The California Consumer Privacy Act (CCPA) and the CPRA: What’s Changed? 

Californian privacy law is about to change once again thanks to the California Privacy Rights Act (CPRA) which will become fully enforceable on 1st July 2023. 

The current law is set out in the California Consumer Privacy Act (CCPA) which has been in force since 1st July 2020. CCPA regulates the processing of California consumers’ personal data, regardless of where a company is located. It provides broader rights to consumers, and stricter compliance requirements for businesses, than any other US state or federal privacy law. 

Like the EU General Data Protection Regulation (GDPR), CCPA is about giving individuals control over how their personal data is used by organisations. It requires transparency about how such data is collected, used and shared. It gives Californian consumers various rights including the right to: 

  • Know and access the personal data being collected about them 
  • Know whether their personal data is being sold, and to whom 
  • Opt out of having their personal data sold 
  • Have their personal data deleted upon request 
  • Avoid discrimination for exercising their rights 

CPRA is not a new law; it amends the CCPA to give Californians even more control over their personal data.  The key provisions include: 

  • Changing the CCPA’s definition of Personal Information 
  • Creating a new data category called “Sensitive Personal Information” similar to Special Category Data under GDPR 
  • Changing the scope of the CCPA  
  • Adding new rights e.g. to correct inaccurate information and to limit use and disclosure of sensitive personal information 
  • Shifting the regulatory area of focus towards behavioural advertising  
  • Adding additional requirements for businesses (closely modelled on the GDPR Data Protection Principles), namely data minimisation, purpose limitation and storage limitation 
  • Expanding the CCPA’s current consent requirements to include where, amongst others, a business is selling or sharing personal information after a user has already opted out and when selling or sharing the personal information of minors  

Whilst becoming fully enforceable on 1st July 2023, CPRA will have a 12 month “lookback period” applying to its new rights from 1st January 2022. 

Until recently, CCPA did not have a regulator like the Information Commissioner in the UK. It was primarily enforced by the Office of the Attorney General through the courts, although there is a private right of action for a security breach. The courts can impose fines for breaches of CCPA depending on the nature of the breach: 

  • $2,500 for an unintentional and $7,500 for an intentional breach  
  • $100-$750 per incident per consumer, or actual damages, if higher – for damage caused by a security breach.  

CPRA establishes the California Privacy Protection Agency (CPPA) which has the authority to investigate potential breaches and violations, and to draft enforcement regulations. It has produced new CPRA Regulations providing rules on service provider contracts, dark patterns, and the recognition of “global opt-out” browser signals. 

While the CCPA fines and damages may appear relatively low, it is important to note that they are per breach. A privacy incident can affect thousands or tens of thousands of consumers, in which case it could cost a company hundreds of thousands or even millions of dollars. In the first three years of the CCPA’s existence, 320 lawsuits have been filed in 28 states according to a report by Akin, a US law firm. It found that: 

  • More than 80% of CCPA lawsuits in 2022 corresponded to a breach notice filed with the California Attorney General’s Office, and businesses that report a data breach to the AG’s office have about a 15% chance of facing subsequent consumer litigation. 
  • Breaches affecting at least 100,000 people accounted for 56% of lawsuits in 2022 stemming from data breaches. 
  • Financial services companies accounted for 34% of cases in 2022, by far the highest rate of any industry. Medical services and software/technology each comprised 13%.

All US-based businesses, as well as those elsewhere who are processing Californian residents’ personal information, need to consider how CPRA will impact their data management and start the implementation process immediately. People are more concerned than ever about what is happening to their personal data as a result of recent media headlines concerning the exploitation of personal data by AI and social media companies. 

Ibrahim Hasan will be speaking about the CCPA and CPRA at the MER Information Governance Conference in Chicago in May.  

Interested in US privacy law? Check out our US privacy programme 

The State of US Privacy Law in 2023 

The United States is making substantial progress on privacy law. Six states have passed comprehensive data protection bills (with at least two more likely to follow) and five of these take effect throughout 2023.  

One of the most significant changes to US privacy law comes in the form of the California Privacy Rights Act (CPRA) which is fully enforceable from 1st July 2023. The CPRA makes several important amendments to the California Consumer Privacy Act (CCPA) which has been in force since 1st July 2020. 

Among other changes, the CPRA introduces a concept of “sensitive personal information”, which includes data about a consumer’s government ID numbers, account credentials, racial origin, religious beliefs, union membership, genetics, biometrics, health status, and more. It also provides several new rights for consumers, such as the right to correct inaccurate personal information and the right to limit the use and disclosure of sensitive personal information. 

CCPA’s “right to opt out” now explicitly allows consumers to refuse “cross-contextual advertising”, which involves combining personal information from different websites or apps to target people with ads. Most significantly, CPRA gives California its own privacy regulator, the California Privacy Protection Agency (CPPA). 

