In November 2020, the California Privacy Rights Act ballot initiative passed. The CPRA includes additional rights not part of the existing California Consumer Privacy Act, including the right to correct inaccurate personal information and the right to limit the use and disclosure of “sensitive personal information,” a new category of information created by the CPRA. Though the majority of the CPRA’s provisions will not be operative until Jan. 1, 2023, learning about these new rights and the corresponding obligations is essential to prepare.
It is worth noting the California law section of the California Legislative Information website now includes both the CCPA and the CPRA provisions.
Right to correct
Section 1798.106 of the CPRA gives consumers the right to correct inaccurate personal information. Businesses will be required to disclose to consumers information about their right to correct and provide consumers with a means to request a correction. The CPRA requires businesses to use “commercially reasonable efforts” to correct inaccurate personal information.
Commercially reasonable
The CPRA uses the phrase “commercially reasonable” in three different provisions related to handling consumer requests, including in the definition of “verifiable consumer requests.” The CPRA does not define nor provide examples of what this phrase means, and it is not a phrase used in the CCPA. Instead, the CCPA uses the term “reasonable” in the context of verifying consumer requests and in the CCPA regulation regarding verification, Section 999.323. “Commercially reasonable” signals that there is some distinction intended by introducing this phrase, though the level of distinction is unclear.
As noted in an article by the Goodwin law firm, California courts generally refer to “efforts” clauses such as “commercially reasonable efforts” as “something different than ‘a promise to act in good faith,’ and something less than fiduciary duty.” The California cases cited in the article are instructive. In one case, the parties disagreed over whether the “best efforts” requirements in a contract were met. The Court held that when there is no definition of “best efforts,” parties must act with the “diligence of a reasonable person under compatible circumstances” and not that of a fiduciary. In another case, the Court considered several decisions analyzing the term and noted: “[t]hese cases are consistent with the principle that ‘commercially reasonable efforts’ permits the performing party to consider its economic business interests.”
It will be interesting to watch whether the CPRA regulations anticipated regarding Section 1798.106 define “commercially reasonable efforts.”
Submitting and responding to requests to correct
Under Section 1798.130 of the CCPA, businesses are required to provide consumers at least two designated methods for submitting requests to disclose information. The CPRA extends this requirement to requests to correct. Pursuant to CPRA Section 1798.130, one of the designated methods must be a toll-free telephone number for consumers to make a request. If a business maintains a website, the business must enable consumers to make a request through their site. When a business “operates exclusively online and has a direct relationship with a consumer,” the business is only required to provide an email address for submitting requests.
Like the CCPA, Section 1798.130(a)(2)(A) of the CPRA requires that within 45 days of receiving a consumer request, a company must determine whether the request is a verifiable consumer request and correct the inaccurate personal information. This time period may be extended once when “reasonably necessary” if the consumer receives notice of the extension before the end of the initial 45-day period.
The obligation to act on a request to correct also applies to service providers and contractors who have a contractual relationship with a business per Section 1798.130(a)(3)(A). Service providers and contractors are required to provide assistance to a business in responding to a consumer request “by correcting inaccurate information or by enabling the business to do the same.”
Future regulation regarding the right to correct
Businesses and consumers should note that further guidance on the right to correct is anticipated per the CPRA regulations provision, including Sections 1798.185(a)(7) & (8). Areas to be addressed include how exactly a business may respond to a request for correction and “[h]ow concerns regarding the accuracy of the information may be resolved.”
Treatment of sensitive personal information
The CPRA establishes a new category of “sensitive personal information,” which offers additional protections for consumers. Recognizing the need to protect “sensitive personal information” moves California privacy law closer to aligning with the GDPR, which refers to processing “special categories of personal data” in Article 9 and “protecting sensitive personal data” in Recital 51. However, key differences still distinguish the two, including with regard to sensitive data. Some differences include the CPRA not requiring express consent in the processing of sensitive personal information and the GDPR not prescribing the specific methods companies must deploy (and even the wording required) to enable consumers to limit the use and disclosure of sensitive personal information, as explained below.
Defining sensitive personal information
Under CPRA Section 1798.140(ae), the definition of sensitive personal information covers a large spectrum of information and builds on the definition of personal information. Specifically, “sensitive personal information” is defined as “personal information that reveals” a consumer’s:
- Social Security, driver’s license, state identification card, or passport number.
