In 2018, the state of California passed the California Consumer Privacy Act (CCPA), a piece of legislation designed to spell out and enforce consumer privacy rights. Less than a year after the CCPA took effect, Californians voted in favor of Proposition 24, which created more robust, comprehensive privacy protections: the California Privacy Rights Act (CPRA). This more recent act will update, amend, and extend the previous legislation.
The CPRA will also create the California Privacy Protection Agency (CPPA), an agency whose job includes investigating possible violations and enforcing the law. The CPPA will begin enforcing the CPRA’s provisions on July 1, 2023.
If you had to read the first two paragraphs again to make sure you got all the acronyms right, you’re probably not alone. Just to review: the CCPA is the 2018 legislation, the CPRA is the 2020 law that expands it, and the CPPA is the agency that will enforce the CPRA.
As we wait for the CPRA to take effect, it’s helpful to know what to expect. While many questions remain regarding the CPRA, SixFifty is here to provide you with what we do know and help your business start preparing now.
New Privacy Rights
First, you should start preparing for extended privacy rights granted by the CPRA in addition to the privacy rights already covered by the CCPA. These include the following:
- If a business holds inaccurate personal information about someone, the CPRA allows consumers to ask that the information be corrected.
- Previously, the CCPA allowed consumers to opt out of the selling of their private information. The CPRA expands this to include sharing as well. “Sharing” is defined generally as disclosing personal information for purposes of targeted advertising.
- Consumers must be able to limit the use and disclosure of their sensitive personal information, including restricting businesses from disclosing their information to third parties. More information on exactly what constitutes “sensitive personal information” is provided below.
Sensitive Personal Information
Next, you should determine whether you process any sensitive personal information. This includes:
- Identification like social security, driver’s license, or passport numbers
- Bank accounts and debit or credit card numbers (along with any security information needed to access the account)
- Precise geolocation data
- Religious or philosophical beliefs
- Racial or ethnic background
- Union membership
- The contents of someone’s mail and text messages (unless they’re addressed to your business, of course)
- Genetic data
If you use any of the above information, the CPRA may require you to perform an annual cybersecurity audit and submit regular risk assessments about the processing of that information.
Automated Decision-Making Technology
You should also start identifying any automated decision-making processes you currently use.
That’s because the new privacy rights granted by the CPRA include the right to opt out of automated decision-making technology. As the name implies, this is the process of making a decision without human involvement, and it includes “profiling,” in which an automated process uses a person’s personal information to predict that person’s behavior.
The CPRA will also authorize consumers to request both information about the logic involved in these decision-making processes and a description of what outcomes the process might predict.
Enforcement
What happens if you don’t comply with the provisions listed above? While we don’t yet know much about CPRA enforcement, we can make educated inferences based on what we know about how enforcement worked under the previous legislation.
Under the CCPA, enforcement begins when the California Office of the Attorney General (OAG) sends a notice of alleged noncompliance, after which a business has 30 days to correct the issue or show compliance before the OAG initiates any action (i.e., sues the offending business). These compliance issues include the following:
- Lack of a “Do Not Sell My Personal Information” link
- Lack of CCPA request methods
- Failing to give notice to consumers at the time of collection
- Failure to disclose the sale of personal information
- Non-compliant service provider contracts
- Issues with minors’ privacy
- General non-compliant privacy policies
The penalty for non-compliance under the CCPA includes civil penalties of up to $7500 for each violation in a lawsuit by the OAG. Other violations carry a $2500 fine.
What’s next?
One of the themes of this post has been the fact that there’s still a lot about the CPRA that we don’t know. In particular, the CPPA will issue regulations on the above topics over the next year. You can begin preparing right now, based on the information you do have, and SixFifty can help you comply with new regulations as they become clear.