As readers of my blog may know, starting last November I have been spending a lot of time diving into data privacy, and have done detailed comparisons of the scope, consumer privacy rights, business obligations and enforcement of data protection and privacy laws such as the European Union’s General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA). It turns out all my research has been timely, as last month “Version 2.0” of the CCPA — the California Privacy Rights Act (CPRA) of 2020, aka Proposition 24 — made the ballot. Based on this research, I have independently concluded that the CPRA would be a great win in strengthening privacy rights in California, and summarized my thoughts in a recent blog post entitled “Why I am Voting Yes on Prop 24.”
With this blog post I want to drill down a bit more and provide my top 12 privacy enhancements found in the CPRA, with the significance of each one:
#1 Creates a New Privacy Right — The Right to Limit the Use of Sensitive Personal Information
What Does This Mean? Like the GDPR, which has a special category of “sensitive data” (racial or ethnic origin, political beliefs, sexual orientation, etc.) that cannot be processed except under a few exceptions, the CPRA adds a concept of “sensitive personal information” (SPI) that is not in the existing CCPA law. SPI includes personal data such as social security, driver’s license and passport numbers; account log-in credentials; financial account information as well as debit and credit card numbers; precise geolocation; racial or ethnic origin, as well as union membership; mail and text messages, unless the business is the intended recipient; genetic and biometric data; and personal information regarding the consumer’s health, sex life and/or sexual orientation.
This means that with the CPRA, businesses must inform consumers that they are collecting SPI, the purposes for collection, whether the SPI will be sold or shared, and the length of time this data will be stored. Businesses cannot collect additional SPI for additional purposes that are incompatible with the disclosed purpose, and cannot store SPI beyond the stated length of time. Furthermore, a consumer shall have the right at any time to limit the use of their SPI. In addition, a business must either put a clear link titled “Limit the Use of My SPI” on its homepage or support an opt-out signal. Finally, since SPI is personal information, a consumer can also request that the business not sell or share SPI, and the business must respect the other consumer rights regarding personal information (right to access, delete, rectify, etc.).
Specific to geolocation, the CPRA lets consumers prohibit businesses from tracking their precise geolocation to a location within 250 acres.
Why is this Important? This is a very big enhancement to the CCPA, because do we really want a business making decisions about us, such as approving medical insurance, based on the geolocation data it has on you (e.g. you visiting a cancer treatment center)? Or businesses being able to make decisions based on your race, ethnicity or sexual orientation? So it is not a surprise that groups like the NAACP are supporting the CPRA.
#2 Provides Further Safeguards for Kids
What Does This Mean? The existing CCPA law does protect minors by requiring that “a business shall not sell the personal information” of children aged 13 to 16 unless the child directly “opts in” to the sale. For children under 13, a business requires parental consent to the sale of the child’s personal data.
In the case of the CPRA, the protection for children is further strengthened by also stopping the sharing, not just the selling, of personal information. Furthermore, for children under 16 who did not give consent, businesses must “wait for at least 12 months before requesting the consumer’s consent again” or “until the consumer attains 16 years of age.” Finally, the CPRA enables the Privacy Protection Agency to levy administrative enforcement fines of $7,500 per violation of the law in cases where the “business, service provider, contractor or other person has actual knowledge that the consumer is under 16 years of age.”
Why is this Important? By adding more fines and further restrictions, the bar is now higher for the safeguarding of children.
#3 Creates a New Privacy Right — The Right to Correct
What Does This Mean? Consumers in California will now have the right to rectify any personal data that a business has collected on them. This was a right under the GDPR but not under the CCPA.
Why is this Important? What if you submit an application for a good or service (e.g. for insurance) and the application is rejected by a business because of bad or incorrect data on you? With the CPRA you will have the right to rectify that data.
#4 Extends the Right to Opt-out of the Sale of Personal Data to Include Opt-out of the Sharing of Personal Data
What Does This Mean? With the existing CCPA law, “a consumer shall have the right, at any time, to direct a business that sells personal information about the consumer to third parties not to sell the consumer’s personal information. This right may be referred to as the right to opt-out.”
The CPRA extends this right to include the sharing of personal data. The CPRA defines “sharing” as transferring, disclosing, or otherwise communicating personal information to a third party for cross-context behavioral advertising (think “retargeting” of digital ads based on your internet behavior and activity), whether or not the business does so for monetary value.
