CCPA 2.0: The California Privacy Rights Act
On November 3rd, the voters of California passed a ballot referendum entitled Proposition 24. The measure is called the California Privacy Rights Act of 2020 or the CPRA. The CPRA amends the California Consumer Privacy Act (CCPA) which went into effect on January 1, 2020. It aligns the CCPA more closely to the GDPR.
It is important to note that information subject to the Gramm-Leach-Bliley Act is still exempt from the CCPA’s requirements, with the exception of the private right of action in response to security breaches. The changes below will primarily be of concern for non-consumer data and any other data that falls outside the scope of the GLBA and Regulation P.
Amended Definition of “Business”
The CPRA slightly raises the CCPA’s threshold for which businesses fall within the scope of the rule. Currently, in order to be covered by the CCPA, a credit union must meet one of three thresholds: (1) have annual gross revenues in excess of $25 million; (2) buy, sell or share the personal information of 50,000 consumers, households or devices; or (3) derive 50% or more of its revenue from selling or sharing consumers’ personal information.
The CPRA amends prong #2 by raising the threshold from 50,000 to 100,000 consumers or households and eliminating devices from the count. For credit unions with annual gross revenues below $25 million, this threshold adjustment may be useful.
A Definition of and New Requirements for Sensitive Personal Information
One important change is the addition of a definition for “sensitive personal information” and additional requirements regarding the use and disclosure of information that meets the definition. “Sensitive personal information” that might be commonly held by a credit union could include a member’s:
- social security number, driver’s license number, or passport number;
- log-in information, account number, debit or credit card number in conjunction with a password or other access credentials;
- precise geolocation information;
- racial or ethnic origin; or
- biometric information for identifying the consumer.
The CPRA creates a new consumer right to limit the use and disclosure of this sensitive information to what is necessary to provide the goods or services the consumer is requesting and to perform certain business-purpose activities, such as ensuring information security, advertising the credit union’s own products, and conducting quality reviews. If a credit union uses sensitive personal information to infer specific characteristics about the consumer, it must disclose that use and provide the consumer with a right to opt out.
While the words “data minimization” do not appear in the CPRA, it nonetheless contains a requirement in that vein. New Section 1798.100(a)(3) requires businesses to disclose the length of time the business will retain each category of personal information it collects.
If the business is not able to describe that length of time, it can describe the criteria it uses to determine the period, “provided that a business shall not retain a consumer's personal information or sensitive personal information for each disclosed purpose for which the personal information was collected for longer than is reasonably necessary for that disclosed purpose.”
In other words, if a credit union cannot commit to a specific retention period, it must commit to a principle of data minimization: once the information is no longer necessary for the original disclosed purpose, the credit union may no longer retain it.
The Definition of “Sharing”
The CPRA amends the opt out provisions of the CCPA to apply not only to businesses that sell personal information, but also businesses that share personal information. However, the definition of “sharing” is quite limited. It means:
“sharing, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means, a consumer's personal information by the business to a third party for cross-context behavioral advertising, whether or not for monetary or other valuable consideration, including transactions between a business and a third party for cross-context behavioral advertising for the benefit of a business in which no money is exchanged.”
So the disclosure of information in the context of processing transactions, servicing accounts, or responding to legal process would not be included in this definition of sharing. However, sharing information with third parties to undertake joint marketing efforts may now trigger the opt-out provision of the CCPA if the activity meets the definition of “cross-context behavioral advertising.”
Right to Correct Inaccurate Personal Information
In addition to the CCPA’s “right to know,” “right to delete,” and “right to opt out,” the CPRA adds a new “right to correct.” This allows a consumer to request that a business correct any “inaccurate personal information” held about the consumer. The law says this right must take into account “the nature of the personal information and the purposes of the processing of the personal information.”
The CPRA does not define what “inaccurate” means. It does state that a credit union is not required to correct inaccurate information where doing so would be impossible or would involve disproportionate effort. The CCPA tasks the California Attorney General with issuing regulations governing responses to these requests, including appropriate exceptions and the resolution of concerns regarding the accuracy of information.
Creation of the California Privacy Protection Agency and Implementing Regulations
The CPRA creates a new administrative agency – the California Privacy Protection Agency – to implement and enforce the CCPA. The CCPA and the CPRA allow the California Attorney General to issue implementing regulations. However, the California Privacy Protection Agency will assume rulemaking responsibilities under the CCPA on the earlier of July 1, 2021 or six months after the agency notifies the Attorney General that it is prepared to do so. Final regulations implementing the CPRA must be adopted by July 1, 2022.
The CPRA extends the CCPA’s temporary exemptions for implementation regarding data collected in the context of business-to-business transactions or employment from January 1, 2022 until January 1, 2023.
The CPRA’s amendments generally become legally effective on January 1, 2023. However, except for the right to know and access to collected personal information, the provisions have a look-back to data collected beginning on January 1, 2022. Enforcement of the CPRA amendments will begin on July 1, 2023 and will only cover violations occurring on or after that date. In the meantime, the CCPA as it currently exists continues in full force.