Client Alert: California Voters Set To Approve New Privacy Rights Act – 5 Things to Know

California voters are set to approve the California Privacy Rights Act of 2020 (CPRA). The CPRA is a new privacy law that significantly expands California residents’ privacy rights beyond those previously created by the California Consumer Privacy Act (CCPA). Below are the top five things to prepare for.

1.  Expands Right to Opt-Out of the Sharing of Personal Information

Under the CCPA, California residents currently have the right to opt-out of the sale of their personal information. The CPRA significantly expands the scope of this opt-out right to also include the right to opt-out of the mere sharing of their personal information. Unlike the CCPA, where the opt-out right was tied to a “sale,” the CPRA will allow consumers to opt-out of the sharing of their personal information even where the information isn’t shared for monetary or other valuable consideration.

2.  Creates New Right to Correct

The CPRA grants residents the right to correct inaccurate personal information held by a business. Any business that receives a request to correct inaccurate personal information must use “commercially reasonable efforts” to correct that inaccurate information. Service providers must assist the business in complying with requests to correct.

3.  Creates New Restrictions on the Use and Retention of Personal Information

The CPRA imposes several new limits on the use and retention of personal information. First, the CPRA allows California residents to limit the use and disclosure of their sensitive personal information by a business. The definition of “sensitive personal information” includes among other things, one’s social security number, driver’s license, state identification card, passport number, financial account, payment information, geolocation, racial or ethnic origin, union membership, religious beliefs, genetic data, biometric information, health information, sexual orientation, and in certain circumstances, email and text message content. Under the CPRA, a resident can direct a business to use sensitive personal information only when necessary to perform a service or provide a good requested by the consumer or as specifically permitted by the CPRA.

Second, like the European Union’s GDPR, the CPRA calls for the creation of regulations governing businesses’ automated decision‐making technology tied to access and opt‐out rights. The CPRA requires businesses provide an explanation about the logic involved in automated decision-making processes.

Finally, the CPRA requires businesses to inform consumers of the length of time the business will retain categories of personal information and sensitive personal information or the criteria used to determine that period. It further prohibits businesses from retaining personal information or sensitive personal information for longer than reasonably necessary, based on the disclosed purpose for collection.

4.  Expands Potential Liability for Data Breaches

The CCPA currently gives California consumers a private right of action if the consumer’s personal information is subject to a data breach. The CPRA notably expands this private right of action to include unauthorized access to, or disclosure of an “email address in combination with a password or security question and answer that would permit access to the account.” 

5.  Creates a New State Agency to Specifically Enforce Privacy Laws and Regulations

Under the CPRA, a new enforcement agency, the California Privacy Protection Agency (CPPA), will have rulemaking and enforcement authority to implement the CPRA. Under the CCPA, these powers are currently given to California’s Attorney General. This new agency will have rulemaking and enforcement powers, and the ability to impose administrative fines of up to $2,500 per violation.

The CPRA will become operative on January 1, 2022.  Given the impacts and challenges this new law poses, businesses should start preparing for compliance. For questions about the CPRA, assistance with your CCPA compliance program, or questions about privacy laws in general, please contact John Landolfi, Christopher Ingram, Christopher LaRocco, Sarah Boudouris, Gretchen Rutz, or your Vorys attorney.