The CCPA's requirements are enhanced and updated in a new law, the California Privacy Rights Act (the CPRA).
- 1. Who is Affected by the CPRA?
- 3.1. Sensitive Personal Information
- 3.2. Data Retention Notification
- 3.3. New Consumer Rights
- 3.3.1. Data Sharing
- 3.3.2. Data Correction
- 3.3.3. Automated Decision Making
- 5. Summary
Who is Affected by the CPRA?
The existing CCPA's measures have been enforced since 1 July 2020. The law applies in any of three cases:
- Your business has an annual revenue exceeding $25 million
- In any one-year period, your business buys, sells or shares personal data relating to more than 50,000 consumers, devices or households in California
- Your business makes at least half of its annual revenue from selling personal data relating to California consumers
The CPRA passed as a ballot initiative in November 2020. It will take legal effect from 1 January 2023 with enforcement beginning on 1 July 2023. In effect, the CPRA will replace the CCPA. It will continue all of its requirements and add new ones, but will reduce the scope of businesses that come under the law.
If you are not currently covered by the CCPA, you will not have to follow the CPRA.
You may be covered by the CCPA but excluded from the CPRA. This is because the threshold for buying, selling or sharing data increases to 100,000 consumers or households, with devices no longer counting.
The CCPA is based around five consumer rights:
- Knowing what data you collect about them
- Knowing if you sell or disclose the data
- Stopping you from selling the data
- Accessing the data you have collected
- Exercising these rights without discrimination on price or service
You must comply with the "rights to know" by giving clear information about 11 categories of data. For each category you must separately say whether you collect data, how you use data and whether you share data.
The categories are as follows:
(A) Identifiers such as a real name, alias, postal address, unique personal identifier, online identifier, Internet Protocol address, email address, account name, social security number, driver's license number, passport number, or other similar identifiers.
(B) Any categories of personal information described in subdivision (e) of Section 1798.80. (This effectively covers any information that identifies an individual, unless that information is public knowledge.)
(C) Characteristics of protected classifications under California or federal law.
The California protected characteristics are as follows:
- Ancestry and national origin
- Gender identity or expression
- Genetic information
- Marital status
- Medical conditions
- Mental or physical disability
- Military or veteran status
- Pregnancy, childbirth, breastfeeding or related medical conditions
- Sex and gender
- Sexual orientation
(D) Commercial information, including records of personal property, products or services purchased, obtained, or considered, or other purchasing or consuming histories or tendencies.
(E) Biometric information
(F) Internet or other electronic network activity information, including, but not limited to, browsing history, search history, and information regarding a consumer's interaction with an Internet Web site, application, or advertisement.
(G) Geolocation data
(H) Audio, electronic, visual, thermal, olfactory, or similar information
(I) Professional or employment-related information
(J) Education information, defined as information that is not publicly available personally identifiable information as defined in the Family Educational Rights and Privacy Act (20 U.S.C. section 1232g, 34 C.F.R. Part 99). (This includes the name or address of a student or their family members; personal identifiers of the student such as a student number; and any information that indirectly identifies a student.)
(K) Inferences drawn from any of the information identified in this subdivision to create a profile about a consumer reflecting the consumer's preferences, characteristics, psychological trends, predispositions, behavior, attitudes, intelligence, abilities, and aptitudes.
VMWare gives a clear breakdown of which categories of data it shares and the types of recipient:
The CCPA also says you must allow people aged over 16 to opt out of you selling their personal data. For those aged 13 to 16, it's an opt-in system meaning you can't sell the data until you have consent. For under-13s you must get parental or guardian consent before selling data.
You must have a dedicated web page for exercising this opt-out. Your home page must link to this dedicated page using link text reading "Do Not Sell My Personal Information."
The LA Times goes a step beyond the minimum requirement by including the link on every page through its navigation menu:
Now let's take a look at what changes are coming that will affect all of this.
Sensitive Personal Information
This is a new 12th category that you must use when running down how you collect, use and share data. It covers the following:
- Any communications the consumer has with a third party (i.e. somebody outside your business)
- Biometric data processed to identify an individual
- Data about sexual orientation or sex life
- Financial account details in a combination (for example card number and password) that gives access to an account
- Genetic data
- Government-issued numbers (such as a social security number or a number on a passport, or driver's license)
- Health data
- Philosophical or religious beliefs
- Precise geolocation
- Racial or ethnic origin
- Union membership
Note that any information that is already publicly available does not count as either personal or sensitive personal information.
