As Californians for Consumer Privacy announced last week, a new privacy law is likely to be on the California ballot in November. The California Privacy Rights Act is a ballot initiative, which, if adopted — and most agree it will be — would replace the California Consumer Privacy Act, which entered into force earlier this year. The CPRA is truly an omnibus data protection law, modeled on the EU General Data Protection Regulation, and would create a much broader set of privacy rights and obligations than the CCPA. DLA Piper’s Jim Halpert, Lael Bellamy, CIPP/US, and Marco Berrios recently outlined the business ramifications of potential CPRA approval.
Here, we go deeper, offering a top-10 (and a half) list of the CPRA’s most impactful provisions. The relevant statutory provisions follow each brief commentary. Text shown in bold has been added by the CPRA to current CCPA requirements (which are not bolded). Text shown with strikethroughs has been removed by the CPRA compared to current CCPA requirements.
1/2. Entry into force January 2023 with look back to January 2022
It feels strange to point to the date a law enters into force as an “impactful provision,” so we’re calling this the half. That being said, it is arguably the most impactful. By providing over two years between notional adoption and implementation, the CPRA would create the impetus and time for adoption of U.S. privacy legislation. Some following the ballot initiative closely say that’s the whole idea.
Industry stakeholders with concerns about CPRA requirements recognize defeating the ballot initiative is unlikely — a fall poll suggested that almost 9 out of 10 Californians would vote for it. This and the growing number of states proposing new privacy legislation will likely increase industry demands for a new federal law.
SEC. 31. Effective and Operative Dates.
(a) This Act shall become effective as provided in subdivision (a) of section 10 of article II of the California Constitution. Except as provided in subdivision (b), this Act shall become operative January 1, 2023, and with the exception of the right of access, shall only apply to personal information collected by a business on or after January 1, 2022.
SEC. 21.
1798.185. Regulations
(d) Notwithstanding subdivision (a), the timeline for adopting final regulations required by the Act adding this subdivision shall be July 1, 2022....
1. Sensitive data: New definition, limits on use and sharing, mandated link or respect of global opt-out
The CPRA would create significant new obligations for those processing sensitive data. There are three sets of provisions worth examining closely.
The first is the definition of “sensitive data.” The definition is broad, including government-issued identifiers, account log-in credentials, financial account information, precise geolocation, contents of certain types of messages, genetic data, racial or ethnic origin, religious beliefs, biometrics, health data, and data concerning sex life or sexual orientation (exact text below). It is certainly broader than the definition of “special categories of personal data” under the GDPR, to which some might be tempted to compare it. It is worth noting, however, that under the CPRA, while additional rules (discussed below) would govern the processing of sensitive data, such processing would not require express consent, as it does for the narrower set of “sensitive” data under the GDPR.
SEC. 14.
1798.140. Definitions
(ae) “Sensitive personal information” means: (1) personal information that reveals (A) a consumer’s social security, driver’s license, state identification card, or passport number; (B) a consumer’s account log‐in, financial account, debit card, or credit card number in combination with any required security or access code, password, or credentials allowing access to an account; (C) a consumer’s precise geolocation; (D) a consumer’s racial or ethnic origin, religious or philosophical beliefs, or union membership; (E) the contents of a consumer’s mail, email and text messages, unless the business is the intended recipient of the communication; (F) a consumer’s genetic data; and (2)(A) the processing of biometric information for the purpose of uniquely identifying a consumer; (B) personal information collected and analyzed concerning a consumer’s health; or (C) personal information collected and analyzed concerning a consumer's sex life or sexual orientation. Sensitive personal information that is “publicly available” pursuant to paragraph (2) of subdivision (v) of Section 1798.140 shall not be considered sensitive personal information or personal information.
Second, the CPRA would allow consumers to limit the use and disclosure of their sensitive personal information. Specifically, a consumer could direct a business to use sensitive personal information only for purposes necessary to perform the service or provide the goods requested or as prescribed by the CPRA or implementing regulations. Businesses would be required to respect such requests unless a consumer provides subsequent authorization to use the sensitive personal information for additional purposes.
SEC. 10.
1798.121. Consumers’ Right to Limit Use and Disclosure of Sensitive Personal Information
1798.121. (a) A consumer shall have the right, at any time, to direct a business that collects sensitive personal information about the consumer to limit its use of the consumer’s sensitive personal information to that use which is necessary to perform the services or provide the goods reasonably expected by an average consumer who requests such goods or services, to perform the services set forth in paragraphs (2), (4), (5), and (8) of subdivision (e) of Section 1798.140, and as authorized by regulations adopted pursuant to subparagraph (C) of paragraph (19) of subdivision (a) of Section 1798.185. A business that uses or discloses a consumer’s sensitive personal information for purposes other than those specified in this subdivision shall provide notice to consumers, pursuant to subdivision (a) of Section 1798.135, that this information may be used, or disclosed to a service provider or contractor, for additional, specified purposes and that consumers have the right to limit the use or disclosure of their sensitive personal information.
(b) A business that has received direction from a consumer not to use or disclose the consumer’s sensitive personal information, except as authorized by subdivision (a), shall be prohibited, pursuant to paragraph (4) of subdivision (c) of Section 1798.135, from using or disclosing the consumer’s sensitive personal information for any other purpose after its receipt of the consumer’s direction, unless the consumer subsequently provides consent for the use or disclosure of the consumer’s sensitive personal information for additional purposes.
(c) A service provider or contractor that assists a business in performing the purposes authorized by subdivision (a) may not use the sensitive personal information, after it has received instructions from the business and to the extent it has actual knowledge that the personal information is sensitive personal information for any other purpose. A service provider or contractor is only required to limit its use of sensitive personal information received pursuant to a written contract with the business in response to instructions from the business and only with respect to its relationship with that business.
(d) Sensitive Personal information that is collected or processed without the purpose of inferring characteristics about a consumer, is not subject to this Section, as further defined in regulations adopted pursuant to subparagraph (C) of paragraph (19) of subdivision (a) of Section 1798.185, and shall be treated as personal information for purposes of all other sections of this Act, including Section 1798.100.
Third, the CPRA prescribes the methods by which businesses would be required to enable consumers to limit the sale, sharing and use of sensitive personal information (just as it prescribes the methods for limiting the sale or sharing of “personal information”). Businesses that use or disclose consumers’ sensitive personal information for purposes other than those authorized by the CPRA must do one of the following:
1. Provide a link on their homepage(s) titled “Limit the Use of My Sensitive Personal Information,” which enables consumers to exercise the rights described above.
2. Provide a single link on their homepage(s) that both accomplishes #1 and allows a consumer to opt out of the sale or sharing of “personal information.”
3. Respect an opt‐out preference signal sent with the consumer’s consent by a platform, technology or mechanism to accomplish #1, #2 or both, as relevant and prescribed by regulations.
SEC. 13.
1798.135. Methods of Limiting Sale, Sharing, and Use of Personal Information and Use of Sensitive Personal Information
1798.135. (a) A business that is required to comply with Section 1798.120 sells or shares consumers’ personal information or uses or discloses consumers’ sensitive personal information for purposes other than those authorized by subdivision (a) of Section 1798.121 shall, in a form that is reasonably accessible to consumers:
(1) Provide a clear and conspicuous link on the business’s Internet internet homepage(s), titled “Do Not Sell or Share My Personal Information,” to an Internet Web page internet webpage that enables a consumer, or a person authorized by the consumer, to opt‐out of the sale or sharing of the consumer’s personal information.
