In November of 2020, California enacted the California Privacy Rights Act (CPRA), which modified and expanded upon the already far-reaching California Consumer Privacy Act (CCPA). Most of the CPRA takes effect on January 1, 2023, which may sound like a long way off. The problem is that much of the CPRA will apply to data collected as of January 1, 2022. This effectively advances by a year the date by which you must implement some key CPRA provisions. We recommend that companies begin adapting their privacy practices now to avoid a last-minute scramble and the need to later redesign programs that are currently in development.
There are a number of consumer rights that have been changed and expanded upon under the CPRA, including the following:
- The Right to Know: The CPRA removes the CCPA’s 12-month lookback period for access requests and gives consumers the right to make requests that extend beyond the 12 months preceding the request. Additionally, the CPRA makes clear that the new regulation applies to personal information collected as of January 1, 2022. This is the primary requirement driving the need to implement parts of the CPRA one year early. Evaluate whether your systems have the capability to honor these requests.
- The Right to Delete: The CCPA already required covered businesses to delete a consumer’s personal information upon request and to direct any service providers to do the same. The CPRA expands this requirement to add that, in responding to a consumer’s deletion request, service providers and contractors must direct their own service providers or contractors to delete personal information about the consumer. Businesses that receive a deletion request must also notify and instruct third parties who have purchased or received the consumer’s personal information to delete it. Covered businesses should begin adding this requirement to their contracts with service providers, contractors, and third parties now to avoid future amendments.
The CPRA also creates the following new consumer rights:
- The Right to Correct: Consumers can request that a business correct the information it has about them. Businesses must disclose the right to request correction and must use commercially reasonable efforts to correct inaccurate information upon request. Start incorporating this capability into your systems.
- The Right to Opt-Out of Sharing Personal Information: Under the CCPA, California consumers had the right to opt out of the “sale” of their personal information. Under the CPRA, consumers can opt out of the sharing of their personal information as well. If, like many companies, you engage in data sharing, be aware of how this will affect your operations and adapt your contracts going forward.
- The Right to Restrict Sensitive Information Processing: The CPRA has added a new category of personal information called “sensitive personal information.” This term includes information such as social security numbers, passport numbers, racial or ethnic origin, and financial account and payment card information. The CPRA grants California consumers the right to opt out of a business’ use and disclosure of their sensitive personal information. Be mindful of this right if you are developing a product that incorporates this information.
What Do These Changes Mean For Your Business?
The CPRA requires that businesses make changes to their privacy notices and implement measures so they can respond to these new consumer rights. Not only do businesses need to provide California consumers with notice of their new and modified rights under the CPRA, but the CPRA also requires that businesses disclose the retention period or retention criteria for each category of personal information they collect.
While some steps like privacy notice updates can wait, businesses would be wise to start assessing their current state of compliance to gain clarity regarding changes that need to be made, both internally and externally, to become compliant with the new law. You may not need to enable all of these capabilities right away, but work them into your product design going forward. As businesses budget for future compliance, CPRA should remain top of mind.
Since the deadline for the adoption of the final regulations to the CPRA is not until July 1, 2022, it is likely we won’t know the final CPRA requirements until that date. As we saw with the CCPA, these regulations can have a significant impact on the requirements and specific compliance steps that companies should take.
While this article only touches on some of the CPRA’s changes to the CCPA, we hope it gets businesses thinking about their future plans to comply.
We will continue to provide updates and analysis of the CPRA's detailed requirements. Please do not hesitate to reach out to our Data Security and Privacy team with your questions about the new CPRA requirements. Our team would be happy to assist your business in revisiting or implementing your compliance plans as deadlines approach.