Beyond California 

Following in the footsteps of California, five US states have now passed broadly-applicable privacy legislation: 

These laws create new challenges for businesses operating in the US. They introduce data protection concepts more familiar to organisations complying with the EU General Data Protection Regulation (GDPR). More state privacy laws will likely take effect in coming years, with similar bills in Tennessee and Indiana awaiting governors’ signatures at the time of writing. Other bills, such as Washington’s as-yet unsigned My Health My Data Act, could also have a broad privacy impact. 

The new state laws generally apply across all sectors but only to businesses processing the personal data of at least 100,000 consumers—plus smaller companies that derive a given proportion of their revenue from selling personal data. Utah’s law also excludes any business generating under $25 million in annual revenues. But unlike the GDPR, they contain carve-outs for data processing covered by sectoral laws, such as the Health Insurance Portability and Accountability Act (HIPAA) and the Gramm-Leach-Bliley Act (GLBA). 

Consumer Rights 

Each of the new US state privacy laws provides new consumer rights, including:  

  • The right of access 
  • The right to delete 
  • The right to correct (except Utah and Iowa) 
  • The right to data portability 
  • The right to opt out of targeted advertising, the sale of personal data (except Iowa) and profiling in furtherance of legal or similar effects (except Iowa and Utah) 

Each law also imposes new rights around the processing of “sensitive data”, with Virginia, Colorado and Connecticut’s laws mandating GDPR-style consent, and Iowa and Utah requiring controllers to offer consumers an opt-out prior to collection. 

The consumer rights provided under these US privacy laws are somewhat narrower than the GDPR’s “data subject rights”. Consumers unhappy with a controller’s response must exhaust an internal appeals process before complaining to the state’s Attorney General. Controllers must respond to consumers’ requests within 45 days (compared to one month in the EU)—but, similarly to the GDPR, businesses must not charge a fee unless a request is “manifestly unfounded, excessive, or repetitive”. 

Controllers’ Obligations 

Drawing language from the GDPR, each of these new laws requires controllers to implement binding agreements with their processors. Much like California’s “service provider contracts”, controllers under these other state laws must contractually require processors to submit to audits, impose similar contracts on any sub-processors, and not share data received from the controller (with limited exceptions). 

Virginia and Connecticut’s new privacy laws require controllers to conduct “data protection assessments” in certain circumstances, including before engaging in targeted advertising, selling personal data, processing sensitive data, and other risky activities. Privacy bills currently under consideration in Tennessee and Indiana contain a similar requirement. These provisions were clearly inspired by the GDPR’s Data Protection Impact Assessments and require businesses to balance the benefits that could flow from a processing activity against the risks to consumers and the public, considering any relevant safeguards. 

FTC Enforcement 

The new US state privacy laws will have a major impact on companies operating in the US. But perhaps equally significant is recent enforcement action by the Federal Trade Commission (FTC) under existing laws. 

In February, the FTC enforced the Health Breach Notification Rule against the drug discount provider GoodRx, issuing a $1.5 million civil penalty and permanently banning the company from sharing health information for advertising purposes. In March, the FTC also settled for $7.8 million with remote therapy provider BetterHelp under the FTC Act—a consumer protection law that BetterHelp allegedly violated by promising not to share personal information and then doing so via pixels and other trackers. The FTC’s broad interpretation of “personal information” and “health information” in these cases—and its view that the unauthorised sharing of data with advertisers can be a “data breach”—suggests a trend of more robust privacy enforcement in the US. 

Towards a US Federal Privacy Law 

A comprehensive US federal privacy law could provide some clarity in this increasingly complicated patchwork of state and sectoral privacy laws. For the past two years, President Biden has advocated new privacy measures in his State of the Union address—focusing primarily on children’s privacy, but with a broader call this year to limit how tech companies collect personal information about everyone in the US. 

A federal bill, the American Data Privacy Protection Act (ADPPA) was introduced to the House of Congress last June. The ADPPA would apply to businesses and non-profits across all sectors, regardless of size.  

Among other provisions, the ADPPA would: 

  • Only allow the “reasonably necessary and proportionate” collection, use, and transfer of personal information. 
  • Require organisations to disclose how they collect, use, and share personal information. 
  • Provide consumers with rights to access, delete, and correct their personal information. 

The ADPPA would arguably impose much stricter requirements on businesses than the current tranche of state privacy laws. The bill failed to pass in last year’s legislative session. Opposition centred around the law’s potential to override state privacy laws, and the “private right of action”, which would allow individuals to sue non-compliant businesses. 

Biden’s call for improved privacy protections suggests that some version of the ADPPA could reappear in the US legislature this session. However, it is unclear whether the now Republican-controlled House will support a bill that significantly restricts business activity. 

Unless a federal law passes (and perhaps even if it does), businesses will continue to grapple with the various local and sectoral privacy laws passing across many US states. Either way, a long era of lax US privacy regulation seems to be coming to an end. 



The CCPA Becomes Enforceable on 1st July 2020 (and there is more to come!)


The California Consumer Privacy Act (CCPA) becomes fully enforceable on 1st July 2020. The Act regulates the processing of California consumers’ personal data, regardless of where a company is located. CCPA provides broader rights to consumers and stricter compliance requirements for businesses than any other state or federal privacy law.

