personal Information or Sensitive Personal Information must be reasonably necessary and proportionate to achieve the purposes disclosed to the consumer in the privacy policy.
• In short, a Business’s consumer-facing information practices must begin and end with what is disclosed in the privacy policy. Collecting additional categories of Personal Information, or using it for purposes incompatible with those disclosed, requires fresh notice to the consumer and, under the California Privacy Protection Agency’s regulations, the consumer’s explicit consent.
-
• The principle of purpose specification and purpose limitation is intrinsically tied to the notice that the CPRA requires a Business to provide its consumers.
• A Business cannot collect additional categories of Personal Information, or use Personal Information for additional purposes that are incompatible with the purpose(s) disclosed in the privacy policy and for which the Personal Information was originally collected, without first providing the consumer with notice.
• The same rule applies to Sensitive Personal Information: a Business cannot use it for additional purposes that are incompatible with the purpose(s) disclosed in the privacy policy and for which it was originally collected.
-
• Under the CPRA, a consumer has the right to opt out of the selling or sharing of their Personal Information. This opt-out right is broad and gives the consumer substantial control over their Personal Information in two ways. First, the definition of selling is broad enough to include situations where no money changes hands. For example, if a Business discloses Personal Information to a third party in exchange for development work, modifications or improvements to existing technologies or services, or analytics, the Business may be selling Personal Information. Second, the CPRA adds a new category of activity called sharing, which covers the disclosure or transfer of Personal Information to a third party for cross-context behavioral advertising.
• Additionally, the CPRA grants the consumer a right to limit the use and disclosure of their Sensitive Personal Information to what is necessary. While not a complete opt out, this right can substantially limit a Business’s collection and use of Sensitive Personal Information. The consumer may, at any time, direct a Business to use Sensitive Personal Information only as necessary to perform the services or provide the goods reasonably expected by an average consumer who requests them, plus a short list of business purposes (such as ensuring security and integrity, or short-term transient use) that the law separately permits. Services and goods described in the privacy policy, especially those tied to the direct consumer-Business relationship, are likely to be “reasonably expected.”
• The right to limit the use or disclosure of Sensitive Personal Information does, however, have limits. First, Service Providers and Contractors are only required to limit Sensitive Personal Information pursuant to a written contract with the applicable Business, and only with respect to their direct relationship with that Business. Second, Sensitive Personal Information that is collected or processed without the purpose of inferring characteristics about the consumer is not subject to this right.
• Exercising Opt Outs
o A Business must provide a clear and conspicuous link on its internet homepage titled “Do Not Sell or Share My Personal Information” and, if the Business uses or discloses Sensitive Personal Information for purposes beyond those the law permits without a limit request, a link titled “Limit the Use of My Sensitive Personal Information.” Each link must lead to clear instructions and a process by which the consumer can exercise the applicable right. A Business may instead honor an opt-out preference signal sent by the consumer’s browser or device; the California Privacy Protection Agency’s regulations require such signals (for example, Global Privacy Control) to be honored as a valid opt-out in any event.
o Alternatively, a Business may use a single, clearly labeled link in place of the two links, provided that the page it leads to easily allows the consumer both to opt out of sale or sharing and to limit the use of their Sensitive Personal Information.
• Opt In Consent
o A Business must obtain affirmative opt-in authorization before selling or sharing the Personal Information of a consumer it actually knows is under the age of 16: from the consumer if the consumer is 13 to 15, and from a parent or guardian if the consumer is under 13. Further, once any consumer has opted out, the Business must refrain from selling or sharing that consumer’s Personal Information for at least 12 months before requesting the consumer’s authorization again.
-
• The CPRA creates a new subset of Personal Information called Sensitive Personal Information. Information falling within this subset receives additional protection, and a Business’s collection, use, retention, and ability to share such information is more tightly regulated by the CPRA.
