January 27, 2021
The California Consumer Privacy Act (CCPA) has been the most important general consumer privacy law in the United States since it was passed in 2018. Although it has only been in effect since January 2020, California voters last November approved the California Privacy Rights Act (CPRA), a ballot initiative that significantly amends the CCPA. What changes were made to the law? How (and when) do businesses need to comply with them?
Substantive Amendments to the CCPA
The CPRA makes a number of changes to the CCPA that become effective on January 1, 2023, and enforcement actions can begin in July of that year. While this may seem a long way off, experience with the implementation of the CCPA’s original requirements teaches that compliance takes significant planning and testing, so businesses should start preparing sooner rather than later.
One of the thresholds that triggers CCPA compliance obligations—the number of California consumers whose data the business processes—has been increased from 50,000 to 100,000, and now only includes consumers whose personal information businesses buy, sell, or share, not merely receive. The definition of “personal information” has also been clarified to not include publicly available information that consumers share about themselves or “lawfully obtained, truthful information that is a matter of public concern.” There will also be a new category of “sensitive personal information” subject to specific limitations, opt-out rights, and disclosure requirements.
The CPRA creates a few new consumer rights—which means it also creates new obligations on businesses. In addition to the rights to access and delete personal information, California residents will now be able to have businesses to correct inaccurate data. Additionally, businesses will need to disclose in their privacy policies how long they retain each category of personal information they collect. And to address concerns about data disclosures for contextual advertising, the CPRA extends the CCPA’s opt-out right to apply to any “sharing” of personal information, not just “sales” of such data.
Contractual terms with third parties will also need to be updated when the CPRA takes effect. For example, service providers will be required to notify their business customers of any subprocessors they engage. Service providers and contractors will also now be prohibited from combining personal information they receive from different businesses (for example, a CRM provider could not take the contact data collected by one customers and combine it with data collected from another customer to create a more comprehensive contact database).
The CPRA Creates a New State Privacy Agency
One of the most significant changes the CPRA makes is that it creates a new state agency, the California Privacy Protection Agency (CPPA), tasked with investigating violations of the law and bringing enforcement actions. Previously, the CCPA could only be enforced by the CA Attorney General, who had relatively few resources to devote to privacy issues. The CPPA, on the other hand, will have an annual budget of ten million dollars and focus exclusively on privacy-related matters. This will no doubt increase the scope of government investigations and enforcement, meaning that businesses will need to be even more vigilant about complying with the law. As before, there is still no private right of action for violations of the CCPA, except for certain data breaches.
The CPRA also directs the California Privacy Protection Agency to issue new regulations in a number of areas, including data minimization, automated decision-making, profiling, risk assessments, annual cybersecurity audit requirements, and “dark patterns.” This regulation process is something to keep an eye on—as businesses learned when the AG’s CCPA regulations in 2020 added significant details regarding how to implement the law’s many requirements. The new regulations must be finalized by July 1, 2022.
Need help complying with the CPRA?
Schedule a free demo with SixFifty. We can help your organization comply with the CCPA, the new CPRA, the GDPR, and more.
Written by Marie Kulbeth
Marie Kulbeth is a Co-Founder and General Counsel of SixFifty, and the co-director of BYU LawX, a legal design lab dedicated to solving access to justice problems. She works to make the law straightforward for everyone, regardless of education level or income. Marie keeps her passion for equitable, accessible legal services at the forefront of her career. Her role as...
Full Bio and other articles by Marie Kulbeth
About The Author: Marie Kulbeth
Marie Kulbeth is a Co-Founder and General Counsel of SixFifty, and the co-director of BYU LawX, a legal design lab dedicated to solving access to justice problems. She works to make the law straightforward for everyone, regardless of education level or income.
Marie keeps her passion for equitable, accessible legal services at the forefront of her career. Her role as General Counsel allows her to field-test SixFifty’s products to ensure they’ll work for customers.
Education and Experience
Marie attended Brigham Young University, and spent most of her undergrad studying International Politics and Development. It was during a field study in South Africa that she first decided to become a lawyer. As she researched the new South African constitution and worked with community organizers, Marie became fascinated with the development of the rule of law and how it in turn fosters economic development.
After undergrad, she attended BYU Law, where she continued focusing on improving equity, specifically through access to justice. She spent time interning with a nonprofit at the Human Rights Council in Geneva and with the United Nations International Tribunal for the Rwandan Genocide. At home, she interned with Catholic Charities, focusing on supporting asylum cases. Marie’s work with communities and governments across the globe broadened her understanding of how the law can either uplift or further harm underserved populations.
After law school, Marie worked as a judicial law clerk for the US Fifth Circuit Court of Appeals. She then practiced commercial litigation in Salt Lake City before returning to BYU Law, where she became an Assistant Dean. During her time at BYU Law, Marie built a diversity recruiting program and a storytelling program. Although she has left academia, she continues to keep a hand in by teaching a legal design class at BYU Law School and an undergraduate international politics class that focuses on development and diplomacy at BYU’s Kennedy Center. Both courses help students increase their community engagement and use their skills to create change.
Achievements with SixFifty
Marie’s work with both SixFifty and LawX focuses on making the law less complicated and
more equitable for both companies and individuals.
Marie’s legal specialty is privacy. She has additional focus areas in legal technology; diversity, equity and inclusion; employment; and compliance. She enjoys the opportunity to build products with the legal product team, including pro bono products. This allows her to work with communities she cares about – and complements the work she continues to do at BYU.
With Marie’s guidance and experience, SixFifty is able to offer privacy products that allow even small companies to easily comply with global privacy restrictions. Her passion for making the law accessible to everyone is evident in our pro bono products, which help individuals access free legal help for common issues.
Get to Know Marie
When she’s not helping to advance SixFifty’s mission, Marie travels whenever she can. Keep your eyes open and you may find her anywhere in the world – one of her favorite trips was a seven-day motorbike tour of northern Thailand. She especially loves to canyoneer in southern Utah and explore wilderness areas.
Marie also continues her community development and education work. She is on the board of several nonprofits, including one that runs primary schools in South Sudan and the Utah Tribal Relief Foundation. She recently joined the board of the Mountainland Association of Governments, which focuses on making loans to entrepreneurs from underserved communities who lack access to traditional funding. She’s also a Model UN legend! She is the Executive Director of BYUMUN, Utah’s premier high school Model United Nations learning conference.
Marie loves podcasts and will nerd out on anything related to the law, the history of the English language, and anything done by the people at Radiolab.
Bar Licensed
Utah
More posts by Marie Kulbeth