- Account login, financial account, debit card, or credit card number in combination with any required security or access code, password, or credentials allowing access to an account.
- Precise geolocation.
- Racial or ethnic origin, religious or philosophical beliefs, or union membership.
- Mail, email and text message content, unless the business is the intended recipient of the communication.
- Genetic data.
Biometric information processed “for the purpose of uniquely identifying a consumer,” and “personal information collected and analyzed concerning a consumer’s” health, sex life or sexual orientation, are also considered sensitive personal information. In comparison, the CCPA defines personal information as “information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.”
Like “personal information,” the definition of “sensitive personal information” excludes “publicly available” information. The term “publicly available” is defined in the definition of “personal information” and means “information that is lawfully made available from federal, state, or local government records” and information a business has a reasonable basis to believe is lawfully made available to the general public by the consumer or from widely distributed media.
Notice of collection
Pursuant to 1798.100(a)(2), a business that collects sensitive personal information must provide notice of the collection to consumers. Businesses must inform consumers of “the categories of sensitive personal information” that are being collected, the “purposes for which the categories of sensitive personal information are collected or used,” and whether the information is sold or shared. Businesses cannot collect additional categories of sensitive personal information or use sensitive personal information for additional purposes that are “incompatible with the disclosed purpose” stated for its collection without providing the consumer notice.
Right to limit use and disclosure
Consumers have the right to limit the use of their sensitive personal information pursuant to CPRA Section 1798.121. A consumer can request that a business use sensitive personal information only as “necessary to perform the services or provide the goods reasonably expected by an average consumer who requests those goods or services,” to provide certain services, and as authorized by further regulations. Sensitive personal information “collected or processed without the purpose of inferring characteristics about a consumer” is not subject to this provision and is treated as “personal information.”
Additionally, service providers or contractors assisting a business in providing certain authorized services may not use sensitive personal information for non-approved purposes after receiving instructions from a business, to the extent they have “actual knowledge that the personal information is sensitive personal information.”
The CPRA regulations section, 1798.185, anticipates further guidance regarding the treatment of sensitive personal information in several areas, including whether additional categories of sensitive personal information are appropriate, how to “facilitate and govern” consumer requests to limit the use of sensitive personal information “to ensure that consumers have the ability to exercise their choices without undue burden,” and opt-out specifications.
Methods for limiting use and disclosure
The CPRA prescribes specific methods to limit the use and disclosure of sensitive personal information, building on the “Do Not Sell My Personal Information” link mandated by the CCPA and offering an alternative.
Under CPRA Section 1798.135, businesses that sell or share consumers’ personal information, or that use or disclose consumers’ sensitive personal information for purposes other than those allowed by the CPRA, are required to provide a “clear and conspicuous link” where consumers may opt out of the selling or sharing of their personal information as well as the use or disclosure of their sensitive personal information. These links must be on a business’s homepage(s) and be labeled “Do Not Sell or Share My Personal Information” and “Limit the Use of my Sensitive Personal Information” respectively.
The CPRA also authorizes two alternatives to this pair of links. Under the first option, a business may choose to “utilize a single, clearly labeled link on the business’” homepage(s) instead of having the two links noted above, if the single link “easily allows a consumer to opt-out of the sale or sharing of the consumer’s personal information and to limit the use or disclosure of the consumer’s sensitive personal information.” Under the second option, businesses may respect an opt-out preference signal “sent with the consumer’s consent by a platform, technology, or mechanism” to accomplish the same purposes. Future regulations will provide technical specifications regarding this signal.
Covered businesses should take note that in addition to the new methods prescribed to limit the use or disclosure of sensitive personal information, the CPRA adjusts the text of the “Do Not Sell My Personal Information” link mandated by the CCPA, adding the words “or Share” to reflect the expanded scope of the CPRA.
Conclusion
The CPRA’s right to correct inaccurate information and the new category of sensitive personal information impose new obligations on businesses. As Jan. 1, 2023 approaches, regulations are likely to offer greater clarity and specificity regarding these obligations. We will continue to offer insight into the CPRA in the other articles in this series and as new regulations are released.