(2) Provide a clear and conspicuous link on the business’s internet homepage(s), titled “Limit the Use of My Sensitive Personal Information” that enables a consumer, or a person authorized by the consumer, to limit the use or disclosure of the consumer’s sensitive personal information to those uses authorized by subdivision (a) of Section 1798.121.
(3) At the business’s discretion, utilize a single, clearly‐labeled link on the business’s internet homepage(s), in lieu of complying with paragraphs (1) and (2), if such link easily allows a consumer to opt‐out of the sale or sharing of the consumer’s personal information and to limit the use or disclosure of the consumer’s sensitive personal information.
(4) In the event that a business responds to opt‐out requests received pursuant to paragraphs (1), (2), or (3) by informing the consumer of a charge for the use of any product or service, present the terms of any financial incentive offered pursuant to subdivision (b) of Section 1798.125 for the retention, use, sale, or sharing of the consumer’s personal information.
(b) (1) A business shall not be required to comply with subdivision (a) if the business allows consumers to opt‐out of the sale or sharing of their personal information and to limit the use of their sensitive personal information through an opt‐out preference signal sent with the consumer’s consent by a platform, technology, or mechanism, based on technical specifications set forth in regulations adopted pursuant to paragraph (20) of subdivision (a) of Section 1798.185, to the business indicating the consumer’s intent to opt‐out of the business’s sale or sharing of the consumer’s personal information or to limit the use or disclosure of the consumer’s sensitive personal information, or both.
2. New enforcement agency: California Privacy Protection Agency
The CPRA would create the first agency in the United States dedicated solely to privacy — the California Privacy Protection Agency. This, too, is significant. The CPPA would be governed by a five-member board with expertise in privacy, technology and consumer rights. This board would appoint an executive director, who would then staff the agency. The agency would implement and enforce the act and have subpoena and audit powers. The CPPA would also be charged with building public awareness about privacy risks and providing guidance to businesses and consumers. The agency could levy administrative fines of up to $2,500 per violation of the act or up to $7,500 per intentional violation or violation involving minors. It would also absorb the rulemaking authority granted under the act from the Attorney General’s Office. The CPPA would receive at least $10 million in annual funding beginning in 2021–22, with $5 million in the first year.
SEC. 24.
Establishment of California Privacy Protection Agency
1798.199.10. (a) There is hereby established in state government the California Privacy Protection Agency, which is vested with full administrative power, authority, and jurisdiction to implement and enforce the California Consumer Privacy Act. The Agency shall be governed by a five‐member board, including the Chair. The Chair and one member of the board shall be appointed by the Governor. The Attorney General, Senate Rules Committee, and Speaker of the Assembly shall each appoint one member. These appointments should be made from among Californians with expertise in the areas of privacy, technology, and consumer rights.
(b) The initial appointments to the Agency shall be made within 90 days of the effective date of the Act adding this section.
1798.199.15. Members of the Agency board shall:
(a) have qualifications, experience and skills, in particular in the areas of privacy and technology, required to perform the duties of the Agency and exercise its powers;
(b) maintain the confidentiality of information which has come to their knowledge in the course of the performance of their tasks or exercise of their powers, except to the extent that disclosure is required by the Public Records Act;
(c) remain free from external influence, whether direct or indirect, and shall neither seek nor take instructions from another;
(d) refrain from any action incompatible with their duties and engaging in any incompatible occupation, whether gainful or not, during their term;
(e) have the right of access to all information made available by the Agency to the Chair;
(f) be precluded, for a period of one year after leaving office, from accepting employment with a business that was subject to an enforcement action or civil action under this Title during the member’s tenure or during the five‐year period preceding the member’s appointment; and
(g) be precluded for a period of two years after leaving office, from acting, for compensation, as an agent or attorney for, or otherwise representing any other person in a matter pending before the Agency if the purpose is to influence an action of the Agency.
1798.199.20. Members of the Agency board, including the Chair, shall serve at the pleasure of their appointing authority but shall serve for no longer than eight consecutive years.
1798.199.25. For each day on which they engage in official duties, members of the Agency board shall be compensated at the rate of one hundred dollars ($100), adjusted biennially to reflect changes in the cost of living, and shall be reimbursed for expenses incurred in performance of their official duties.
1798.199.30. The Agency board shall appoint an executive director who shall act in accordance with Agency policies and regulations and with applicable law. The Agency shall appoint and discharge officers, counsel, and employees, consistent with applicable civil service laws, and shall fix the compensation of employees and prescribe their duties. The Agency may contract for services that cannot be provided by its employees.
1798.199.35. The Agency board may delegate authority to the Chair or the executive director to act in the name of the Agency between meetings of the Agency, except with respect to resolution of enforcement actions and rulemaking authority.
1798.199.40. The Agency shall perform the following functions:
(a) Administer, implement, and enforce through administrative actions, Title 1.81.5 (commencing with Section 1798.100) to Part 4 of Division 3 of the Civil Code.
(b) On and after the earlier of July 1, 2021, or within six months of the Agency providing the Attorney General with notice that it is prepared to assume rulemaking responsibilities under this title, adopt, amend, and rescind regulations pursuant to Section 1798.185 to carry out the purposes and provisions of the California Consumer Privacy Act, including regulations specifying record keeping requirements for businesses to ensure compliance with this title.
(c) Through the implementation of this title, protect the fundamental privacy rights of natural persons with respect to the use of their personal information.
(d) Promote public awareness and understanding of the risks, rules, responsibilities, safeguards, and rights in relation to the collection, use, sale and disclosure of personal information, including the rights of minors with respect to their own information, and provide a public report summarizing the risk assessments filed with the Agency pursuant to paragraph (15) of subdivision (a) of Section 1798.185 while ensuring that data security is not compromised.
(e) Provide guidance to consumers regarding their rights under this title.
(f) Provide guidance to businesses regarding their duties and responsibilities under this title, and appoint a Chief Privacy Auditor to conduct audits of businesses to ensure compliance with this title pursuant to regulations adopted pursuant to paragraph (18) of subdivision (a) of Section 1798.185.
(g) Provide technical assistance and advice to the Legislature, upon request, with respect to privacy‐related legislation.
(h) Monitor relevant developments relating to the protection of personal information, and in particular, the development of information and communication technologies and commercial practices.
(i) Cooperate with other agencies with jurisdiction over privacy laws and with data processing authorities in California, other states, territories, and countries to ensure consistent application of privacy protections.
(j) Establish a mechanism pursuant to which persons doing business in California that do not meet the definition of business set forth in paragraphs (1), (2), or (3) of subdivision (d) of section 1798.140 may voluntarily certify that they are in compliance with this title, as set forth in paragraph (4) of subdivision (d) of Section 1798.140, and make a list of such entities available to the public.
(k) Solicit, review, and approve applications for grants to the extent funds are available pursuant to paragraph (2) of subdivision (b) of Section 1798.160.