Like the EU General Data Protection Regulation (GDPR), CCPA is about giving individuals control over how their personal data is used by organisations. It requires transparency about how such data is collected, used and shared. It gives Californian consumers various rights including the right to:

  • Know and access the personal data being collected about them
  • Know whether their personal data is being sold, and to whom
  • Opt out of having their personal data sold
  • Have their personal data deleted upon request
  • Avoid discrimination for exercising their rights

CCPA also requires that a security breach involving personal data must be notified to each individual it affects. It does not matter whether the data is maintained in or outside of California.

CCPA is often called the US equivalent of the EU General Data Protection Regulation (GDPR). Both laws give individuals rights to access and delete their personal information. They require organisations to be transparent about information use and necessitate contracts between businesses and their service providers. In some respects, however, the CCPA does not go as far as GDPR. For example, it only applies to for profit entities, it does not require a legal basis for processing personal data (like Article 6 of GDPR), there are no restrictions on international transfers and no requirement to appoint a data protection officer.

Enforcement

Unlike GDPR, CCPA does not have a regulator like the Information Commissioner in the UK. It is primarily enforced by the California Attorney General (AG) through the courts, although there is a private right of action for a security breach. The courts can impose fines for breaches of CCPA depending on the nature of the breach:

  • $2,500 for an unintentional and $7,500 for an intentional breach
  • $100-$750 per incident per consumer, or actual damages, if higher – for damage caused by a security breach

A business shall only be in breach of the CCPA if it fails to cure any alleged breach within 30 days after being notified of the same.

The AG has now published the final proposed CCPA Regulations. These have to be read alongside the Act. The accompanying Final Statement of Reasons provides some interesting insights into the AG’s views and potential positions on certain issues.

While the CCPA fines and damages may appear relatively low, it is important to note that they are per breach. A privacy incident can affect thousands or tens of thousands of consumers, in which case it could cost a company hundreds of thousands or even millions of dollars.

Two big US companies, Hanna Andersson and Salesforce, are already facing a class action lawsuit alleging CCPA violations. Both suffered a data breach that compromised the names, addresses, and credit card information of over 10,000 California residents, which were then sold on the dark web. The lawsuit claims the companies failed to protect consumer data, provide adequate security measures, safeguard their systems from attackers, and delayed notification of the breach.

During the coronavirus pandemic there has been an increased use of video chat and conferencing apps to stay connected. Both Zoom and Houseparty have class actions claiming that they failed to obtain consent from customers for the disclosure of their personal information to third parties like Facebook.

CCPA 2.0

There is more to come! The California State Assembly held a hearing on 12th June 2020 on the California Privacy Rights Act (CPRA) ballot initiative. Californians for Consumer Privacy, an advocacy group and the proponent of the 2018 ballot initiative that led to the enactment of the CCPA, has gathered more than 900,000 signatures to place the CPRA on the ballot in November of 2020. This is now looking very likely after Friday’s California Superior Court ruling although a deal could be struck to amend the CCPA in exchange for withdrawing the ballot initiative.

The CPRA (or an amendment to the CCPA) will further expand privacy rights of California consumers as well as compliance obligations of businesses, their service providers and contractors. It will, among other things, permit consumers to (1) prevent businesses from sharing (in addition to selling) their personal data; (2) correct inaccurate personal data about them; and (3) limit businesses’ use of “sensitive personal information,” known as Special Category Data under GDPR. This includes information about their race, ethnicity, religion, union membership and biometric data. The proposed law will prohibit businesses from collecting and using personal information for purposes incompatible with the disclosed purposes, and from retaining personal information longer than reasonably necessary. Readers with knowledge of GDPR will agree that this new law is even more like GDPR than the CCPA.

The CPRA will also establish a new California Privacy Protection Agency which will be tasked with enforcing and implementing consumer privacy laws and imposing administrative fines. If enacted CPRA will become operative on 1st January 2023 although its obligations would only apply to personal data collected after 1st January 2022.

A Federal Privacy Law?

CCPA represents the first real, comprehensive privacy legislation in the U.S. It will, no doubt, form the foundation for other state privacy regulations in the future, and quite possibly a U.S. federal privacy regulation. Nevada residents also now have more control over how their personal information is used. Senate Bill 220 went into law recently, giving consumers more ability to keep websites from selling their information to third-party firms. Proactive businesses are already treating CCPA as a de facto US privacy law. Recently Microsoft announced that it will apply the main CCPA rights to all its customers in the U.S.

CCPA’s impact will not just be felt by California-based businesses. Any business which processes personal data about Californian consumers needs to re-evaluate its privacy practices. With 40 million Californian residents, making up 12 percent of the US population, it is likely that most big businesses, wherever they are based, will have to comply with the CCPA. With substantial fines and penalties for breaches and a 6 month ‘look back’ period, now is the time to implement CCPA compliance measures.

Act Now has launched a US privacy programme covering everything US and international businesses need to know about CCPA and GDPR.