• Sensitive Personal Information includes Personal Information that reveals a consumer’s:
o Social Security, driver’s license, state identification card, or passport number;
o Account log-in, in combination with any required security or access code, password, or credentials allowing access to the account;
o Financial account, debit card, or credit card number, in combination with any required security or access code, password, or credentials allowing access to the account;
o Precise geolocation;
o Racial or ethnic origin;
o Religious or philosophical beliefs, or union membership;
o The contents of mail, email, or text messages, unless the Business is the intended recipient of the communication; or
o Genetic data.
• Sensitive Personal Information also includes:
o Biometric information that is processed for the purpose of uniquely identifying a consumer;
o Personal Information collected and processed concerning a consumer’s health; or
o Personal Information collected and processed concerning a consumer’s sex life or sexual orientation.
-
• It is important to note that cookie identifiers are Personal Information under the CPRA. Personal Information is any information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household. Unique Personal Identifiers fall within that definition. A “Unique Personal Identifier” is a persistent identifier that can be used to recognize a consumer, a family, or a device linked to a consumer or family, over time and across different services. This includes device identifiers, IP addresses, cookies, beacons, pixel tags, mobile ad identifiers, customer numbers, and similar identifiers.
• Under the CPRA, a Business that discloses cookie identifiers to third-party providers (e.g., analytics and advertising vendors) for cross-context behavioral advertising is “sharing” Personal Information and must provide notice and an opt-out, just as it must when selling or sharing any other Personal Information. Disclosing the same identifiers to a Service Provider or Contractor under a compliant written contract is neither a sale nor a share, so the contractual status of each tag or pixel vendor determines whether the opt-out applies to it.
-
• The CPRA provides California consumers with the following rights:
o To know and access the Personal Information a Business collects about them;
o To delete the Personal Information a Business has collected from them;
o To opt out of the sale or sharing of their Personal Information;
o To not be discriminated against for exercising any of their rights under the CPRA;
o To correct inaccurate Personal Information a Business maintains about them; and
o To limit the use and disclosure of their Sensitive Personal Information.
• Responding to Requests
o To facilitate consumers’ rights under the CPRA, a Business is required to provide clear methods for exercising them. A Business that operates exclusively online and has a direct relationship with the consumer from whom it collects Personal Information only needs to provide an email address. Otherwise, the Business must provide at least two methods, one of which must generally be a toll-free telephone number; if the Business maintains a website, one of the methods must be available through that website. Whatever the methods are, they should be spelled out in the privacy policy so as to properly inform the consumer.
o Generally, a Business has 45 days to respond to a consumer request to exercise one of the above rights (e.g., access). That period may be extended once by an additional 45 days when reasonably necessary, taking into account the complexity and number of the requests, provided the Business informs the consumer of the extension within the initial 45-day period.
o In responding to requests, a Business must reasonably verify the request (i.e., confirm that the requester is the consumer the Personal Information is about, or that consumer’s authorized agent). A Business cannot require a consumer to create an account in order to make a request, but it may ask for identifying information to match against the Personal Information it already holds. Information collected for verification may be used only for verification. If a Business cannot reasonably verify a request, it is not obligated to act on it, but it should inform the requester that the request could not be verified.
-
• A Business whose processing of Personal Information presents a significant risk to consumers’ privacy or security must (1) perform an annual cybersecurity audit and (2) submit a risk assessment of that processing to the California Privacy Protection Agency on a regular basis. These are two distinct obligations: the statute requires the audit to be performed annually and the risk assessment to be submitted to the agency. When determining whether its processing of Personal Information poses a significant risk, a Business must consider:
o The size and complexity of the Business itself; and
o The nature and scope of its processing activities.
• The CPRA requires that the cybersecurity audit be thorough and independent. The risk assessment must identify whether the processing involves Sensitive Personal Information and must identify and weigh the benefits of the processing (to the Business, the consumer, other stakeholders, and the public) against the potential risks to consumers’ rights, with the goal of restricting or prohibiting any processing whose risks outweigh its benefits.