(l) Perform all other acts necessary or appropriate in the exercise of its power, authority, and jurisdiction, and seek to balance the goals of strengthening consumer privacy while giving attention to the impact on businesses.
1798.199.45. Upon the sworn complaint of any person or on its own initiative, the Agency may investigate possible violations of this title relating to any business, service provider, contractor, or person. The Agency may decide not to investigate a complaint or decide to provide a business with a time‐period to cure the alleged violation. In making a decision not to investigate or provide more time to cure, the Agency may consider: (a) the lack of intent to violate this title; and (b) voluntary efforts undertaken by the business, service provider, contractor, or person to cure the alleged violation prior to being notified by the Agency of the complaint. The Agency shall notify in writing the person who made the complaint of the action, if any, the Agency has taken or plans to take on the complaint, together with the reasons for such action or non‐action.
1798.199.50. No finding of probable cause to believe this title has been violated shall be made by the Agency unless, at least 30 days prior to the Agency’s consideration of the alleged violation, the business, service provider, contractor, or person alleged to have violated this title is notified of the violation by service of process or registered mail with return receipt requested, provided with a summary of the evidence, and informed of their right to be present in person and represented by counsel at any proceeding of the Agency held for the purpose of considering whether probable cause exists for believing the person violated this title. Notice to the alleged violator shall be deemed made on the date of service, the date the registered mail receipt is signed, or if the registered mail receipt is not signed, the date returned by the post office. A proceeding held for the purpose of considering probable cause shall be private unless the alleged violator files with the Agency a written request that the proceeding be public.
1798.199.55. (a) When the Agency determines there is probable cause for believing this title has been violated, it shall hold a hearing to determine if a violation has or violations have occurred. Notice shall be given and the hearing conducted in accordance with the Administrative Procedure Act (Chapter 5 (commencing with Section 11500), Part 1, Division 3, Title 2, Government Code). The Agency shall have all the powers granted by that chapter. If the Agency determines on the basis of the hearing conducted pursuant to this subdivision that a violation or violations have occurred, it shall issue an order that may require the violator to do all or any of the following:
(1) Cease and desist violation of this title.
(2) Subject to Section 1798.155, pay an administrative fine of up to two thousand five hundred dollars ($2,500) for each violation, or up to seven thousand five hundred dollars ($7,500) for each intentional violation and each violation involving the personal information of minor consumers to the Consumer Privacy Fund within the General Fund of the state. When the Agency determines that no violation has occurred, it shall publish a declaration so stating.
(b) If two or more persons are responsible for any violation or violations, they shall be jointly and severally liable.
1798.199.60. Whenever the Agency rejects the decision of an administrative law judge made pursuant to Section 11517 of the Government Code, the Agency shall state the reasons in writing for rejecting the decision.
1798.199.65. The Agency may subpoena witnesses, compel their attendance and testimony, administer oaths and affirmations, take evidence and require by subpoena the production of any books, papers, records or other items material to the performance of the Agency’s duties or exercise of its powers, including but not limited to its power to audit a business’s compliance with this title.
1798.199.70. No administrative action brought pursuant to this title alleging a violation of any of the provisions of this title shall be commenced more than five years after the date on which the violation occurred.
(a) The service of the probable cause hearing notice, as required by Section 1798.199.50, upon the person alleged to have violated this title shall constitute the commencement of the administrative action.
(b) If the person alleged to have violated this title engages in the fraudulent concealment of his or her acts or identity, the five‐year period shall be tolled for the period of the concealment. For purposes of this subdivision, “fraudulent concealment” means the person knows of material facts related to their duties under this title and knowingly conceals them in performing or omitting to perform those duties, for the purpose of defrauding the public of information to which it is entitled under this title.
(c) If, upon being ordered by a superior court to produce any documents sought by a subpoena in any administrative proceeding under this title, the person alleged to have violated this title fails to produce documents in response to the order by the date ordered to comply therewith, the five‐year period shall be tolled for the period of the delay from the date of filing of the motion to compel until the date the documents are produced.
1798.199.75. (a) In addition to any other available remedies, the Agency may bring a civil action and obtain a judgment in superior court for the purpose of collecting any unpaid administrative fines imposed pursuant to this title after exhaustion of judicial review of the Agency’s action. The action may be filed as a small claims, limited civil, or unlimited civil case, depending on the jurisdictional amount. The venue for this action shall be in the county where the administrative fines were imposed by the Agency. In order to obtain a judgment in a proceeding under this section, the Agency shall show, following the procedures and rules of evidence as applied in ordinary civil actions, all of the following:
(1) That the administrative fines were imposed following the procedures set forth in this title and implementing regulations.
(2) That the defendant or defendants in the action were notified, by actual or constructive notice, of the imposition of the administrative fines.
(3) That a demand for payment has been made by the Agency and full payment has not been received.
(b) A civil action brought pursuant to subdivision (a) shall be commenced within four years after the date on which the administrative fines were imposed.
1798.199.80. (a) If the time for judicial review of a final Agency order or decision has lapsed, or if all means of judicial review of the order or decision have been exhausted, the Agency may apply to the clerk of the court for a judgment to collect the administrative fines imposed by the order or decision, or the order as modified in accordance with a decision on judicial review.
(b) The application, which shall include a certified copy of the order or decision, or the order as modified in accordance with a decision on judicial review, and proof of service of the order or decision, constitutes a sufficient showing to warrant issuance of the judgment to collect the administrative fines. The clerk of the court shall enter the judgment immediately in conformity with the application.
(c) An application made pursuant to this section shall be made to the clerk of the superior court in the county where the administrative fines were imposed by the Agency.
(d) A judgment entered in accordance with this section has the same force and effect as, and is subject to all the provisions of law relating to, a judgment in a civil action and may be enforced in the same manner as any other judgment of the court in which it is entered.
(e) The Agency may bring an application pursuant to this section only within four years after the date on which all means of judicial review of the order or decision have been exhausted.
(f) The remedy available under this section is in addition to those available under any other law.
1798.199.85. Any decision of the Agency with respect to a complaint or administrative fine shall be subject to judicial review in an action brought by an interested party to the complaint or administrative fine and shall be subject to an abuse of discretion standard.
1798.199.90. (a) Any business, service provider, contractor, or other person that violates this title shall be subject to an injunction and liable for a civil penalty of not more than two thousand five hundred dollars ($2,500) for each violation or seven thousand five hundred dollars ($7,500) for each intentional violation and each violation involving the personal information of minor consumers, as adjusted pursuant to paragraph (5) of subdivision (a) of Section 1798.185, which shall be assessed and recovered in a civil action brought in the name of the people of the State of California by the Attorney General. The court may consider the good faith cooperation of the business, service provider, contractor, or other person in determining the amount of the civil penalty.
(b) Any civil penalty recovered by an action brought by the Attorney General for a violation of this title, and the proceeds of any settlement of any said action, shall be deposited in the Consumer Privacy Fund.
(c) The Agency shall, upon request by the Attorney General, stay an administrative action or investigation under this title to permit the Attorney General to proceed with an investigation or civil action, and shall not pursue an administrative action or investigation, unless the Attorney General subsequently determines not to pursue an investigation or civil action. The Agency may not limit the authority of the Attorney General to enforce this title.
