Upon going into effect on Jan. 1, 2020, the California Consumer Privacy Act (CCPA) sent shock waves across the online business and marketing worlds by ushering in the nation’s toughest consumer-geared digital privacy protections. For many enterprises doing in-person or online business in California (and even for some whose websites were simply visited by California consumers), it created a host of new requirements regarding the collection and use of consumers’ personal data. For businesses meeting certain thresholds defined in the law, it required making revisions to their websites and other digital assets, including updating their privacy policies, preparing to respond to consumers’ requests regarding the data collected about them and more.
Now, the law’s sequel has arrived. Approved by California voters on Election Day 2020, the California Privacy Rights Act of 2020 (CPRA) will expand upon the data privacy protections created by the CCPA. It adds provisions allowing consumers to prevent businesses from sharing their personal information, speeds the imposition of penalties on businesses that violate the state’s consumer privacy laws and creates a new enforcement entity in the state’s Privacy Protection Agency, among other things.
The CPRA may be a California law, but due to the United States’ interconnected national economy, it will have sweeping effects on data-privacy practices for businesses throughout the nation, including in South Carolina. This is because, for businesses that meet the law’s applicability criteria (see details below), doing business with any California resident would make them subject to the law’s requirements. So any applicable business that collects information from any California resident, including via digital communications and transactions, would need to meet the law’s requirements.
The CPRA’s top business impacts
While most of the provisions of the CPRA are not set to fully take effect until January 2023 and will not be enforced until July 2023, the law will apply to information collected starting in January 2022, and impacted businesses will want to start making preparations for the changes well before that date.
While this is by no means an exhaustive list, some of the biggest responsibilities created by the CPRA that affected businesses will want to anticipate moving forward include:
- Applicability evaluation: The CPRA makes some changes regarding which businesses fall under the law’s expanded requirements. The thresholds businesses must meet for the law to apply to them include:
– at least 50 percent of annual revenues being derived from sharing or selling California consumers’ personal information
or
– a gross revenue exceeding $25 million
or
– the purchase, sale or sharing by the business of the personal information of more than 100,000 California consumers/households
Business owners will want to carefully review the criteria to determine whether their business qualifies.
- Increased security measures: The CPRA makes it easier for consumers to bring claims against businesses that allow their information to be accessed without their authorization, including data breaches that disclose login information and passwords, answers to security questions, and other personal information. Businesses should be prepared to bulk up their security protections to avoid new penalties created by the CPRA.
- Compliance mechanisms: Because the CPRA broadens privacy protections for consumers and extends a number of protections to employees, job applicants and independent contractors, businesses will need to create and/or update their processes for allowing these individuals to exercise their new rights regarding their personal data, including placing limitations on the sharing of this data. Additionally, businesses will need to create processes by which consumers can correct inaccurate data about themselves that the business may request, another new requirement presented by the CPRA.
- Examination of information use: The CPRA further restricts the allowed uses of the information a business collects, placing additional limits on the sharing of personal information and the use of consumers’ personal information for the purposes of behavioral/targeted advertising. It also further restricts the use of what it deems “sensitive personal information” such as location, race, religion, sexual orientation and more.
- Process for information deletion/disposal: Because the CPRA places limits on how long a business can retain a consumer’s personal information once there is no longer a valid business reason to keep it, businesses will need to create mechanisms for deleting or destroying this information once a designated period of non-use has expired. Further, businesses are required to let consumers know how long they intend to retain this type of information.
- Website and privacy policy updates: Businesses that must adhere to the CPRA’s new restrictions will need to update their websites and their websites’ privacy policies to convey compliance with the new law’s added requirements. Additionally, the CPRA allows users to opt out of the sharing and selling of their personal information, requiring businesses to provide website functionality that allows consumers to share this decision and to ensure that their decision will be respected once it is made.
Business owners and managers should be aware that the list above contains just a portion of some of the biggest responsibilities the CPRA will create for businesses that collect digital information about California consumers. The law’s full 50-plus pages can be reviewed here, and businesses that will be impacted by the new regulations are highly advised to seek legal counsel to determine just what steps they will need to take to ensure compliance with the law.