Voters in California approved Proposition 24, which updates the California Consumer Privacy Act (“CCPA”) just a few months after the landmark regulations implementing the privacy law went into effect.  As we have previously explained, the California Privacy Rights Act (“CPRA”) will change the existing CCPA requirements in a number of ways, including limiting the sharing of personal information for cross-context behavioral advertising and the use of “sensitive” personal information, as well as creating a new correction right.  It also establishes a new agency to enforce California privacy law.  The key provisions of the bill will not go into effect until January 1, 2023, providing much-needed time to clarify the details and for businesses to adjust their CCPA compliance approaches to account for the additional requirements.

Here are a few key issues to watch now that the CPRA has passed:

  • Additional regulations are coming. The CPRA amends the text of the CCPA in a number of places, but many of the key details will be defined through future regulation.  Among other things, the CPRA requires the adoption of regulations defining a number of terms in the statute; establishing rules governing the right of correction; establishing technical requirements for a global opt-out preference signal and other opt-out mechanics; and determining when service providers and contractors (a new category of entity defined in the CPRA) can use personal information pursuant to written contracts for their own business purposes.  This further rulemaking activity will be in addition to the ongoing, further round of rulemaking pending at the Attorney General’s office.
  • A great deal depends on the new California Privacy Protection Agency. The CPRA creates a new agency to implement and enforce the law.  How the CPRA will be interpreted and enforced will depend significantly on who makes up the five-member board of the new agency.  Two of these seats (including the Chair) will be appointed by the California Governor, and each of the remaining seats will be appointed by the Attorney General, Senate Rules Committee, and Speaker of the Assembly respectively.  These positions should be filled in about 90 days.
  • There are some key differences between the CPRA and the existing CCPA. Although the CPRA makes a number of other changes, here are some of the key areas to watch:
    • Sensitive personal information: The CPRA creates a new category of “sensitive personal information” that covers (among other things) precise geolocation information, the contents of a consumer’s communications, and health information (to the extent not covered by HIPAA or other related exemptions). Consumers can limit a business’s use of sensitive personal information to those uses that are “necessary to perform the services or provide the goods,” and a business may post a “Limit the Use of My Sensitive Personal Information” button on its website to effectuate that opt-out.  Service providers and contractors will be required to comply with limitations as long as they (1) are notified by the business and (2) have actual knowledge that they are processing sensitive personal information.  Notably, the heightened requirements do not apply to publicly available information or sensitive personal information that is not collected or processed for the purpose of “inferring characteristics” about a consumer.
    • Sharing personal information for cross-context behavioral advertising: The CPRA imposes disclosure and opt-out obligations for personal information that is shared for purposes of cross-context behavioral advertising.  This opt-out extends the CCPA’s opt-out right for the sale of personal information.  Specifically, the CPRA defines “share” to include sharing, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating a consumer’s personal information for cross-context behavioral advertising, “whether or not for monetary or other valuable consideration, including transactions between a business and third party for advertising for the benefit of a business in which no money is exchanged.”
    • Contractors: The CPRA defines “contractors” as a new regulated entity in addition to “businesses,” “service providers,” and “third parties.”  In general, contractors appear to have similar obligations under the CPRA as service providers, and are subject to similar contractual restrictions.  But a contractor (1) must certify that it understands and will comply with contractual restrictions and (2) is not explicitly obligated to process personal information on behalf of a business.  We expect that the differences between contractors and service providers will be further defined through a future rulemaking.
    • Dark patterns: The CPRA states that any “agreement obtained through use of dark patterns does not constitute consent.”  The bill’s definition of dark patterns—“a user interface designed or manipulated with the substantial effect of subverting or impairing user autonomy, decision-making, or choice, as further defined by regulation”—is unclear and could be the subject of significant debate in the future.

With the CCPA regulations taking effect only a few months ago, businesses now will likely have to further overhaul their processes to address the different obligations imposed by the CPRA before the substantive legal requirements become operative on January 1, 2023.

Lindsey Tonsager

Lindsey Tonsager co-chairs the firm’s global Data Privacy and Cybersecurity practice. She advises clients in their strategic and proactive engagement with the Federal Trade Commission, the U.S. Congress, the California Privacy Protection Agency, and state attorneys general on proposed changes to data protection laws, and regularly represents clients in responding to investigations and enforcement actions involving their privacy and information security practices.

Lindsey’s practice focuses on helping clients launch new products and services that implicate the laws governing the use of artificial intelligence, data processing for connected devices, biometrics, online advertising, endorsements and testimonials in advertising and social media, the collection of personal information from children and students online, e-mail marketing, disclosures of video viewing information, and new technologies.

Lindsey also assesses privacy and data security risks in complex corporate transactions where personal data is a critical asset or data processing risks are otherwise material. In light of a dynamic regulatory environment where new state, federal, and international data protection laws are always on the horizon and enforcement priorities are shifting, she focuses on designing risk-based, global privacy programs for clients that can keep pace with evolving legal requirements and efficiently leverage the clients’ existing privacy policies and practices. She conducts data protection assessments to benchmark against legal requirements and industry trends and proposes practical risk mitigation measures.

Libbie Canter

Libbie Canter represents a wide variety of multinational companies on privacy, cyber security, and technology transaction issues, including helping clients with their most complex privacy challenges and the development of governance frameworks and processes to comply with global privacy laws. She routinely supports clients on their efforts to launch new products and services involving emerging technologies, and she has assisted dozens of clients with their efforts to prepare for and comply with federal and state privacy laws, including the California Consumer Privacy Act and California Privacy Rights Act.

Libbie represents clients across industries, but she also has deep expertise in advising clients in highly-regulated sectors, including financial services and digital health companies. She counsels these companies — and their technology and advertising partners — on how to address legacy regulatory issues and the cutting edge issues that have emerged with industry innovations and data collaborations.

As part of her practice, she also regularly represents clients in strategic transactions involving personal data and cybersecurity risk. She advises companies from all sectors on compliance with laws governing the handling of health-related data. Libbie is recognized as an Up and Coming lawyer in Chambers USA, Privacy & Data Security: Healthcare. Chambers USA notes, Libbie is “incredibly sharp and really thorough. She can do the nitty-gritty, in-the-weeds legal work incredibly well but she also can think of a bigger-picture business context and help to think through practical solutions.”