(d) No civil action may be filed by the Attorney General under this Section for any violation of this title after the Agency has issued a decision pursuant to Section 1798.199.85 or an order pursuant to Section 1798.199.55 against that person for the same violation.
(e) This section shall not affect the private right of action provided for in Section 1798.150.
1798.199.95. (a) There is hereby appropriated from the General Fund of the state to the Agency the sum of five million dollars ($5,000,000) during the fiscal year 2020‐2021, and the sum of ten million dollars ($10,000,000) adjusted for cost‐of‐living changes, during each fiscal year thereafter, for expenditure to support the operations of the Agency pursuant to this title. The expenditure of funds under this appropriation shall be subject to the normal administrative review given to other state appropriations. The Legislature shall appropriate such additional amounts to the Commission and other agencies as may be necessary to carry out the provisions of this title.
(b) The Department of Finance, in preparing the state budget and the Budget Bill submitted to the Legislature, shall include an item for the support of this title, which item shall indicate all of the following: (1) the amounts to be appropriated to other agencies to carry out their duties under this title, which amounts shall be in augmentation of the support items of such agencies; and (2) the additional amounts required to be appropriated by the Legislature to the Agency to carry out the purposes of this title, as provided for in this section; and (3) in parentheses, for informational purposes, the continuing appropriation during each fiscal year of ten million dollars ($10,000,000), adjusted for cost‐of‐living changes made pursuant to this section.
(c) The Attorney General shall provide staff support to the Agency until such time as the Agency has hired its own staff. The Attorney General shall be reimbursed by the Agency for these services.
1798.199.100. The Agency and any court, as applicable, shall consider the good faith cooperation of the business, service provider, contractor, or other person in determining the amount of any administrative fine or civil penalty for a violation of this title. A business shall not be required by the Agency, a court, or otherwise to pay both an administrative fine and a civil penalty for the same violation.
3. Expanded breach liability: Definition now includes email/password combos
The CPRA would add 21 impactful words to the data breach liability created by the CCPA. In addition to the private right of action for breaches of nonencrypted, nonredacted personal information under the CCPA, the CPRA would add a private right of action for unauthorized access or disclosure of an email address and password or security question that would permit access to an account if the business failed to maintain reasonable security. Given how frequently such breaches seem to occur, this is a major addition.
SEC. 16.
1798.150. Personal Information Security Breaches
1798.150. (a) (1) Any consumer whose nonencrypted or and nonredacted personal information, as defined in subparagraph (A) of paragraph (1) of subdivision (d) of Section 1798.81.5, or whose email address in combination with a password or security question and answer that would permit access to the account, is subject to an unauthorized access and exfiltration, theft, or disclosure as a result of the business’s violation of the duty to implement and maintain reasonable security procedures and practices appropriate to the nature of the information to protect the personal information may institute a civil action for any of the following:
(A) To recover damages in an amount not less than one hundred dollars ($100) and not greater than seven hundred and fifty ($750) per consumer per incident or actual damages, whichever is greater.
(B) Injunctive or declaratory relief.
(C) Any other relief the court deems proper.
4. Audits and risk assessments: To be prescribed through regulation for high-risk processing
The attorney general and then the new California Privacy Protection Agency would be charged with issuing regulations requiring annual audits and regular risk assessments by businesses undertaking high-risk processing. In particular, such regulations would require businesses whose processing presents significant risks to consumer privacy or security to perform a thorough and independent cybersecurity audit annually. In determining what processing merits such audits, the regulations would consider the size and complexity of the business and the nature and scope of the processing. Businesses undertaking such processing would also need to submit regular risk assessments to the CPPA, weighing benefits and risks to various audiences with “the goal” of restricting processing if the risks to the consumer outweigh the benefits to all stakeholders. Regulations must be adopted by Jan. 1, 2022.
SEC. 21.
1798.185. Regulations
1798.185. (a) On or before July 1, 2020, the Attorney General shall solicit broad public participation and adopt regulations to further the purposes of this title, including, but not limited to, the following areas:
…
(15) Issuing regulations requiring businesses whose processing of consumers’ personal information presents significant risk to consumers’ privacy or security, to: (A) perform a cybersecurity audit on an annual basis, including defining the scope of the audit and establishing a process to ensure that audits are thorough and independent. The factors to be considered in determining when processing may result in significant risk to the security of personal information shall include the size and complexity of the business and the nature and scope of processing activities,
(B) submit to the California Privacy Protection Agency on a regular basis a risk assessment with respect to their processing of personal information, including whether the processing involves sensitive personal information, and identifying and weighing the benefits resulting from the processing to the business, the consumer, other stakeholders, and the public, against the potential risks to the rights of the consumer associated with such processing, with the goal of restricting or prohibiting such processing if the risks to privacy of the consumer outweigh the benefits resulting from processing to the consumer, the business, other stakeholders, and the public. Nothing in this section shall require a business to divulge trade secrets.
….
(d) Notwithstanding subdivision (a), the timeline for adopting final regulations required by the Act adding this subdivision shall be July 1, 2022….
5. Automated decision-making and profiling: Restrictions for certain industries
The CPRA defines “profiling” and would create new access and opt-out rights related to automated decision-making. Under the CPRA, profiling generally means automated processing of personal information to evaluate personal aspects of an individual and to make predictions concerning that individual’s performance at work, economic situation, health, preferences, interests, reliability, behavior, location or movements. The CPRA mandates the development of regulations governing access and opt-out rights with respect to businesses’ use of automated decision-making technology, which will require businesses to provide meaningful information about the logic involved in decision-making processes and descriptions of the likely outcome. These new provisions will be familiar to many businesses already complying with the GDPR, which the CPRA mirrors in this regard.
SEC. 14.
1798.140. Definitions
(z) “Profiling” means any form of automated processing of personal information, as further defined by regulations pursuant to paragraph (16) of subdivision (a) of Section 1798.185, to evaluate certain personal aspects relating to a natural person, and in particular to analyze or predict aspects concerning that natural person's performance at work, economic situation, health, personal preferences, interests, reliability, behavior, location or movements.
SEC. 21.
1798.185. Regulations
1798.185. (a) On or before July 1, 2020, the Attorney General shall solicit broad public participation and adopt regulations to further the purposes of this title, including, but not limited to, the following areas:
(16) Issuing regulations governing access and opt‐out rights with respect to businesses’ use of automated decision‐making technology, including profiling and requiring businesses’ response to access requests to include meaningful information about the logic involved in such decision‐making processes, as well as a description of the likely outcome of the process with respect to the consumer.
….
(d) Notwithstanding subdivision (a), the timeline for adopting final regulations required by the Act adding this subdivision shall be July 1, 2022….
6. Data correction: New consumer rights
The CPRA’s data correction provisions are fairly straightforward and also quite meaningful. The CPRA would enable consumers to request and oblige businesses to carry out correction of inaccurate personal information. These requirements are subject to reasonableness standards, any required authentication, specified exemptions and future regulations, as outlined in the text below. Service providers and contractors are required to assist businesses in complying with these requirements.
