California Consumer Privacy Act (“CCPA”) and California Privacy Rights Act of 2020 (“CPRA”) (effective January 1, 2023)

The CCPA went into effect on January 1, 2020. Thereafter, the CCPA was effectively amended via the CPRA. Critically, though the CPRA becomes effective on January 1, 2023, it covers data collected as of January 1, 2022. However, enforcement does not commence until July 1, 2023. Unfortunately, the final regulations related to the rollout of the CPRA have not yet been finalized.

THE CCPA

The CCPA applies to you if:

  1. You have annual gross revenues in excess of $25 million (whether or not you conduct business in California – so assume if you conduct any business in California and have revenues over $25 million, the law applies); OR
  2. You buy OR receive for commercial purposes OR sell OR share for commercial purposes, the personal information of 50,000 or more consumers, households or devices; OR
  3. You derive 50% or more of your annual revenue from selling consumers’ personal information;

AND

  1. You are any form of entity (including a sole proprietorship); AND
  2. You collect consumers’ personal information or someone collects it on your behalf; AND
  3. You (alone or with others) determine the purposes and means of the processing of the personal information (under GDPR, this would make you a “controller”); AND
  4. You conduct business in California (which would include selling to people located in California, having customers in California, etc.).

The CCPA excludes from the term “personal information” the following:

  1. Publicly available information (presumably easily and legally publicly available);
  2. PHI already covered by HIPAA;
  3. The sale of information to or from a consumer reporting agency for use in a consumer report in accordance with the Fair Credit Reporting Act;
  4. Personal information collected, processed, sold or disclosed in connection with the Gramm-Leach-Bliley Act or the Driver’s Privacy Protection Act of 1994, to the extent of a conflict with the CCPA.

The term “consumer” includes:

  1. Anyone in California for other than a temporary or transitory purpose; and
  2. Anyone who lives in California who is outside the state for temporary or transitory purposes.

THE CPRA

The first thing to recognize with respect to the CPRA is that it is basically a supplement or amendment to the CCPA. Thus, the provisions of CCPA remain UNLESS replaced by the CPRA. As a result, the analysis below focuses on changes/supplements to the CCPA by the CPRA.

Applicability of the CPRA:

  1. Business had at least $25 million in annual gross revenue as of Jan 1 of the prior year (this makes clear that the revenue requirement is annual, whereas the CCPA was slightly ambiguous); OR
  2. Business buys, sells or shares personal information of 100,000 or more California consumers or households [THIS USED TO BE 50k]; OR
  3. Business derives more than 50% of its revenue from selling or sharing personal information.

Primary Changes from CCPA:

  1. The exception for employee personal information and B2B personal information ends on January 1, 2023 (largely involves California employees).
  2. All personal information collected is subject to limits of principles of necessity, proportionality and compatibility.
  3. Companies must provide notice at or before point of collection of personal information with such notice indicating whether information will be sold or shared, length of data retention, and additional disclosures below as to “sensitive personal information.”
  4. Creation of a new category of “sensitive personal information” more in line with GDPR, and increasing obligations with respect to “sensitive personal information.”
  5. Limits to exceptions of CCPA’s existing right to delete.
  6. Explicit rights, similar to GDPR, with respect to personal information.
  7. Expanding “Do Not Sell” opt-out to mere “sharing” for purposes of cross-context or third-party advertising.
  8. Additional exemptions from compliance spelled out.
  9. Must affirmatively respect opt-out preference signal from consumers.
  10. New vendor flow-down requirements that will require review of prior CCPA flow-down contracts. Specific requirements for all such contracts.
  11. Addition of an independent security obligation – reasonable security procedures and practices appropriate to the nature of the personal information to protect that personal information from unauthorized or illegal access, destruction, use, modification or disclosure.
  12. New regulations coming to address processing that presents “significant risk” to consumers’ privacy or security.

What Needs To Be Done

In anticipation of January 1, applicable businesses need to:

1. Engage in data mapping to determine what applicable personal information they have, where it is located, with whom it is (or is to be) shared/sold.

2. Review security used in connection with applicable personal information.

3. Determine any third-party contractual obligations to comply with “applicable law,” CCPA, or the CPRA.

4. Determine which vendors/contractors/service providers receive or process any of the subject personal information on behalf of the business or in connection with any contractual obligation or right.

5. Determine which of the above CCPA/CPRA obligations need to be implemented (i.e., those which are not currently in place).

6. Update website Privacy Policy.

For more information, contact: Michael Feldman at , or 908-964-2486