CPRA: New privacy obligations in California to take effect from 1 January 2023

The CPRA (California Privacy Rights Act) is set to change the face of privacy in California.

There has been a lot happening in California since the California Consumer Privacy Act (CCPA) was passed in 2018 and took effect in 2020, with amendments and new regulations (known as the CPRA) coming into effect on 1 January 2023. So we thought we would pull together a summary of what has changed to help you get ready.

A quick recap

When the CCPA passed the California legislature, it marked the first state-based comprehensive privacy law in the United States. The focus of the CCPA was on strong consumer data protections and individual rights. The passing of the CCPA was a landmark moment in California law.

In 2020, the California Privacy Rights Act (CPRA) (also known as Proposition 24) was passed. It provides for additional substantive amendments to the CCPA which take effect on 1 January 2023. In addition to the changes to the CCPA, the CPRA introduces the California Privacy Protection Agency (CPPA), a brand new agency which has authority to enforce the CCPA and to prepare regulations to guide organisations implementing the CCPA.

What changes does the CPRA introduce?

  1. Changes to the scope

The threshold for “buying, receiving, or selling the personal information of 50,000 or more California residents, households, or devices” has been increased to “100,000 or more”, which is seen as a measure to ease pressure on small business. The CPRA also clarifies its operation for “sharing” of information within an organisation.

However, there are some extensions to the privacy protections of the CCPA. For example, the CPRA has brought employee data into scope, something that was explicitly exempt under the CCPA.

  2. Sensitive Personal Information

A new definition of Sensitive Personal Information has been introduced which includes racial and ethnic origin, biometric information and precise geolocation, as well as identifiers such as Social Security Number and driver’s licence number.

Organisations using or disclosing Sensitive Personal Information must provide individuals with notice, as well as providing a clear and conspicuous link on their websites that allows consumers to “Limit the Use of My Sensitive Personal Information”.

There are expected to be some permissible purposes, outlined in the Regulations which are currently being finalised, which businesses can rely on to process sensitive personal information. See the section below for more information on the status of the Regulations.

  3. Do Not Sell or Share Personal Information

The CPRA has strengthened the CCPA’s “Do Not Sell My Personal Information” requirements, which are aimed at the sharing of personal information for advertising purposes, by introducing a requirement for businesses to have a clear and conspicuous “Do Not Sell or Share My Personal Information” link on their website.

The CPRA also provides additional clarity on what is meant by ‘sharing’ personal information (giving it a much broader interpretation than the ordinary meaning of ‘sharing’).

  4. Management of Risk

The CPRA introduces a requirement for organisations to submit regular risk assessments and an annual, independent cybersecurity audit to the CPPA when their processing activities present a significant risk to consumer privacy or security. The scope of these risk assessments and audits will be defined in Regulations which are still being finalised.

The missing piece: the CPRA Regulations

There are important aspects of the CPRA which will be covered by the Regulations. Over the past six months, the CPPA has issued various versions of modified proposed regulations to support the implementation of the changes to the CCPA. However, they have not yet been finalised.

Most recently, a consultation period ended for the modified proposed regulations, which the CPPA is now considering (it has 30 days to do so) before issuing a final version of the Regulations. The final version is now not expected until early 2023.

Other key issues covered by the Regulations include:

  • Outlining permitted purposes for which businesses can process sensitive personal information without having to provide consumers with a right to limit processing
  • Clarifying the scope of a request to opt-out for a particular browser or device
  • Changes to purpose limitation, secondary uses and the inclusion of data minimisation requirements
  • Guidance on dark patterns
  • Clarity around what is a ‘business’
  • Guidance for data processing agreements
  • Guidance on risk assessments and audit requirements.

For those concerned by the delays, the CPPA has proposed a new Regulation which enables it to take into account the delay in issuing regulations when engaging in enforcement action, which gives businesses some breathing room for compliance.

For the most up-to-date version of the proposed regulations, check out the CPPA’s rulemaking page here.

Privacy, security and training: Jodie is one of Australia’s leading privacy and security experts and the Founder of Privacy 108 Consulting.