SEC. 6. Section 1798.106 is added to the Civil Code to read:
1798.106. Consumers’ Right to Correct Inaccurate Personal Information
1798.106 (a) A consumer shall have the right to request a business that maintains inaccurate personal information about the consumer correct such inaccurate personal information, taking into account the nature of the personal information and the purposes of the processing of the personal information.
(b) A business that collects personal information about consumers shall disclose, pursuant to Section 1798.130, the consumer’s right to request correction of inaccurate personal information.
(c) A business that receives a verifiable consumer request to correct inaccurate personal information shall use commercially reasonable efforts to correct the inaccurate personal information, as directed by the consumer, pursuant to Section 1798.130 and regulations adopted pursuant to paragraph (8) of subdivision (a) of Section 1798.185.
SEC. 12.
1798.130. Notice, Disclosure, Correction, and Deletion Requirements
1798.130. (a) In order to comply with Sections 1798.100, 1798.105, 1798.106, 1798.110, 1798.115, and 1798.125, a business shall, in a form that is reasonably accessible to consumers:
(1) (A) Make available to consumers two or more designated methods for submitting requests for information required to be disclosed pursuant to Sections 1798.110 and 1798.115, or requests for deletion or correction pursuant to Sections 1798.105 and 1798.106, respectively, including, at a minimum, a toll‐free telephone number, and if the business maintains an Internet Web site, a Web site address. A business that operates exclusively online and has a direct relationship with a consumer from whom it collects personal information shall only be required to provide an email address for submitting requests for information required to be disclosed pursuant to Sections 1798.110 and 1798.115, or for requests for deletion or correction pursuant to Sections 1798.105 and 1798.106, respectively.
(B) If the business maintains an internet website, make the internet website available to consumers to submit requests for information required to be disclosed pursuant to Sections 1798.110 and 1798.115, or requests for deletion or correction pursuant to Sections 1798.105 and 1798.106, respectively.
(2) (A) Disclose and deliver the required information to a consumer free of charge, or correct inaccurate personal information, or delete a consumer’s personal information, based on the consumer’s request, within 45 days of receiving a verifiable consumer request from the consumer. The business shall promptly take steps to determine whether the request is a verifiable consumer request, but this shall not extend the business’s duty to disclose and deliver the information, or correct inaccurate personal information or delete personal information, within 45 days of receipt of the consumer’s request. The time period to provide the required information, or to correct inaccurate personal information or delete personal information, may be extended once by an additional 45 days when reasonably necessary, provided the consumer is provided notice of the extension within the first 45‐day period. The disclosure of the required information shall cover the 12‐month period preceding the business’s receipt of the verifiable consumer request and shall be made in writing and delivered through the consumer’s account with the business, if the consumer maintains an account with the business, or by mail or electronically at the consumer’s option if the consumer does not maintain an account with the business, in a readily useable format that allows the consumer to transmit this information from one entity to another entity without hindrance. The business may require authentication of the consumer that is reasonable in light of the nature of the personal information requested, but shall not require the consumer to create an account with the business in order to make a verifiable consumer request, provided that if the consumer has an account with the business, the business may require the consumer to use that account to submit a verifiable consumer request.
…
(3) (A) A business that receives a verifiable consumer request pursuant to sections 1798.110 or 1798.115 shall disclose any personal information it has collected about a consumer, directly or indirectly, including through or by a service provider or contractor, to the consumer. A service provider or contractor shall not be required to comply with a verifiable consumer request received directly from a consumer or a consumer’s authorized agent pursuant to sections 1798.110 or 1798.115 to the extent that the service provider or contractor has collected personal information about the consumer in its role as a service provider or contractor. A service provider or contractor shall provide assistance to a business with which it has a contractual relationship with respect to the business’s response to a verifiable consumer request, including but not limited to by providing to the business the consumer’s personal information in the service provider or contractor’s possession, which the service provider or contractor obtained as a result of providing services to the business, and by correcting inaccurate information, or by enabling the business to do the same. A service provider or contractor that collects personal information pursuant to a written contract with a business shall be required to assist the business through appropriate technical and organizational measures in complying with the requirements of subdivisions (d) through (f) of Section 1798.100, taking into account the nature of the processing.
SEC. 14.
1798.140. Definitions
(ak) “Verifiable consumer request” means a request that is made by a consumer, by a consumer on behalf of the consumer’s minor child, or by a natural person or a person registered with the Secretary of State, authorized by the consumer to act on the consumer’s behalf, or by a person who has power of attorney or is acting as a conservator for the consumer, and that the business can reasonably verify, using commercially reasonable methods, pursuant to regulations adopted by the Attorney General pursuant to paragraph (7) of subdivision (a) of Section 1798.185 to be the consumer about whom the business has collected personal information. A business is not obligated to provide information to the consumer pursuant to Sections 1798.110 and 1798.115, to delete personal information pursuant to Section 1798.105, or to correct inaccurate personal information pursuant to Section 1798.106, if the business cannot verify, pursuant to this subdivision and regulations adopted by the Attorney General pursuant to paragraph (7) of subdivision (a) of Section 1798.185, that the consumer making the request is the consumer about whom the business has collected information or is a person authorized by the consumer to act on such consumer’s behalf.
SEC. 15.
1798.145. Exemptions
(k) The rights afforded to consumers and the obligations imposed on the business in this title shall not adversely affect the rights and freedoms of other consumers natural persons. A verifiable consumer request for specific pieces of personal information pursuant to Section 1798.110, to delete a consumer’s personal information pursuant to Section 1798.105, or to correct inaccurate personal information pursuant to Section 1798.106, shall not extend to personal information about the consumer that belongs to, or the business maintains on behalf of, another natural person. A business may rely on representations made in a verifiable consumer request as to rights with respect to personal information and is under no legal requirement to seek out other persons that may have or claim to have rights to personal information, and a business is under no legal obligation under this title or any other provision of law to take any action under this title in the event of a dispute between or among persons claiming rights to personal information in the business’s possession.
SEC. 21.
1798.185. Regulations
1798.185. (a) On or before July 1, 2020, the Attorney General shall solicit broad public participation and adopt regulations to further the purposes of this title, including, but not limited to, the following areas:
(8) Establishing how often, and under what circumstances, a consumer may request a correction pursuant to Section 1798.106, including standards governing: (A) how a business responds to a request for correction, including exceptions for requests to which a response is impossible or would involve disproportionate effort, and requests for correction of accurate information; (B) how concerns regarding the accuracy of the information may be resolved; (C) the steps a business may take to prevent fraud; and (D) if a business rejects a request to correct personal information collected and analyzed concerning a consumer’s health, the right of a consumer to provide a written addendum to the business with respect to any item or statement regarding any such personal information that the consumer believes to be incomplete or incorrect. The addendum shall be limited to 250 words per alleged incomplete or incorrect item and shall clearly indicate in writing that the consumer requests the addendum to be made a part of the consumer’s record.
(d) Notwithstanding subdivision (a), the timeline for adopting final regulations required by the Act adding this subdivision shall be July 1, 2022….
