Californian privacy law is about to change once again thanks to the California Privacy Rights Act (CPRA), which will become fully enforceable on 1st July 2023.
The current law is set out in the California Consumer Privacy Act (CCPA) which has been in force since 1st July 2020. CCPA regulates the processing of California consumers’ personal data, regardless of where a company is located. It provides broader rights to consumers, and stricter compliance requirements for businesses, than any other US state or federal privacy law.
Like the EU General Data Protection Regulation (GDPR), CCPA is about giving individuals control over how their personal data is used by organisations. It requires transparency about how such data is collected, used and shared. It gives Californian consumers various rights including the right to:
- Know and access the personal data being collected about them
- Know whether their personal data is being sold, and to whom
- Opt out of having their personal data sold
- Have their personal data deleted upon request
- Avoid discrimination for exercising their rights
CPRA is not a new law; it amends the CCPA to give Californians even more control over their personal data. The key provisions include:
- Changing the CCPA’s definition of Personal Information
- Creating a new data category called “Sensitive Personal Information” similar to Special Category Data under GDPR
- Changing the scope of the CCPA
- Adding new rights e.g. to correct inaccurate information and to limit use and disclosure of sensitive personal information
- Shifting the regulatory area of focus towards behavioural advertising
- Adding additional requirements for businesses (closely modelled on the GDPR Data Protection Principles), namely data minimisation, purpose limitation and storage limitation
- Expanding the CCPA’s current consent requirements to include where, amongst others, a business is selling or sharing personal information after a user has already opted out and when selling or sharing the personal information of minors
Whilst becoming fully enforceable on 1st July 2023, CPRA has a 12-month “lookback period”, so its new rights apply to personal information collected from 1st January 2022.
Until recently, CCPA did not have a dedicated regulator like the Information Commissioner in the UK. It was primarily enforced by the Office of the Attorney General through the courts, although consumers also have a private right of action in respect of a security breach. The courts can impose fines for breaches of CCPA depending on the nature of the breach:
- $2,500 for an unintentional breach and $7,500 for an intentional breach
- $100-$750 per incident per consumer, or actual damages if higher, for damage caused by a security breach
CPRA establishes the California Privacy Protection Agency (CPPA) which has the authority to investigate potential breaches and violations, and to draft enforcement regulations. It has produced new CPRA Regulations providing rules on service provider contracts, dark patterns, and the recognition of “global opt-out” browser signals.
While the CCPA fines and damages may appear relatively low, it is important to note that they are per breach. A privacy incident can affect thousands or tens of thousands of consumers, in which case it could cost a company hundreds of thousands or even millions of dollars. In the first three years of the CCPA’s existence, 320 lawsuits have been filed in 28 states according to a report by Akin, a US law firm. It found that:
- More than 80% of CCPA lawsuits in 2022 corresponded to a breach notice filed with the California Attorney General’s Office, and businesses that report a data breach to the AG’s office have about a 15% chance of facing subsequent consumer litigation.
- Breaches affecting at least 100,000 people accounted for 56% of lawsuits in 2022 stemming from data breaches.
- Financial services companies accounted for 34% of cases in 2022, by far the highest rate of any industry. Medical services and software/technology each comprised 13%.
All US-based businesses, as well as those elsewhere that process Californian residents’ personal information, need to consider how CPRA will impact their data management and start the implementation process immediately. People are more concerned than ever about what is happening to their personal data, as a result of recent media headlines concerning the exploitation of personal data by AI and social media companies.
Ibrahim Hasan will be speaking about the CCPA and CPRA at the MER Information Governance Conference in Chicago in May.
Interested in US privacy law? Check out our US privacy programme.