Here We Go Again: New Consumer Privacy Law Passed in California Through Ballot Initiative

If you’ve been craving consistency and finality in the data privacy regulatory landscape after learning that the “final” regulations of the CCPA are not so finalized, then yesterday was not your day. Unofficial results released by the California Secretary of State show that California voters passed the California Privacy Rights Act (CPRA) ballot initiative, with 56% of the votes.

The CPRA was spearheaded by the non-profit group, Californians for Consumer Privacy, the same organization behind the CCPA. Leading up to Election Day, proponents of the CPRA argued that it strengthens consumer privacy rights by closing existing loopholes in the CCPA. Opponents, by contrast, argued that it concedes to business interests and that its creation of an independent California Privacy Protection Agency imprudently takes power out of the hands of the California legislature. In the end, the promise of a strengthened consumer privacy law won the day. The CPRA will become effective on January 1, 2023 and will apply to personal information collected on or after January 1, 2022.

Companies doing business in California will now contend with new mandates that expand the already robust suite of protections for consumers under the CCPA. Relevant to business operations, the CPRA modifies and enlarges CCPA requirements in some of the following most notable ways:

  • It creates a new category of “sensitive personal information” and implements limitations on the collection, use, and disclosure of that type of information. Sensitive personal information includes:
    • Identifying information such as Social Security Number, driver’s license number, and passport number;
    • Financial information such as debit or credit card number in combination with required security or access code, password, or credentials allowing access to an account; and
    • Sensitive information, similar to GDPR’s “special categories of personal data” such as information regarding racial or ethnic origin, religious or philosophical beliefs, union membership, genetic data, biometric data, and data concerning a consumer’s health, sex life, or sexual orientation.
  • It regulates “sharing” of personal information with third parties in the context of “cross-context behavioral advertising” in the same way that CCPA regulates “sales” of personal information. The CCPA broadly regulates the “sale” of personal information for monetary or other valuable consideration. But whether disclosures of personal information made by a business in connection with online behavioral advertising should be considered “sales” of personal information isn’t always clear. The CPRA effectively eliminates that ambiguity: it regulates “sharing” of personal information in much the same way as CCPA regulates “sales,” and defines “sharing” as the “sharing, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating . . . a consumer’s personal information by the business to a third party for cross-context behavioral advertising.” Cross-context behavioral advertising includes targeted advertising based on a consumer’s activity across businesses, distinctly branded websites, applications, or services. But it does not include the use of personal information for as “non-personalized advertising shown as part of a consumer’s current interaction with the business” (i.e., contextual advertising) which is permitted as a valid “business purpose.”
  • It expands individual rights. With the addition of the concept of data “sharing,” the CPRA adds individual rights to opt out of the sharing of personal information for both adults and minors, as well as a new right to limit use and disclosure of CPRA’s newly defined category of “sensitive personal information.” CPRA also adds a right to correct inaccurate personal information, and a right for consumers to obtain information about, and to opt out of, business’ use of automated decision-making technology, including profiling, pursuant to regulations to be issued by the California Attorney General’s office.
  • It imposes new opt-out requirements: CPRA expands the requirement for opt outs to cover sharing of personal information and using or disclosing sensitive personal information for purposes other than those specified by the CPRA. The law allows businesses to facilitate consumer opt-out requests though a clear and conspicuous link on the business’s homepage or through an opt-out preference signal sent with the consumer’s consent by a platform, technology, or mechanism, based on technical specifications to be issued by the California Attorney General’s office.
  • It imposes new contracting requirements. The CPRA creates new requirements for contracts between businesses and third parties, service providers, and “contractors” (a new category created by CPRA). In particular, CPRA imposes a written contracting requirement when businesses sell personal information to, or share personal information with, third parties—a requirement that doesn’t exist under CCPA (CCPA only requires contracts with service providers). CPRA also specifies new and detailed terms that must be included in contracts with service providers and contractors.
  • It requires businesses to downstream deletion requests to third parties to whom the business has sold or shared personal information. Businesses will now be required under CPRA to notify third parties to whom the business sold or shared the consumer’s personal information to delete the personal information, unless it would be “impossible” or “involve disproportionate effort” to do so.

Businesses that have implemented robust CCPA compliance programs will likely be well-positioned to leverage those programs to address the CPRA’s expanded requirements. Although 2023 seems a long way away, the level of effort required to comply may still be significant, including, for example, to address the new third party, contractor, and service provider contracting requirements. There are also still significant areas of uncertainty—especially in those left open for Attorney General rulemaking (such as the regulation of “profiling”). And if the CCPA rulemaking process is any indication, we will be covering the evolution of the CPRA for years to come.

In the meantime, feel free to reach out to our team if you would like to discuss how the CPRA may affect your business.