Why is this Important? Some business models of companies that collect and use personal data did not directly “sell” personal data per se, but they shared consumers’ personal data with other organizations to meet their business goals and objectives, thereby propagating personal data. This enhancement closes this loophole and gives consumers further control over the use of their personal data.
#5 Creates a New Privacy Right — Right to Reject Automated Decision Making and Profiling
What Does This Mean? The GDPR has this privacy right: “The data subject shall have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or similarly significantly affects him or her.” Exceptions include the data subject’s explicit consent or the performance of a contract.
The CCPA has no such right, but the CPRA adds this as a privacy right, with further definition to be issued as a regulation by the Privacy Protection Agency.
Why is this Important? This creates more transparency about how data is being used and processed. By giving consumers the right to know about “profiling” and “automated decision making,” it gives consumers more insight into when and how their personal or sensitive information is being used to make adverse decisions that can impact their lives (e.g. housing or employment).
#6 Requires Businesses to Provide Data Protection by Design and Default
What Does This Mean? The GDPR requires that controllers implement data protection by design and by default. For example, “the controller shall, both at the time of the determination of the means for processing and at the time of the processing itself, implement appropriate technical and organizational measures, such as pseudonymisation, which are designed to implement data-protection principles, such as data minimization, in an effective manner.” The CCPA has no such requirements.
The CPRA requires a business to not collect additional categories of personal information (PI) and/or sensitive personal information (SPI) that are “incompatible with the disclosed purpose for which the personal information was collected, without providing the consumer with notice.” In addition, a business shall not collect this data “for longer than is reasonably necessary for that disclosed purpose” (i.e. principle of storage limitation) and a “business’s collection … of a consumer’s personal Information shall be reasonably necessary and proportionate to achieve the purposes for which the personal information was collected or processed” (i.e. data or purpose minimization, aka principle of proportionality).
Why is this Important? For two reasons: it codifies the principle of “storage limitation” — which prevents businesses from keeping information longer than necessary — and the principle of “data minimization” — which prevents businesses from collecting more information than required. The net result is that less of our personal data is propagated, collected, sold or shared, so more of it is under our control and it is less likely to be stolen or misused.
#7 Requires Businesses to Maintain Records of Processing Activity of Personal Data
What Does This Mean? The GDPR does require that each controller “maintain a record of processing activities under its responsibility.” The CCPA does not require this. The CPRA does, via the Privacy Protection Agency, which will create regulations “specifying record keeping requirements for businesses to ensure compliance with this title.”
Why is this Important? The CPRA forces businesses to better manage and track how they are using personal information, who they are selling and sharing it with, etc. This means more accountability, which in turn means our personal information is better managed by us and regulated for our protection.
#8 Requires Businesses to Do Data Protection Impact Analyses
What Does This Mean? This is required in the EU with the GDPR but not in California with the current CCPA. But in the case of the CPRA the Privacy Protection Agency will issue regulations “requiring businesses whose processing of consumers’ personal information presents significant risk to consumers’ privacy or security, to: (A) perform a cybersecurity audit on an annual basis, including defining the scope of the audit and establishing a process to ensure that audits are thorough and independent” … and (B) “submit to the California Privacy Protection Agency on a regular basis a risk assessment with respect to their processing of personal Information.”
Why is this Important? As in the case of #7, this again puts more onus on businesses to be more careful and accountable with our personal data.
#9 Establishes a New Enforcement Arm — the Privacy Protection Agency
What Does This Mean? In the EU each Member State has a dedicated and independent “Supervisory Authority” (SA) that is responsible for enforcement of the GDPR, with the European Data Protection Board providing oversight across all SAs.
In the case of the CCPA, enforcement is through the office of the California Attorney General, and there is no dedicated agency to enforce the CCPA. The California Attorney General (AG) is tasked with adopting regulations regarding the CCPA based on public participation. The AG can issue civil fines (see below). Any proceeds from civil actions go into a dedicated Consumer Privacy Fund.
The CPRA establishes the Privacy Protection Agency (PPA), whose primary mission is to “protect the fundamental privacy rights of natural persons with respect to the use of their personal information” and which is vested with full administrative power, authority and jurisdiction to implement and enforce the California Consumer Privacy Act. The PPA enforces the CPRA through administrative actions and is also tasked to “promote public awareness and understanding of the risks, rules, responsibilities, safeguards, and rights in relation to the collection, use, sale and disclosure of personal information.” The PPA is funded through the Consumer Privacy Fund, with an annual budget of $10 million from the State’s General Fund. The regulations associated with the CPRA will initially be adopted by the California Attorney General with “broad public participation,” but once the PPA is operational it will assume ownership of the regulation process.
