Voters in California approved Proposition 24, which updates the California Consumer Privacy Act (“CCPA”) just a few months after the landmark regulations implementing the privacy law went into effect. As we have previously explained, the California Privacy Rights Act (“CPRA”) will change the existing CCPA requirements in a number of ways, including limiting the sharing of personal information for cross-context behavioral advertising and the use of “sensitive” personal information, as well as creating a new correction right. It also establishes a new agency to enforce California privacy law. The key provisions of the bill will not go into effect until January 1, 2023, providing much-needed time to clarify the details and for businesses to adjust their CCPA compliance approaches to account for the additional requirements.
Here are a few key issues to watch now that the CPRA has passed:
- Additional regulations are coming. The CPRA amends the text of the CCPA in a number of places, but many of the key details will be defined through future regulation. Among other things, the CPRA requires the adoption of regulations defining a number of terms in the statute; establishing rules governing the right of correction; establishing technical requirements for a global opt-out preference signal and other opt-out mechanics; and determining when service providers and contractors (a new category of entity defined in the CPRA) can use personal information pursuant to written contracts for their own business purposes. This further rulemaking activity will be in addition to the ongoing, further round of rulemaking pending at the Attorney General’s office.
- A great deal depends on the new California Privacy Protection Agency. The CPRA creates a new agency to implement and enforce the law. How the CPRA will be interpreted and enforced will depend significantly on who makes up the five-member board of the new agency. Two of these seats (including the Chair) will be appointed by the California Governor, and each of the remaining seats will be appointed by the Attorney General, Senate Rules Committee, and Speaker of the Assembly respectively. These positions should be filled in about 90 days.
- There are some key differences between the CPRA and the existing CCPA. Although the CPRA makes a number of other changes, here are some of the key areas to watch:
  - Sensitive personal information: The CPRA creates a new category of “sensitive personal information” that covers (among other things) precise geolocation information, the contents of a consumer’s communications, and health information (to the extent not covered by HIPAA or other related exemptions). Consumers can limit a business’s use of sensitive personal information to uses that are “necessary to perform the services or provide the goods,” and a business may post a “Limit the Use of My Sensitive Personal Information” button on its website to effectuate that opt-out. Service providers and contractors will be required to comply with limitations as long as they (1) are notified by the business and (2) have actual knowledge that they are processing sensitive personal information. Notably, the heightened requirements do not apply to publicly available information or sensitive personal information that is not collected or processed for the purpose of “inferring characteristics” about a consumer.
  - Sharing personal information for cross-context behavioral advertising: The CPRA imposes disclosure and opt-out obligations for personal information that is shared for purposes of cross-context behavioral advertising. This opt-out extends the CCPA’s opt-out right for the sale of personal information. Specifically, the CPRA defines “share” to include sharing, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating a consumer’s personal information for cross-context behavioral advertising, “whether or not for monetary or other valuable consideration, including transactions between a business and third party for advertising for the benefit of a business in which no money is exchanged.”
  - Contractors: The CPRA defines “contractors” as a new regulated entity in addition to “businesses,” “service providers,” and “third parties.” In general, contractors appear to have similar obligations under the CPRA as service providers, and are subject to similar contractual restrictions. But a contractor (1) must certify that it understands and will comply with contractual restrictions and (2) is not explicitly obligated to process personal information on behalf of a business. We expect that the differences between contractors and service providers will be further defined through a future rulemaking.
  - Dark patterns: The CPRA states that any “agreement obtained through use of dark patterns does not constitute consent.” The bill’s definition of dark patterns—“a user interface designed or manipulated with the substantial effect of subverting or impairing user autonomy, decision-making, or choice, as further defined by regulation”—is unclear and could be the subject of significant debate in the future.
With the CCPA regulations taking effect only a few months ago, businesses now will likely have to further overhaul their processes to address the different obligations imposed by the CPRA before the substantive legal requirements become operative on January 1, 2023.