7. Children’s data: Strengthened opt-in rights and enhanced penalties for violations
The CPRA includes heightened administrative fines for mishandling children’s data in violation of the act. In fact, at $7,500 per violation, the potential fine when the business has actual knowledge that the consumer is under 16 years old is three times the fine for violations that do not concern children’s data. These increased sanctions are coupled with clarification that individuals under 16 must opt in for a business to sell “or share” their personal data. The clarification that selling also includes sharing is made throughout the CPRA. Further, businesses may not ask again for consent to sell or share data for at least 12 months after a consumer under 16 fails to provide it. Lastly, the CPRA calls for regulations to establish technical specifications for an opt-out signal that allows children or their parents to specify that a consumer is less than 13 or between 13 and 16 years old.
SEC. 17.
1798.155. Administrative Enforcement
1798.155. (a) Any business or third party may seek the opinion of the Attorney General for guidance on how to comply with the provisions of this title.
(b) A business shall be in violation of this title if it fails to cure any alleged violation within 30 days after being notified of alleged noncompliance. Any business, service provider, contractor or other person that violates this title shall be subject to an injunction and liable for an administrative fine of not more than two thousand five hundred dollars ($2,500) for each violation, or seven thousand five hundred dollars ($7,500) for each intentional violation or violations involving the personal information of consumers whom the business, service provider, contractor or other person has actual knowledge is under 16 years of age, as adjusted pursuant to paragraph (5) of subdivision (a) of Section 1798.185, in an administrative enforcement action brought by the California Privacy Protection Agency a civil penalty of not more than two thousand five hundred dollars ($2,500) for each violation or seven thousand five hundred dollars ($7,500) for each intentional violation, which shall be assessed and recovered in a civil action brought in the name of the people of the State of California by the Attorney General. The civil penalties provided for in this section shall be exclusively assessed and recovered in a civil action brought in the name of the people of the State of California by the Attorney General.
SEC. 9.
1798.120. Consumers’ Right to Opt‐Out of Sale or Sharing of Personal Information
1798.120. (a) A consumer shall have the right, at any time, to direct a business that sells or shares personal information about the consumer to third parties not to sell or share the consumer’s personal information. This right may be referred to as the right to opt‐out of sale or sharing.
(b) A business that sells consumers’ personal information to, or shares it with, third parties shall provide notice to consumers, pursuant to subdivision (a) of Section 1798.135, that this information may be sold or shared and that consumers have the “right to opt‐out” of the sale or sharing of their personal information.
(c) Notwithstanding subdivision (a), a business shall not sell or share the personal information of consumers if the business has actual knowledge that the consumer is less than 16 years of age, unless the consumer, in the case of consumers between at least 13 years of age and less than 16 years of age, or the consumer’s parent or guardian, in the case of consumers who are less than 13 years of age, has affirmatively authorized the sale or sharing of the consumer’s personal information. A business that willfully disregards the consumer’s age shall be deemed to have had actual knowledge of the consumer’s age. This right may be referred to as the “right to opt‐in.”
SEC. 13.
1798.135. Methods of Limiting Sale, Sharing, and Use of Personal Information and Use of Sensitive Personal Information
…
(c) A business that is subject to this Section shall:
…
(5) For a consumer who has opted‐out of the sale of the consumer’s personal information, respect the consumer’s decision to opt‐out for at least 12 months before requesting that the consumer authorize the sale of the consumer’s personal information consumers under 16 years of age who do not consent to the sale or sharing of their personal information, refrain from selling or sharing the personal information of the consumer under 16 years of age, and wait for at least 12 months before requesting the consumer’s consent again, or as authorized by regulations or until the consumer attains 16 years of age.
SEC. 21.
1798.185. Regulations
1798.185. (a) On or before July 1, 2020, the Attorney General shall solicit broad public participation and adopt regulations to further the purposes of this title, including, but not limited to, the following areas:
…
(B) Issuing regulations to establish technical specifications for an opt‐out preference signal that allows the consumer, or the consumer’s parent or guardian, to specify that the consumer is less than 13 years of age or at least 13 years of age and less than 16 years of age.
…
(d) Notwithstanding subdivision (a), the timeline for adopting final regulations required by the Act adding this subdivision shall be July 1, 2022….
8. Data retention: Necessity-based limitations
This highly significant new business obligation is somewhat hidden among the CPRA’s notice obligations. The CPRA would require a business to inform consumers of the length of time the business intends to retain each category of personal information and sensitive personal information or the criteria used to determine that period. More importantly, though, it would prohibit businesses from retaining such information for longer than reasonably necessary for the disclosed purpose of collection. While many privacy officers have implemented annual data deletion days as a best practice, getting all employees to comply and delete troves of outdated data, which no longer serves a purpose, has remained a perpetual challenge. This new obligation would force businesses to take a careful look at the personal data they have stored and delete unnecessary data much more regularly. Doing so would undoubtedly lessen the damage of future data breaches.
SEC. 4.
1798.100. General Duties of Businesses that Collect Personal Information
1798.100. (a) A consumer shall have the right to request that a business that collects a consumer’s personal information disclose to that consumer the categories and specific pieces of personal information the business has collected.
(b) A business that controls the collection of collects a consumer’s personal information shall, at or before the point of collection, inform consumers as to:
…
(3) the length of time the business intends to retain each category of personal information, including sensitive personal information, or if that is not possible, the criteria used to determine such period, provided that a business shall not retain a consumer’s personal information or sensitive personal information for each disclosed purpose for which the personal information was collected for longer than is reasonably necessary for that disclosed purpose.
9. Employee data: Expanded moratorium
Many covered businesses will surely appreciate the expanded employee data moratorium, which the CPRA extends until Jan. 1, 2023. Generally speaking, the act makes clear that personal information collected by a business in the employment context would not be covered until 2023. More specifically, the CPRA states that it does not apply to personal information collected from an individual acting as a job applicant, an employee, owner, director, officer, staff member or contractor, including with regard to benefits administration and maintenance of emergency contact information. There is a similar exclusion for communications or transactions between businesses and consumers, where the consumer is acting as an employee or in one of the other roles cited above. The CPRA’s introductory provisions, outlining its purpose and intent, make clear that while the privacy interests of employees and contractors should be protected, the relationship between employees and businesses is different from that between consumers and businesses, and that difference should be taken into account. For that reason, the law exempts employees and contractors from coverage until the beginning of 2023, providing time for adoption of another bill to govern data protections in that context.
SEC. 15.
1798.145. Exemptions
(m) (1) This title shall not apply to any of the following:
(A) Personal information that is collected by a business about a natural person in the course of the natural person acting as a job applicant to, an employee of, owner of, director of, officer of, medical staff member of, or independent contractor of that business to the extent that the natural person’s personal information is collected and used by the business solely within the context of the natural person’s role or former role as a job applicant to, an employee of, owner of, director of, officer of, medical staff member of, or an independent contractor of that business.
(B) Personal information that is collected by a business that is emergency contact information of the natural person acting as a job applicant to, an employee of, owner of, director of, officer of, medical staff member of, or independent contractor of that business to the extent that the personal information is collected and used solely within the context of having an emergency contact on file.
(C) Personal information that is necessary for the business to retain to administer benefits for another natural person relating to the natural person acting as a job applicant to, an employee of, owner of, director of, officer of, medical staff member of, or independent contractor of that business to the extent that the personal information is collected and used solely within the context of administering those benefits.
