In 2018, California passed the California Consumer Privacy Act (CCPA), a landmark bill in data privacy in the United States. The bill became effective on January 1st 2020, and after a lengthy regulation drafting process the final regulations were released on August 17th 2020. This required a number of organizations to revise their data collection and management processes for residents of California.
As notable as that law was, however, some felt it didn’t go far enough and that it had loopholes around concepts such as ‘sale’. With that in mind, a proposition obtained enough signatures to be included in the November 3rd election. It was approved by ballot, and the California Privacy Rights Act of 2020 (CPRA) will proceed to modify the CCPA and set the stage for the new privacy requirements in California (and, by extension, much of the rest of the USA).
Let’s look at some of the important aspects of this 53 page proposal. As always, I encourage brands to seek legal counsel when determining how and if this applies to you, and what actions, if any, you need to take. This will not cover all requirements you may be subject to.
Changing Terms
A few new term definitions are worth calling out.
One of the listed business purposes for collecting data is advertising:
Providing advertising and marketing services, except for cross-context behavioral advertising,
Note the cross-context advertising there. What an interesting term. Let’s see what it means.
“Cross-context behavioral advertising” means the targeting of advertising to a consumer based on the consumer’s personal information obtained from the consumer’s activity across businesses, distinctly-branded websites, applications, or services, other than the business, distinctly-branded website, application, or service with which the consumer intentionally interacts.
So basically, it is remarketing. Remarketing and related activities now require special consideration, and since the criterion is distinctly-branded websites, even if you own two websites, if they are different brands you can’t simply use the data one collected on the other unless the customer knows and agrees to it.
But what about agreement anyway?
“Consent” means any freely given, specific, informed and unambiguous indication of the consumer’s wishes by which he or she, or his or her legal guardian, by a person who has power of attorney or is acting as a conservator for the consumer, such as by a statement or by a clear affirmative action, signifies agreement to the processing of personal information relating to him or her for a narrowly defined particular purpose. Acceptance of a general or broad terms of use or similar document that contains descriptions of personal information processing along with other, unrelated information, does not constitute consent. Hovering over, muting, pausing, or closing a given piece of content does not constitute consent. Likewise, agreement obtained through use of dark patterns does not constitute consent.
Dark pattern is worth a special call out.
“Dark pattern” means a user interface designed or manipulated with the substantial effect of subverting or impairing user autonomy, decision-making, or choice, as further defined by regulation.
So no more being tricky or assuming intent. It has to be clearly defined.
It’s also worth mentioning what intentional interaction means in the context of this law.
“Intentionally interacts” means when the consumer intends to interact with a person, or disclose personal information to a person, via one or more deliberate interactions, such as visiting the person’s website or purchasing a good or service from the person. Hovering over, muting, pausing, or closing a given piece of content does not constitute a consumer’s intent to interact with a person.
So the law really wants you to be clear on this topic. I should note that willfully violating it results in a higher fine should the company come under investigation.
There are also expanded or new definitions for terms such as sensitive personal information that are worth a look, as the law makes a reasonable effort to be as clear as possible and cover all the bases in a way the CCPA previously did not.
Changing Intent
One of the biggest changes is that previously businesses would spend a lot of time on the definition of ‘sale’ when it came to whether they had to disclose those relationships or allow consumers to opt out. The CPRA settles this by replacing ‘sale’ with ‘sale or share’. So now businesses will need to disclose the categories of personal information obtained, the source they obtained it from, the business purpose for collecting it, and the categories of third parties with whom that information was disclosed. Likewise, the ‘Do Not Sell’ banner you see on websites now applies to opting out of data being sold or shared.
Telling Everybody
Previously, a consumer opting out may have caused a business to tell third parties to delete the information, but the law said nothing about contractors in service of the original business. This has been corrected.
Contractors and additional parties are required to give notice of any additional subcontractors, service providers, etc. that have access to the personal information in question. They are required to delete the data upon request unless this proves impossible or involves disproportionate effort. That last part is important, and is currently not defined.
Saying No
A business can refuse to delete personal information if it’s required for a few different reasons, such as:
- It’s required by law, or required for completing a warranty.
- To help ensure security, to the extent the use of the information is reasonably necessary and proportionate.
- To debug, in order to identify and repair errors that impair existing intended features.
- To exercise free speech (they can’t change what someone else is saying about them).
- To comply with the California Electronic Communications Privacy Act.
- To engage in public or peer-reviewed research that conforms to all other privacy laws, when deletion would render the research impossible or seriously impair it, provided the consumer had previously consented.
- To enable solely internal uses that are aligned with what the customer expects and are compatible with the context of the consent.
- To comply with a legal obligation.
Managing Risk
A business that collects personal or sensitive data will now be required to implement reasonable security procedures to protect that data from unauthorized access, destruction, use, or disclosure.
Of particular note: a data breach that exposes an email address paired with a password or security questions, resulting from a violation of the duty to maintain reasonable security, allows consumers to sue for between $100 and $750 per consumer per incident, or actual damages, whichever is higher.
While ‘high risk’ is not presently defined, the law goes on to state that businesses deemed high risk will be required to obtain a cybersecurity audit annually.
They must additionally submit, on a regular basis (still to be defined), a risk assessment that identifies and weighs the benefits resulting from holding on to that data. The new agency may then restrict such processing if the risks to the privacy of the consumer outweigh the benefits provided to the consumer.
Not seeking revenge for opting out
Consumers who opt out of data sharing or selling have additional protections: a company can’t deny services, provide a different level of quality, etc., and this extends to employees, applicants, or contractors.
However, it doesn’t prohibit a business from charging different prices or providing different quality of service, provided that the difference is reasonably related to the value provided by the business having access to the consumer’s data. A business can offer financial incentives for opting in, but the law requires that this be stated up front and that the consumer can opt out at any time. This section was part of what caused the ACLU and EFF to oppose the proposal.
Not nagging
If a consumer refuses to provide opt-in consent, then the business shall wait at least 12 months before requesting opt-in consent again.
More to come
A great deal about the agency approved to enforce the law, and even some other aspects of the law, are left to the California Attorney General to confirm or create. This is an exercise that will take place over the next two years and could ultimately change much of what is written above, as well as provide structure to things such as risk assessments and cybersecurity audits.
It’ll be interesting to see just how this pans out and what companies will be required to do as we get closer to Jan 1st, 2023. The only thing for sure is that businesses should add this as a roadmap ‘to do’ item and begin planning for how they’ll comply once the key dates in the law come into effect.