Why is this Important? The $10 million is estimated to be 2-3x the amount of money the California AG’s office is currently spending on CCPA enforcement. Furthermore, this funding is equivalent to what the Federal Government, through the FTC, has in terms of privacy enforcement personnel for the entire country.
#10 Stricter Fines and Enforcement
What Does This Mean? The CCPA states that “a business shall be in violation … if it fails to cure any alleged violation within 30 days after being notified of alleged noncompliance…” and can “be subject to an injunction and liable for a civil penalty of not more than two thousand five hundred dollars ($2,500) for each violation or seven thousand five hundred dollars ($7,500) for each intentional violation.” This will be assessed and recovered in a civil action brought by the Attorney General.
The CPRA enables the PPA to “investigate possible violations of this title relating to any business, service provider, contractor, or person.” Violators of the CPRA will be given 30 days’ notice by the PPA, and when the PPA “determines there is probable cause for believing this title has been violated, it shall hold a hearing to determine if a violation has or violations have occurred.” If the PPA determines a violation has occurred, it can issue a cease and desist order, as well as order an entity to “pay an administrative fine of up to two thousand five hundred dollars ($2,500) for each violation, or up to seven thousand five hundred dollars ($7,500) for each intentional violation and each violation involving the personal information of minor consumers to the Consumer Privacy Fund within the General Fund of the state.” So note that the CPRA really puts more teeth into fines for violations involving minors’ personal data as compared to the CCPA.
Also note that the CCPA has a “two strikes and you’re out” framework, while the CPRA changes this to penalties on the first violation.
Why is this Important? California will have significantly more resources dedicated to protecting the privacy of Californians, and with stricter fines and enforcement, businesses will be more motivated to ensure we can exercise our privacy rights.
#11 Improves Private Right of Action
What Does This Mean? The CCPA enables a consumer’s private right of action only in the narrow case where their “nonencrypted and nonredacted personal information” was “subject to an unauthorized access and exfiltration, theft, or disclosure as a result of the business’s violation of the duty to implement and maintain reasonable security procedures and practices.” Damages may be “not less than $100 and not greater than $750 per consumer per incident or actual damages, whichever is greater.”
The CPRA enables a consumer’s private right of action if their “nonencrypted and nonredacted personal information” and their “email address in combination with a password or security question and answer that would permit access to the account” were “subject to an unauthorized access and exfiltration, theft, or disclosure as a result of the business’s violation of the duty to implement and maintain reasonable security procedures and practices.” The damages and the definition of personal information are the same as in the CCPA, as are the 30-day notices, but the key differences from the CCPA are (a) the inclusion of the email address/password combination as part of a breach that could trigger a private right of action; and (b) “implementation and maintenance of reasonable security procedures and practices … following a breach does not constitute a cure with respect to that breach.”
Why is this Important? The CPRA’s addition of email and password to the private right of action will help motivate businesses to better protect account logins and help curb identity theft. Furthermore, by making it clear that businesses must maintain reasonable security procedures and practices, it will motivate businesses to invest in improving overall security vis-à-vis the storage and use of our personal data.
#12 Reduces the ability to weaken privacy law in California
What Does This Mean? In the case of the GDPR and the CCPA, there is no provision limiting the ability of the respective legislatures to water down the two laws. In the case of the CPRA, the resulting law may be amended after its approval by the voters by a statute that is passed by a vote of a majority of the members of each house of the Legislature and signed by the Governor, provided that such amendments are “consistent with and further the purpose and intent” of the CPRA. So the backers of the ballot initiative have tried to put the CPRA in a “lockbox.”
Why is this Important? It makes it very difficult to weaken privacy rights in California, barring a new initiative that overrides the CPRA. Note the legislature can in fact amend the CPRA by a simple majority, with the caveat that “any amendment must be in furtherance of the purpose and intent of the measure.”
Mapping this Top 12 to My Executive Summary of GDPR vs. CCPA vs. CPRA
Here is how these Top 12 map to my executive summary of GDPR vs. CCPA vs. CPRA.
As noted by @DLTsays, I think that anyone who has in fact carefully read the CPRA and compared it to the CCPA will conclude that the CPRA greatly strengthens overall privacy rights vis-à-vis the CCPA.