A Closer Look at the CPRA’s Expansion of Individual Privacy Rights
On election day this November, Californians passed the California Privacy Rights Act (“CPRA”), also known as CCPA 2.0, as a ballot initiative. We previously provided a high-level overview of the CPRA, here, but now that the initiative passed, it is time for a deeper dive into this new round of privacy laws headed for businesses subject to the CPRA. As a refresher, the CPRA takes effect on January 1, 2023, and will apply to all information collected by businesses on or after January 1, 2022, that are otherwise subject to the law.
In this issue we’ll take a look at the individual rights afforded to California residents under the CPRA, and in later issues we’ll examine the scope of the CPRA and the new enforcement arm of the CPRA, the California Privacy Protection Agency.
A cornerstone of the CPRA is the extension of greater control over personal information to California residents. These new or expanded rights include the following:
- Right to Prevent Storage of Personal Data for Longer than Necessary. Businesses must provide notice to consumers, at or before the time of collection, as to the length of time the business intends to store each category of personal information (and sensitive personal information) it collects. If this is not possible, a business must detail the criteria it uses to determine the period of retention, where businesses must not retain personal information longer than is reasonably necessary to carry out such disclosed purposes. This storage limitation is also bolstered by enhanced deletion rights, where in response to a consumer deletion request, a business must notify not only its services providers but third parties that have received or bought personal information from the business, to delete the personal information. This notification to third parties does have an exception for impossibility or disproportionate effort, however, the scope of this exception is not clear given the amount of knowledge businesses are required to maintain on third parties that receive or buy personal information from the business.
- Right to Opt Out of Advertisers Using Precise Geolocation Data. Consumers have the right to control a business’ use of their precise geolocation data. Precise geolocation data is data that is derived from a consumer’s device and can locate a consumer to within 1/3 of a mile from their current location, although this definition may be expanded per final regulations to account for areas where population density is low. This precise geolocation data is sensitive personal information, and as such is subject to all the rights pertaining to sensitive personal information, including a consumer’s ability to restrict use of the precise geolocation data to use by the business only for the purpose of providing goods and services to the consumer.
As we can see from the above, the CPRA builds on the foundation set by the CCPA to expand individual’s rights to their personal information. While the precise scope of some of these expansions is not yet clear, businesses subject to the CPRA should begin to assess modification to their current data collection and use for CPRA compliance.