California Privacy Rights Act Will Add New Layers to California Privacy Laws

California’s privacy laws continue to be a shifting landscape, creating compliance challenges for companies doing business in California.  The California Privacy Rights Act (CPRA) was approved by California voters on November 3, 2020, adding new requirements to the California Consumer Privacy Act (CCPA) that will go into effect on January 1, 2023.  The ballot measure passed only two months after California’s Attorney General released amended regulations for the CCPA on August 27, 2020, and a month after Governor Gavin Newsom signed amendments to the CCPA into law in October.

RJO’s Cybersecurity and Privacy Group is dedicated to helping our clients work through the changing landscape of the CCPA and other privacy legislation and regulations and can provide customized and practical assistance with data privacy preparation and compliance efforts.

California Privacy Rights Act Establishes a New Consumer Privacy Agency and Adds New Compliance Obligations, but Extends Key Exemptions

The most immediate impact of the CPRA is the establishment of a California Privacy Protection Agency, which will have responsibility for administering and enforcing the CCPA.  This will include issuing new regulations, likely in late 2021 or early 2022, but that must be adopted by July 1, 2022, at the latest.  California’s Attorney General has previously expressed that his office has limited ability to investigate and enforce California privacy laws given its other responsibilities, so a dedicated agency will likely mean an increase in investigations and enforcement actions.  The agency is also likely to re-examine the CCPA regulations issued by the Attorney General in light of the changes brought on by the CPRA and will have to issue new regulations to implement those changes.

As we have previously discussed, the CPRA will tighten a number of areas covered by the CCPA and adds new compliance obligations that will apply to personal information collected by businesses on or after January 1, 2022.  Some key changes include:

• Expanded Opt-Out Right. The CPRA allows consumers to prevent businesses from not only selling their data but “sharing” their data with other entities.  This expanded right will complicate a number of business relationships that were previously not covered by the consumer opt-out, including cross-advertising relationships and informal data exchanges.
• Sensitive Personal Information. The CPRA adds “sensitive personal information” as a new category of personal information, such as information concerning race and ethnicity, sexual orientation, and precise geolocation, and requires new disclosure requirements specific to this type of information.
• Data Minimization Obligations. Covered businesses must ensure that their data practices are reasonably necessary and proportionate to achieve the purposes for which the information was collected or processed.  The CPRA requires each covered business to disclose the amount of time it intends to retain personal information and prohibits businesses from retaining personal information for longer than is reasonably necessary for the purpose it was collected.
• Data Breach Liability. The CPRA changes California’s data breach laws as well.  Consumers will now have an expanded right of action to sue businesses if their email address and password or security question and answer are breached due to the business’s failure to employ proper security measures.  In connection with this, the CCPA’s 30-day cure provision has been dramatically weakened, and now only applies to security violations and does not extend to other violations of the law.  Further, businesses implementing a post-breach cure can now only cure statutory damages, not actual damages, and cannot claim that post-breach security measures are a sufficient cure for the breach itself.

The California Privacy Rights Act also extends two key California Consumer Protection Act exceptions for personal information collected from employees and as part of business-to-business transactions.  These exceptions will now be extended until January 1, 2023, and will be the subject of lobbying and legislation to set out a more comprehensive policy for employee data.

CCPA Legislative Amendments Provide Additional Clarity for Health Information

In September, Governor Newsom signed AB 713 into law, amending the CCPA to expand exemptions for personal health information, effective immediately.  In particular, the amendment aligned the CCPA treatment of de-identified personal health information with HIPAA, providing that information that has been de-identified in accordance with HIPAA standards and is derived from patient information collected by an entity covered by HIPAA, CMIA, or the Federal Common Rule, is exempt from the CCPA.  In doing so, AB 713 resolves the potential disconnect between the treatment of data that is sufficiently de-identified under HIPAA but would not meet the exemption standard under the CCPA, harmonizing compliance obligations for health companies.  The amendment also adds exemptions for HIPAA business associates and for research carried out under appropriate industry standards and federal regulations that better align with HIPAA definitions.

AB 713 creates new obligations as well.  The amendment requires that businesses that sell or disclose de-identified patient information add a new consumer disclosure describing the de-identification method used and further prohibits the re-identification of such information.  Additional obligations include disclosure requirements for contracts for the sale or license of de-identified patient information, which must include new provisions disclosing that fact, and prohibiting re-identification and re-disclosure to a third party without parallel contract provisions in place.  This particular obligation goes into effect on January 1, 2021.

How We Can Help Your Company

Rogers Joseph O’Donnell specializes in working with corporate and business clients on compliance with complex laws and regulations that impact their business. RJO’s Cybersecurity and Privacy Group is comprised of experienced attorneys from each of its other practice areas, allowing us to understand and tailor our work to our clients’ business needs. For compliance advice or defense of claims, contact any of the Practice Group Chairs or the authors of this article at www.rjo.com.