
A Closer Look at the CPRA’s Expansion of Individual Privacy Rights

on Wednesday, 25 November 2020 in Technology & Intellectual Property Update: Arianna C. Goldstein, Editor

On election day this November, Californians passed the California Privacy Rights Act (“CPRA”), also known as CCPA 2.0, as a ballot initiative. We previously provided a high-level overview of the CPRA, but now that the initiative has passed, it is time for a deeper dive into this new round of privacy laws headed for businesses subject to the CPRA. As a refresher, the CPRA takes effect on January 1, 2023, and will apply to all information collected on or after January 1, 2022, by businesses that are otherwise subject to the law.

In this issue we’ll take a look at the individual rights afforded to California residents under the CPRA, and in later issues we’ll examine the scope of the CPRA and the new enforcement arm of the CPRA, the California Privacy Protection Agency. 

A cornerstone of the CPRA is the extension of greater control over personal information to California residents.  These new or expanded rights include the following:

  • Right to Correct Personal Data. Consumers have the right to request that a business correct inaccurate personal information held by the business. To facilitate this right, a business must disclose this correction right to the consumer in its privacy policy and provide mechanisms for the consumer to submit a request for correction, including by making such a request through the business’ website.
  • Right to Restrict Use of Sensitive Personal Data. Consumers have the right to more tightly control the use of their sensitive personal information. Sensitive personal information is an expansive subset of personal information and includes, among other categories, specific identification or financial account numbers, genetic information, and the processing of biometric information for identification of an individual. A business must both (1) provide notice to the consumer if it uses sensitive personal information for purposes other than providing the goods and services (or other permitted purposes), and (2) provide consumers a right to direct the business to limit use of the sensitive personal information only to provide the goods or services, or for another limited purpose permitted by the CPRA. Notably, sensitive personal information collected or processed by a business need not comply with the foregoing restrictions if it is not collected or used for purposes of inferring characteristics of the consumer. Additionally, sensitive personal information is otherwise subject to the same restrictions as other personal information under the CCPA, such as notice of collection in the privacy policy and opt-out rights.
  • Right to Prevent Storage of Personal Data for Longer than Necessary. Businesses must provide notice to consumers, at or before the time of collection, as to the length of time the business intends to store each category of personal information (and sensitive personal information) it collects. If this is not possible, a business must detail the criteria it uses to determine the period of retention; in either case, businesses must not retain personal information longer than is reasonably necessary to carry out such disclosed purposes. This storage limitation is also bolstered by enhanced deletion rights: in response to a consumer deletion request, a business must notify not only its service providers but also third parties that have received or bought personal information from the business, to delete the personal information. This notification to third parties does have an exception for impossibility or disproportionate effort; however, the scope of this exception is not clear given the amount of knowledge businesses are required to maintain on third parties that receive or buy personal information from the business.
  • Right to Opt Out of Advertisers Using Precise Geolocation Data. Consumers have the right to control a business’ use of their precise geolocation data. Precise geolocation data is data that is derived from a consumer’s device and can locate a consumer to within 1/3 of a mile from their current location, although this definition may be expanded per final regulations to account for areas where population density is low.  This precise geolocation data is sensitive personal information, and as such is subject to all the rights pertaining to sensitive personal information, including a consumer’s ability to restrict use of the precise geolocation data to use by the business only for the purpose of providing goods and services to the consumer.

As we can see from the above, the CPRA builds on the foundation set by the CCPA to expand individuals’ rights to their personal information. While the precise scope of some of these expansions is not yet clear, businesses subject to the CPRA should begin to assess modifications to their current data collection and use for CPRA compliance.