-
• Data mapping, in the privacy context, is the process of inventorying what Personal Information a Business collects, where it is stored and processed (which systems, servers, and vendors), how it flows between them, and to whom it is disclosed. The CPRA does not expressly require a Business to conduct data mapping.
• Practically, however, Businesses within the scope of the CPRA will need to conduct some form of data mapping in order to comply with various requirements of the law. For example, if a consumer exercises the rights of access and data portability and requests the specific Personal Information collected about them, the Business must know exactly what it has collected about that consumer and where that information resides. That is not practically possible without a data map.
• Another example of where data mapping is practically required is if a Business conducts risk assessments under the CPRA. To properly weigh the benefits and risks of information collection and processing, a Business must know exactly how much information they are collecting and exactly where that information is stored and/or processed. Without data mapping, that task becomes extremely difficult.
-
• The CPRA regulates two forms of disclosures a Business could make to third parties: selling and sharing.
• Selling includes selling, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating Personal Information to a third party. These activities are considered selling under the CPRA only if the Business receives monetary or other valuable consideration in return. A Business is not selling if:
o The consumer directed the Business to intentionally disclose Personal Information or to interact with a third party;
o The consumer exercised one of their rights under the CPRA and the Business must alert a third party of such; or
o The action is related to a merger, acquisition, bankruptcy, or other similar transaction.
• Under the CPRA, a Business’s disclosure of Personal Information to a Service Provider or Contractor for a business purpose is also not a “sale.” Such business purposes include:
o Auditing related to counting ad impressions and unique visitors, verifying the positioning and quality of ad impressions, and auditing compliance with those standards;
o Helping to ensure security and integrity, to the extent the use of Personal Information is reasonably necessary and proportionate to that purpose;
o Debugging to identify and repair errors that impair existing intended functionality;
o Short-term, transient use, including non-personalized advertising shown as part of the consumer’s current interaction with the Business, provided the Personal Information is not disclosed to another third party and is not used to build a profile of the consumer or otherwise alter the consumer’s experience outside the current interaction;
o Internal research for technological development and demonstration;
o Performing services on behalf of the Business, such as maintaining or servicing accounts, providing customer service, processing or fulfilling orders and transactions, processing payments, providing analytic services, or providing storage;
o Providing advertising and marketing services (other than cross-context behavioral advertising), provided that the Service Provider or Contractor does not combine the Personal Information of consumers who have opted out with Personal Information it receives from another source or collects from its own interactions with consumers; or
o Verifying or maintaining the quality or safety of a product, service, or device.
• Sharing, on the other hand, covers only disclosures in which the Business provides a consumer’s Personal Information to a third party for cross-context behavioral advertising. It is sharing whether or not the Business receives money or anything else of value in return.
• Cross-context behavioral advertising is targeted advertising based on a consumer’s Personal Information obtained from the consumer’s activity across businesses, distinctly branded websites, applications, or services other than the Business, website, application, or service with which the consumer intentionally interacts. A Business is not sharing Personal Information if:
o The consumer directed the Business to intentionally disclose Personal Information or interact with a third party;
o The consumer exercised one of their rights under the CPRA and the Business must alert a third party of such; or
o The action is related to a merger, acquisition, bankruptcy, or other similar transaction.
-
• The CPRA’s restrictions, and a consumer’s ability to exercise certain rights under the law, are intrinsically tied to a Business’s selling or sharing of Personal Information to a third party. However, Service Providers and Contractors are excluded from the CPRA’s definition of “third party,” so a compliant disclosure to either is neither a sale nor a share.
• A Service Provider is an entity that processes Personal Information on behalf of a Business and receives Personal Information for a business purpose pursuant to a written contract.
• A Contractor is an entity that a Business makes Personal Information available to for a specific business purpose(s) pursuant to a written contract.