As well as being a category for notification purposes, sensitive personal information enjoys an extra level of protection. Consumers can tell you to only use this information to provide requested goods or services. If they do so, you can't use the information for other purposes such as marketing, even if you tell the consumer you are doing so.
As with the right to opt out of data sales, the CPRA says you must have a dedicated web page where customers can exercise this right. In this case, you must link to it from your home page using the wording "Limit the Use of My Sensitive Personal Information."
However, you can combine both opt-outs into a single page and use a single home page link. In this case you can use any appropriate wording for the link.
Data Retention Notification
The CPRA adds a new notification requirement (alongside data you collect, use of data and sharing of data). This fourth notification must say either how long you will keep the data or how you will decide when to dispose of it.
As with the other three notifications, you must list this data retention detail for each and any of the 12 categories (including the new "sensitive personal information") in which you hold data.
Clauses like this will need to be updated to be more specific if they're to comply with the CPRA.
New Consumer Rights
Data Sharing
While the CCPA only gave consumers the right to opt out of you selling their data, the CPRA expands this right so they can opt out of you sharing or disclosing it to a third party in any way, even without payment.
Data Correction
The CPRA gives consumers the right to ask that you correct any inaccuracies in their personal information.
If you only operate online and you deal with the consumer directly, you can give them an email address for making correction requests.
If you have an offline presence, you must offer two ways to exercise this right. One must be a toll-free phone number.
House of Air already provides a way to request a correction by email. It will need to add the toll-free number when the CPRA takes effect:
Automated Decision Making
Under the CPRA, you must tell consumers if you use their data for automated decision making (also called data profiling). This is a simple yes or no covering all types of data. You don't have to break it down by category.
Consumers don't have the blanket right to stop you using their data for any form of automated decision making but can tell you not to use it for profiling any of the following:
- Economic situation
- Location or movements
- Performance at work
- Personal preferences
The law's stated purpose is to enable consumer rights including having "the information necessary to exercise meaningful control over businesses' use of their personal information..." Hiding or downplaying this information would restrict this right.
The information you must publish is as follows:
- The consumer's rights under the CPRA including how they can make data access requests.
- A category-by-category breakdown of whether you have collected data, where you got it, why you use it, and who (or what type of organization) you've disclosed it to in the past 12 months.
Aramark has a dedicated California page, organized around the CCPA consumer rights:
The San Diego Union-Tribune has a dedicated link that appears at the bottom of every page of its website:
Summary
- The CPRA takes effect in 2023 and builds upon the existing CCPA. It incorporates most of the CCPA's measures.
The CPRA will apply to your business if:
- Your annual revenue is more than $25 million,
- You buy, sell or share personal data about more than 100,000 California residents or households in a year, OR
- You make at least half your annual revenue by selling California consumers' personal data
- The CCPA says you must tell consumers about your data practices in 11 defined categories. For each category you must say whether you collect data, how you use it, and whether you share it.
- People can opt out of you selling their personal data. You must have a dedicated page for exercising this opt out and link to it from your home page.
- The CPRA adds a new category of "sensitive personal information." You must use this alongside the original 11 categories when giving details of your data practices.
- Under the CPRA, consumers can opt out of you using sensitive personal information for anything other than supplying requested goods or services. Again, you must have a dedicated page for exercising this opt out and link to it from your home page. (You can combine this with the page for exercising the opt out from data sales.)
- Under the CPRA, you must give a category-by-category breakdown of how long you will keep personal data.
- The consumer right to opt out of data sales expands under the CPRA to cover any form of data sharing.
- The CPRA gives consumers the right to correct their personal data.
- Under the CPRA, you must tell consumers if you use personal data for automated decision making (profiling). Consumers can stop you using their data for some, but not all, types of profiling.
- The consumer's rights and how to make data access requests
- The category-by-category breakdown of what data you collect, where you got it, the purpose for using it, and who you've disclosed it to