The CPRA: California’s Second Take on Privacy Rights
Late last month the California Secretary of State certified the signatures required to put the California Privacy Rights Act (“CPRA”), or CCPA 2.0 as it has been alternatively dubbed, on the November ballot. The CPRA ballot initiative builds on the California Consumer Privacy Act (“CCPA”) that went into effect January 1 of this year and is intended to provide additional individual privacy rights and to eventually consolidate enforcement of the law into a single agency. Some of the more notable aspects of the CPRA include:
- Scope of Applicability of the CCPA. The definition of a “business” has been modified to both narrow and expand the set of businesses that must comply with the privacy law. Specifically, one prong of applicability is now narrowed to require that a business must buy, sell, or share the information of 100,000, rather than 50,000, California residents. Conversely, the scope is expanded by clarifying how commonly controlled organizations are brought within the scope of the CCPA, through an expanded definition of common branding. The sharing of information from a CCPA-covered business to a commonly controlled and commonly branded company brings the latter under the purview of the CCPA, where common branding means the use of trademarks or service marks in a manner that the average consumer would believe the businesses are commonly owned.
- Expansion of Individual Rights.
  - Similar to the European Union’s General Data Protection Regulation (“GDPR”), the CPRA provides for an additional category of personal information, namely sensitive information. Sensitive information is an expansive subset of personal information and includes specific identification or financial account numbers, genetic information, and the processing of biometric information for identification of an individual, among others. Sensitive information is subject to additional protections: businesses must provide detailed notice to consumers regarding how the sensitive information is used and their right to limit such use, and must restrict how their service providers use the sensitive information.
  - Also similar to the GDPR, the CPRA provides for a data minimization principle where the collection, use, and retention of personal information shall only be as “reasonably necessary and proportionate to achieve the purposes” that the personal information was collected for or disclosed to the individual.
- The CPRA establishes a new administrative agency to be known as the California Privacy Protection Agency, which will be vested with full administrative power, authority, and jurisdiction to implement and enforce the CCPA. The agency would have rulemaking authority, as well as a directive to promote awareness of and provide guidance to consumers regarding their privacy rights.
If passed, the CPRA would take effect on January 1, 2023, and will apply to all information collected by businesses on or after January 1, 2022. Unlike the CCPA, if the CPRA is adopted by voters in November, it can only be amended by the California legislature through normal processes if the amendments are “consistent with and further the purposes” of the CPRA. We will continue to update you on the progress of the CPRA.