(2) For purposes of this subdivision:
(A) “Independent contractor” means a natural person who provides any service to a business pursuant to a written contract.
(B) “Director” means a natural person designated in the articles of incorporation as such or elected by the incorporators and natural persons designated, elected, or appointed by any other name or title to act as directors, and their successors.
(C) “Medical staff member” means a licensed physician and surgeon, dentist, or podiatrist, licensed pursuant to Division 2 (commencing with Section 500) of the Business and Professions Code and a clinical psychologist as defined in Section 1316.5 of the Health and Safety Code.
(D) “Officer” means a natural person elected or appointed by the board of directors to manage the daily operations of a corporation, such as a chief executive officer, president, secretary, or treasurer.
(E) “Owner” means a natural person who meets one of the following:
(i) Has ownership of, or the power to vote, more than 50 percent of the outstanding shares of any class of voting security of a business.
(ii) Has control in any manner over the election of a majority of the directors or of individuals exercising similar functions.
(iii) Has the power to exercise a controlling influence over the management of a company.
(3) This subdivision shall not apply to subdivision (a) of Section 1798.100 or Section 1798.150.
(4) This subdivision shall become inoperative on January 1, 2023.
(n) (1) The obligations imposed on businesses by Sections 1798.100, 1798.105, 1798.106, 1798.110, 1798.115, 1798.121, 1798.130, and 1798.135 shall not apply to personal information reflecting a written or verbal communication or a transaction between the business and the consumer, where the consumer is a natural person who acted or is acting as an employee, owner, director, officer, or independent contractor of a company, partnership, sole proprietorship, non‐profit, or government agency and whose communications or transaction with the business occur solely within the context of the business conducting due diligence regarding, or providing or receiving a product or service to or from such company, partnership, sole proprietorship, non‐profit, or government agency.
(2) For purposes of this subdivision:
(A) “Independent contractor” means a natural person who provides any service to a business pursuant to a written contract.
(B) “Director” means a natural person designated in the articles of incorporation as such or elected by the incorporators and natural persons designated, elected, or appointed by any other name or title to act as directors, and their successors.
(C) “Officer” means a natural person elected or appointed by the board of directors to manage the daily operations of a corporation, such as a chief executive officer, president, secretary, or treasurer.
(D) “Owner” means a natural person who meets one of the following:
(i) Has ownership of, or the power to vote, more than 50 percent of the outstanding shares of any class of voting security of a business.
(ii) Has control in any manner over the election of a majority of the directors or of individuals exercising similar functions.
(iii) Has the power to exercise a controlling influence over the management of a company.
(3) This subdivision shall become inoperative on January 1, 2023.
10. Service provider/contractor/third party: New obligations and clarifications
Finally, the CPRA places new contractual and direct obligations on service providers, contractors and third parties. This change too aligns with the separate and distinct obligations the GDPR places on processors. Three sets of provisions merit attention.
First, the CPRA adds and augments definitions compared to the CCPA. The CPRA adds a new definition for contractors, which hinges on the business providing the data pursuant to a written contract that prohibits the contractor from sharing or selling the personal data, processing it for any purposes other than those specified in the contract, or combining it with data received or collected through other means, with limited exceptions. The contract must allow the business to monitor the contractor’s compliance and require the contractor to notify the business if other persons are engaged in processing so that they too can be bound by the contractual protections. The definition further provides that the contractor must certify that it understands and will comply with the contractual obligations. The CPRA updates the definition for service providers so that the stipulated contractual requirements mirror those for contractors. The act also specifies that a third party is anyone other than the business, contractor or service provider, i.e., it uses the same “anything but” formulation as the CCPA.
SEC. 14.
1798.140. Definitions
…
(j) (1) “Contractor” means a person to whom the business makes available a consumer’s personal information for a business purpose pursuant to a written contract with the business, provided that the contract:
(A) Prohibits the contractor from:
(i) Selling or sharing the personal information.
(ii) Retaining, using, or disclosing the personal information for any purpose other than for the business purposes specified in the contract, including retaining, using, or disclosing the personal information for a commercial purpose other than the business purposes specified in the contract, or as otherwise permitted by this title.
(iii) Retaining, using, or disclosing the information outside of the direct business relationship between the contractor and the business.
(iv) Combining the personal information which the contractor receives pursuant to a written contract with the business with personal information which it receives from or on behalf of another person or persons, or collects from its own interaction with the consumer, provided that the contractor may combine personal information to perform any business purpose as defined in regulations adopted pursuant to paragraph (10) of subdivision (a) of Section 1798.185, except as provided for in paragraph (6) of subdivision (e) of this Section and in regulations adopted by the California Privacy Protection Agency.
(B) Includes a certification made by contractor that the contractor understands the restrictions in subparagraph (A) and will comply with them.
(C) Permits, subject to agreement with the contractor, the business to monitor the contractor’s compliance with the contract through measures including, but not limited to, ongoing manual reviews and automated scans, and regular assessments, audits, or other technical and operational testing at least once every twelve (12) months.
(2) If a contractor engages any other person to assist it in processing personal information for a business purpose on behalf of the business, or if any other person engaged by the contractor engages another person to assist in processing personal information for such business purpose, it shall notify the business of such engagement and the engagement shall be pursuant to a written contract binding the other person to observe all the requirements set forth in paragraph (1).
…
(ag) (1) “Service provider” means a sole proprietorship, partnership, limited liability company, corporation, association, or other legal entity that is organized or operated for the profit or financial benefit of its shareholders or other owners, person that processes personal information on behalf of a business and to which receives from or on behalf of the business discloses a consumer’s personal information for a business purpose pursuant to a written contract, provided that the contract prohibits the entity receiving the information person from: (A) selling or sharing the personal information; (B) retaining, using, or disclosing the personal information for any purpose other than for the specific purpose of performing the services business purposes specified in the contract for the business, or as otherwise permitted by this title, including retaining, using, or disclosing the personal information for a commercial purpose other than providing the services the business purposes specified in the contract with the business, or as otherwise permitted by this title; (C) retaining, using, or disclosing the information outside of the direct business relationship between the service provider and the business; and (D) combining the personal information which the service provider receives from or on behalf of the business, with personal information which it receives from or on behalf of another person or persons, or collects from its own interaction with the consumer, provided that the service provider may combine personal information to perform any business purpose as defined in regulations adopted pursuant to paragraph (10) of subdivision (a) of Section 1798.185, except as provided for in paragraph (6) of subdivision (e) of this Section and in regulations adopted by the California Privacy Protection Agency. 
The contract may, subject to agreement with the service provider, permit the business to monitor the service provider’s compliance with the contract through measures including, but not limited to, ongoing manual reviews and automated scans, and regular assessments, audits, or other technical and operational testing at least once every twelve (12) months.
(2) If a service provider engages any other person to assist it in processing personal information for a business purpose on behalf of the business, or if any other person engaged by the service provider engages another person to assist in processing personal information for such business purpose, it shall notify the business of such engagement, and the engagement shall be pursuant to a written contract binding the other person to observe all the requirements set forth in paragraph (1).
…
(ai) “Third party” means a person who is not any of the following:
(1) The business with whom the consumer intentionally interacts and that collects personal information from the consumer as part of the consumer’s current interaction with the business consumers under this title.;
(2) A service provider to the business; or
(3) A contractor.