-
• For a Business to establish a relationship with another as a Service Provider, a specific contract will need to be executed. The contract must prohibit:
o The selling or sharing of the Personal information;
o The retention, use, or disclosure of Personal Information for any purpose outside of the business purposes specified in the contract (that are also reasonably related to or spelled out in the privacy policy);
o The retention, use, or disclosure of Personal Information outside of the direct business relationship; and
o Combining the Personal Information received under the contract, with Personal Information from another Business or the Service Provider’s independent interactions with the consumer.
• Additionally, the contract must grant the Business the right to take reasonable and appropriate steps to ensure the Service Provider uses the Personal Information consistently with the Business’s obligations, and to stop and remediate unauthorized use. Under the California Privacy Protection Agency’s regulations, those steps may include ongoing manual reviews, automated scans, and assessments or technical/operational testing at least once every 12 months. The contract must also require the Service Provider to notify the Business if it determines it can no longer meet its obligations.
• If a Service Provider plans to engage subcontractors, the contract must require the Service Provider to notify the Business of each such engagement and to bind each subcontractor by a written contract with equivalent terms.
• For a Business to establish a relationship with another as a Contractor, a specific contract will need to be executed. The contract must prohibit:
o The selling or sharing of the Personal Information;
o The retention, use, or disclosure of Personal Information for any purpose outside of the business purposes specified in the contract (that are also reasonably related to or spelled out in the privacy policy);
o The retention, use, or disclosure of Personal Information outside of the direct business relationship; and
o Combining the Personal Information received under the contract with Personal Information from another Business or from the Contractor’s independent interactions with the consumer.
• Additionally, the contract must grant the Business the right to monitor or audit the Contractor’s compliance with the contract, and to take reasonable and appropriate steps to stop and remediate unauthorized use. Under the regulations, this may include assessments or technical/operational testing at least once every 12 months. Finally, the contract must require the Contractor to certify that it understands and will comply with the restrictions set forth in it.
-
• Under the CPRA, a Business must implement reasonable security procedures and practices, appropriate to the nature of the Personal Information it collects, to protect that information from unauthorized or illegal access, destruction, use, modification, or disclosure. What counts as “reasonable” scales with the sensitivity of the data: safeguards adequate for marketing preferences will not be adequate for Social Security numbers, account credentials, or precise geolocation. A failure to implement and maintain such safeguards is also what opens the door to the private right of action discussed below.
-
• The CPRA creates the California Privacy Protection Agency, which has both rulemaking and enforcement authority under the law.
• Consumers have a limited private right of action for data breaches involving certain categories of information. A consumer may sue when, as a result of the Business’s failure to implement and maintain reasonable security procedures and practices, unauthorized access and exfiltration, theft, or disclosure occurs of:
o Their nonencrypted and nonredacted Personal Information (as that term is defined in California’s data breach statute, Civil Code section 1798.81.5); or
o Their email address in combination with a password or security question and answer that would permit access to the account.
• Importantly, the CPRA eliminates the 30-day cure period that previously allowed a Business to correct a violation before an enforcement action could be brought; the California Privacy Protection Agency may consider a Business’s good-faith efforts to cure, but is not required to offer the opportunity before imposing a fine or penalty. The separate 30-day notice-and-cure step that a consumer must complete before seeking statutory damages under the private right of action remains in place.
• Fines & Penalties
o For data breach claims under the private right of action, plaintiffs can recover between $100 and $750 per consumer, per incident, or actual damages, whichever is greater.
o Administrative fines imposed through the California Privacy Protection Agency’s enforcement are capped at $2,500 per violation, or $7,500 per intentional violation or per violation involving the Personal Information of a consumer the Business actually knows is under the age of 16.
The Benesch Data Protection Team is composed of attorneys from the firm’s 3iP (Innovations, Information Technology and Intellectual Property), Healthcare, Labor & Employment, and Litigation Practice Groups.