The IAPP has been diving deep into the California Privacy Rights Act, a ballot initiative passed in November 2020 that amends and adds to the California Consumer Privacy Act. Previous articles in our 10-part series analyzing the operational impacts of the CPRA include Part 1, discussing the new enforcement agency, the California Privacy Protection Agency; Part 2, exploring whether an entity is a “business” within the law’s scope; and Part 3, examining the CPRA’s new provisions regarding the right to correct and the treatment of sensitive personal information.
This fourth installment in the series discusses some of the other expanded rights and obligations included in the CPRA and how they compare to the now-operative CCPA, as well as the EU General Data Protection Regulation. It looks in particular at Section 1798.100, which covers the general duties of businesses that collect personal information. The CPRA expands the requirements in this section regarding the right to know length of data retention, data minimization and purpose limitation, reasonable security requirements, and contract requirements with third parties, service providers and contractors. The CPRA also includes updated requirements regarding data portability, precise geolocation data and children’s data.
Right to know length of data retention
CPRA Section 1798.100(a) requires “[a] business that controls the collection of a consumer’s personal information” to provide consumers with certain information “at or before the point of collection.” Under Section 1798.100(a)(3), consumers now have a right to know “[t]he length of time the business intends to retain each category of personal information, including sensitive personal information.”
If a business is unable to provide a specific retention period, the business instead must provide the “criteria used to determine such period.” These new notification requirements and the substantive data retention limits discussed below may encourage businesses to approach data collection and storage more strategically, recognizing they will now have to report their data retention timelines.
Data minimization and purpose limitation
The CPRA pairs the above notice provisions with new data minimization and purpose limitation requirements. Under Section 1798.100(a)(3), “a business shall not retain a consumer’s personal information or sensitive personal information for each disclosed purpose” for a period “longer than is reasonably necessary” for the disclosed purpose for which the data was collected. Pursuant to 1798.100(c), “[a] business’s collection, use, retention and sharing of a consumer’s personal information shall be reasonably necessary and proportionate to achieve the purposes for which the personal information was collected or processed...” Furthermore, under Section 1798.100(c), the information can also be used for “another disclosed purpose that is compatible with the context in which the personal information was collected, and not further processed in a manner that is incompatible with those purposes.”
These data minimization and purpose limitation requirements are similar to principles in the GDPR. Under Article 5 of the GDPR, the personal data company's process must be “adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (‘data minimization’).” Regarding purpose limitations, also under Article 5, personal data shall be “collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes... (‘purpose limitation’).”
While the GDPR requires data collection be “limited to what is necessary,” the CPRA approaches the same concept from a different angle by requiring collected data to be “reasonably necessary and proportionate.” It has yet to be seen if the limiting language in the GDPR is more stringent when applied than the CPRA’s reasonably necessary and proportionate language.
Reasonable security requirement
CPRA Section 1798.100(e) directs any business that collects a consumer’s personal information to “implement reasonable security procedures and practices appropriate to the nature of the personal information to protect the personal information from unauthorized or illegal access, destruction, use, modification, or disclosure.”
Though the CCPA does not specifically include a “reasonable security” requirement, the private right of action provision, Section 1798.150, is based on a business violating its “duty to implement and maintain reasonable security procedures and practices” and uses the definition of “personal information” from California’s Customer Records Act, Section 1798.81.5. The CRA generally requires a business “that owns, licenses, or maintains personal information about a California resident” to “implement and maintain reasonable security procedures and practices ... to protect the personal information from unauthorized access, destruction, use, modification, or disclosure.”
Although “reasonable security” is an existing concept, including in California law, the CPRA provides no definition for “reasonable security procedures and practices.” Prior suggestions on how to implement “reasonable security” standards may be used to better understand what may constitute reasonable security under the CPRA. For example, in 2016, then-California Attorney General Kamala Harris released the "California Data Breach Report." The report included 20 controls identified from the Center for Internet Security’s Critical Security Controls that constitute a “minimum level of information security that all organizations that collect or maintain personal information should meet.” Failure to implement all 20 controls “constitutes a lack of reasonable security.” Beyond these 20 controls, the 2016 report also strongly suggests that organizations use multifactor authentication for consumer-facing online accounts and encryption.
Contracts when sharing, selling or disclosing personal information to a third party, service provider or contractor
The CPRA also includes contractual requirements for a business and third parties, service providers and contractors. These contractual requirements are laid out in Sections 1798.100(d), 1798.140(j)(1) and 1798.140(ag)(1) and are paired with direct obligations on service providers and contractors in Sections 1798.105(c)(3), 1798.121(c) and 1798.130(a)(3)(A). Each of these new requirements and their impacts on vendor management will be discussed in-depth in part six of this series.
Data portability
The right to data portability was already included in the CCPA, but the CPRA has modified the requirement. Under CCPA Section 1798.100(d), businesses are already required to provide personal information to consumers who made a verifiable request in a portable format if provided electronically, and, if “technically feasible,” in a “useable format that allows the consumer to transmit this information to another entity without hindrance.”
The data portability under CPRA Section 1798.130(a)(3)(B)(iii) gives consumers increased ease in transferring data from one business to another. A business must provide the “specific pieces of personal information obtained from the consumer in a format that is easily understandable to the average consumer, and to the extent technically feasible, in a structured, commonly used, machine-readable format.” That information may then “be transmitted to another entity at the consumer’s request without hindrance.” For businesses, it means that data must be, to the extent technically feasible, available in a commonly used and machine-readable format, not just a format that allows the consumer to transmit the data.
Right to limit the use and disclosure of precise geolocation
Under CPRA Section 1798.121, a consumer has the right to limit the use and disclosure of “sensitive personal information,” as discussed in detail in part three of this series. The term “sensitive personal information” is defined in Section 1798.140(ae) to include personal information that reveals “a consumer’s precise geolocation.” The CPRA defines “precise geolocation” as “any data that is derived from a device and that is used or intended to be used to locate a consumer within a geographic area that is equal to or less than the area of a circle with a radius of 1,850 feet...” (or roughly 0.35 miles).
Children’s data
Under CCPA Section 1798.155, a violator will be assessed a civil penalty of no more than $2,500, and each intentional violation will be assessed a civil penalty of no more than $7,500. The CPRA extends this civil penalty to not just cover each intentional violation, but violations involving information from minors under 16 years of age. Under Section 1798.155, each violation will include a penalty “up to seven thousand five hundred dollars ($7,500) for each intentional violation and each violation involving the personal information of minor consumers whom the business … has actual knowledge are under 16 years of age.” The money will go to the Consumer Privacy Fund within the state’s General Fund.
Conclusion
The CPRA is bound to change how consumers interact with companies to understand their data. Consumers will have new rights, and companies will have to work to meet an expanded set of data protection obligations under the CPRA. The IAPP will continue to offer insight into the CPRA in our other articles in the series and as regulations or amendments to the law are adopted.
Photo by Steven Pahel on Unsplash