Second, the CPRA contractually extends the data protection obligations of the act to service providers, contractors and third parties. Specifically, it requires businesses that send personal information to third parties, service providers or contractors to enter into an agreement binding the recipient to the same level of privacy protection as provided by the act, granting the business rights to take reasonable and appropriate steps to remediate unauthorized use, and requiring the recipient to notify the business if it can no longer comply. These requirements, too, are reminiscent of the GDPR and various international data transfer mechanisms designed to extend GDPR protections and enable cross-border compliance.
SEC. 4.
1798.100. General Duties of Businesses that Collect Personal Information
…
(d) A business that collects a consumer’s personal information and that sells that personal information to, or shares it with, a third party or that discloses it to a service provider or contractor for a business purpose shall enter into an agreement with such third party, service provider, or contractor, that:
(1) specifies that the personal information is sold or disclosed by the business only for limited and specified purposes; (2) obligates the third party, service provider, or contractor to comply with applicable obligations under this title and obligate those persons to provide the same level of privacy protection as is required by this title; (3) grants the business rights to take reasonable and appropriate steps to help to ensure that the third party, service provider, or contractor uses the personal information transferred in a manner consistent with the business’s obligations under this title; (4) requires the third party, service provider, or contractor to notify the business if it makes a determination that it can no longer meet its obligations under this title; (5) grants the business the right, upon notice, including under paragraph (4), to take reasonable and appropriate steps to stop and remediate unauthorized use of personal information.
Third, the CPRA places obligations directly on service providers and contractors. It mandates that they cooperate with and assist businesses in providing requested personal information in response to verifiable consumer requests as well as correcting or deleting information or limiting the use of sensitive personal information in response to such requests, each with some exceptions.
SEC. 5.
1798.105. Consumers’ Right to Delete Personal Information
(3) A service provider or contractor shall cooperate with the business in responding to a verifiable consumer request, and at the direction of the business, shall delete, or enable the business to delete, and shall notify any of its own service providers or contractors to delete, personal information about the consumer collected, used, processed, or retained by the service provider or the contractor.
The service provider or contractor shall notify any service providers, contractors or third parties who may have accessed such personal information from or through the service provider or contractor, unless the information was accessed at the direction of the business, to delete the consumer’s personal information, unless this proves impossible or involves disproportionate effort. A service provider or contractor shall not be required to comply with a deletion request submitted by the consumer directly to the service provider or contractor to the extent that the service provider or contractor has collected, used, processed, or retained the consumer’s personal information in its role as a service provider or contractor to the business.
(d) A business, or a service provider or contractor, acting pursuant to its contract with the business, another service provider, or another contractor, shall not be required to comply with a consumer’s request to delete the consumer’s personal information if it is reasonably necessary for the business, or service provider, or contractor to maintain the consumer’s personal information in order to:
(1) Complete the transaction for which the personal information was collected, fulfill the terms of a written warranty or product recall conducted in accordance with federal law, provide a good or service requested by the consumer, or reasonably anticipated by the consumer within the context of a business’s ongoing business relationship with the consumer, or otherwise perform a contract between the business and the consumer.
(2) Detect security incidents, protect against malicious, deceptive, fraudulent, or illegal activity; or prosecute those responsible for that activity. Help to ensure security and integrity to the extent the use of the consumer’s personal information is reasonably necessary and proportionate for those purposes.
(3) Debug to identify and repair errors that impair existing intended functionality.
(4) Exercise free speech, ensure the right of another consumer to exercise his or her that consumer’s right of free speech, or exercise another right provided for by law.
(5) Comply with the California Electronic Communications Privacy Act pursuant to Chapter 3.6 (commencing with Section 1546) of Title 12 of Part 2 of the Penal Code.
(6) Engage in public or peer‐reviewed scientific, historical, or statistical research in the public interest that conforms or adheres to all other applicable ethics and privacy laws, when the businesses’ business’s deletion of the information is likely to render impossible or seriously impair the achievement of ability to complete such research, if the consumer has provided informed consent.
(7) To enable solely internal uses that are reasonably aligned with the expectations of the consumer based on the consumer’s relationship with the business and compatible with the context in which the consumer provided the information.
(8) Comply with a legal obligation.
(9) Otherwise use the consumer’s personal information, internally, in a lawful manner that is compatible with the context in which the consumer provided the information.
SEC. 10
1798.121. Consumers’ Right to Limit Use and Disclosure of Sensitive Personal Information
…
(c) A service provider or contractor that assists a business in performing the purposes authorized by subdivision (a) may not use the sensitive personal information, after it has received instructions from the business and to the extent it has actual knowledge that the personal information is sensitive personal information for any other purpose. A service provider or contractor is only required to limit its use of sensitive personal information received pursuant to a written contract with the business in response to instructions from the business and only with respect to its relationship with that business.
SEC. 12
1798.130. Notice, Disclosure, Correction, and Deletion Requirements
…
(3) (A) A business that receives a verifiable consumer request pursuant to sections 1798.110 or 1798.115 shall disclose any personal information it has collected about a consumer, directly or indirectly, including through or by a service provider or contractor, to the consumer. A service provider or contractor shall not be required to comply with a verifiable consumer request received directly from a consumer or a consumer’s authorized agent pursuant to sections 1798.110 or 1798.115 to the extent that the service provider or contractor has collected personal information about the consumer in its role as a service provider or contractor. A service provider or contractor shall provide assistance to a business with which it has a contractual relationship with respect to the business’s response to a verifiable consumer request, including but not limited to by providing to the business the consumer’s personal information in the service provider or contractor’s possession, which the service provider or contractor obtained as a result of providing services to the business, and by correcting inaccurate information, or by enabling the business to do the same. A service provider or contractor that collects personal information pursuant to a written contract with a business shall be required to assist the business through appropriate technical and organizational measures in complying with the requirements of subdivisions (d) through (f) of Section 1798.100, taking into account the nature of the processing.
SEC. 21.
1798.185. Regulations
1798.185. (a) On or before July 1, 2020, the Attorney General shall solicit broad public participation and adopt regulations to further the purposes of this title, including, but not limited to, the following areas:
…
(10) Issuing regulations further defining and adding to the business purposes, including other notified purposes, for which businesses, service providers, and contractors may use consumers’ personal information consistent with consumers’ expectations, and further defining the business purposes for which service providers and contractors may combine consumers’ personal information obtained from different sources, except as provided for in paragraph (6) of subdivision (e) of Section 1798.140.
(11) Issuing regulations identifying those business purposes, including other notified purposes, for which service providers and contractors may use consumers’ personal information received pursuant to a written contract with a business, for the service provider or contractor’s own business purposes, with the goal of maximizing consumer privacy.
…
(d) Notwithstanding subdivision (a), the timeline for adopting final regulations required by the Act adding this subdivision shall be July 1, 2022…
Businesses considering CPRA requirements as they implement the CCPA should review the full text of the ballot initiative, not only the above-referenced text. The IAPP’s Westin Research Center included relevant CPRA text in each of the CCPA Genius’ topical sections next to the current CCPA text to aid companies in comparing requirements as they prepare for potential CPRA adoption.