
Giant Leap in Data Protection Rules Throughout the U.S.

Client Updates / Nov 29, 2022

Written by Dotan Hammer and Rozan Khater

In about a month, just as the new year begins, the California Privacy Rights Act (CPRA) and the Virginia Consumer Data Protection Act both take effect. Six months later, the Colorado Privacy Act and the Connecticut Act Concerning Personal Data Privacy and Online Monitoring both take effect. The Utah Consumer Privacy Act will then conclude 2023 when it takes effect on December 31.

In recent years, many organizations have dedicated efforts to come into compliance with the California Consumer Privacy Act of 2018 (CCPA) and the regulations that precede the CPRA. Yet for many organizations, the state privacy laws due to take effect in 2023, particularly the CPRA, will warrant significant compliance efforts above and beyond those taken in light of the CCPA.

Scope of Applicability

CPRA. The CPRA introduces key amendments to the thresholds for the law’s applicability to businesses. First and foremost, the CPRA applies to any for-profit organization that does business in California (even if it is incorporated outside California or even outside the U.S.), whose annual gross revenue is more than $25M, and that collects personal information of Californians.

Second, the CPRA applies to any business that annually buys or sells the personal information of 100,000 or more Californians, or annually shares the personal information of 100,000 or more Californians for online behavioral-targeted ads. Third, the CPRA also applies to any business that derives half or more of its annual revenue from this form of selling or sharing personal information.

The CPRA also establishes a contractual “chain of custody” for personal information. Consider a business subject to the CPRA that provides personal information of Californians to another company that ordinarily would not be subject to the CPRA under the rules explained above. In some cases, the business subject to the CPRA must contractually bind the receiving company to comply with the CPRA’s obligations, even if the receiving company is not a service provider.

The CPRA repeals the exemptions previously specified in the CCPA regarding the personal information of workforce members and business-to-business contacts. Personal information in these scenarios will now be fully subject to the CPRA.

Other State Laws. The laws in Virginia, Colorado, Connecticut, and Utah follow a similar approach in defining which companies are covered by these laws, but the numerical thresholds differ with some further nuances.

An Assortment of Requirements on Notices, Opt-Outs, Data Subject Rights, Service Provider Contracts, and Limitations on Processing

CPRA. A business may only process personal information that is reasonably necessary and proportionate to achieve the declared purposes for which the personal information is processed. A business must obtain the consumer’s explicit, freely given, granular, and withdrawable consent before processing the consumer’s personal information for any other purpose. Moreover, in comparison to the CCPA, the CPRA requires businesses to bolster their contracts with service providers who process the information on their behalf.

The CPRA also expands the types of notices that businesses must give data subjects. Depending on the context, these include a general privacy policy, a notice at the time of collecting information from the data subject, a notice of the right to opt out of selling personal information or sharing personal information for online behavioral-targeted ads, and a notice of the right to limit the use of sensitive personal information. Businesses are also required to honor standardized opt-out preference signals, such as the Global Privacy Control specification. Notices must follow accessibility standards such as the Web Content Accessibility Guidelines. The CPRA also gives data subjects enhanced rights, which will now include the right to correct inaccurate information and the right to receive a copy of their information in a portable format.

Other State Laws. The laws in Virginia, Colorado, Connecticut, and Utah diverge from the CPRA on some key issues. Some of these laws require obtaining data subject consent to the processing of their sensitive personal information, and some require data protection impact assessments which the CPRA has yet to fully adopt.

Enforcement and Private Right of Action

CPRA. The CPRA slightly expands the limited private right of action that the CCPA provided, yet all other enforcement powers vest exclusively with the California Attorney General and the California Privacy Protection Agency. The CPRA increases the fines for some violations and significantly limits the availability of a cure period for businesses to remedy non-compliance once they are notified by the California Privacy Protection Agency. Yet the California Privacy Protection Agency is barred from taking enforcement action on violations occurring before July 1, 2023, regarding the new obligations that the CPRA enacted.

Other State Laws. The laws in Virginia, Colorado, Connecticut, and Utah take a broader approach in allowing companies an opportunity to cure non-compliance before fines can be imposed. These laws also generally restrict a private right of action.

End Notes

These developments likely warrant review, adjustments, and changes in the front-end and back-end privacy practices of companies subject to the CPRA, ahead of the CPRA’s enforcement date of July 1, 2023. We recommend that companies consider taking up a CPRA compliance project in the weeks and months ahead.