The California Privacy Rights Act of 2020 (the “CPRA”) entered into force on January 1, 2023. This law, which significantly amends and expands the California Consumer Privacy Act of 2018 (the “CCPA”), has the rights of individuals at its core. The CPRA modifies the existing individuals’ rights set forth in the CCPA and introduces a number of new rights. This article looks at the specific rights regarding consumers’ personal information that covered businesses must now honor.
First, what is a covered business under the CPRA? Indeed, not every business must comply with the obligations provided for by this law. To protect small and non-profit businesses, the CCPA and CPRA both limit their application to entities that do business in California and meet at least one of the following criteria:
- the company has a gross worldwide revenue of more than 25 million USD;
- the company buys, sells, shares or receives the personal information of 100,000 or more California consumers or households; or
- the company receives over half of its revenue from the sale of personal information of California residents.
Modified rights
At the time of its adoption, the CCPA brought unprecedented rights to consumers in California regarding the protection of their personal information, and was the most extensive State privacy legislation in the U.S. These rights remain under the CPRA, but their scope has now been expanded.
The right to know: The CCPA grants consumers a right to know what personal information a business collected, sold, or disclosed about them during the past 12 months. The CPRA expands the consumer’s right to know disclosures to include personal information shared for cross-context behavioral advertising 1. Furthermore, it may eventually expand the disclosure period beyond the past 12 months, but only for personal information collected on or after January 1, 2022.
The right to delete: The CCPA grants consumers the right to request that a business and its service providers delete their personal information. The CPRA expands the obligation to pass deletion requests on to service providers, contractors, and, unless this is impossible or involves disproportionate effort, to all third parties to whom the business sold or shared the information.
The right to opt-out: The CCPA grants consumers of at least 16 years of age the right to direct a business to stop selling their personal information. The CPRA expands this right to include directing a business to stop sharing the consumer’s personal information for cross-context behavioral advertising.
Freedom from discrimination: the CCPA ensures protection for consumers exercising their CCPA rights against retaliation by the business (for example, a business could not deny goods or services to the consumer for that reason). The CPRA expands this protection against discrimination to include employees, applicants for employment, and independent contractors exercising their rights.
New Rights
The right to correct: The CPRA introduced the right to correct, which grants consumers the right to ask a business to correct inaccurate personal information about them. From January 1, 2023, onwards, a business must inform consumers about their right to request correction of inaccurate personal information and use reasonable efforts to fulfill a consumer’s correction request. We would like to underline here that future regulations will explain how often and under what circumstances a consumer may request a correction of inaccurate personal information.
The right to limit the use of sensitive personal information: the CPRA introduces a new category of data labeled “sensitive personal information”, as well as the new right for consumers to direct a business to limit its use of sensitive personal information to specifically permitted purposes 2.
Furthermore, even though not a consumer’s right per se, covered businesses have, since January 1, 2023, additional transparency obligations regarding their processing of personal information. More specifically, businesses are now required to provide a separate notice to consumers regarding the collection, use, selling, or sharing of sensitive personal information, in addition to respecting the additional privacy policy disclosures provided for by the CPRA. Indeed, the CPRA expands the required privacy policy elements to include, for example, descriptions of the new consumer rights, the intended retention period for each personal data category collected, and whether the business shares personal information for cross-context behavioral advertising purposes.
In conclusion, major changes are under way in the Californian field of data protection, but also in numerous American States. It is crucial to keep abreast of these legal changes and to adapt your business practices accordingly.
At The Law Office of S. Grynwajc, we practice U.S., Canadian and European law and have particular expertise in the field of privacy and data protection law. If you wish to ensure that your organization complies with its legal obligations in that space, please do not hesitate to contact us; we would be delighted to assist you.
1 Cross-context behavioral advertising is defined by Californian law as “the targeting of advertising to a consumer based on the consumer’s personal information obtained from the consumer’s activity across businesses, distinctly branded websites, applications, or services, other than the business, distinctly branded website, application, or service with which the consumer intentionally interacts.”
2 As a reminder, “sensitive personal information” is defined by Californian law as (1) personal information that reveals a consumer’s social security, driver’s license, state identification card, or passport number; a consumer’s account log-in, financial account, debit card, or credit card number in combination with any required security or access code, password, or credentials allowing access to an account; a consumer’s precise geolocation; a consumer’s racial or ethnic origin, religious or philosophical beliefs, or union membership; the contents of a consumer’s mail, email, and text messages unless the business is the intended recipient of the communication; a consumer’s genetic data; or (2) the processing of biometric information for the purpose of uniquely identifying a consumer; personal information collected and analyzed concerning a consumer’s health; personal information collected and analyzed concerning a consumer’s sex life or sexual orientation. Note that any sensitive personal information that is publicly available is not considered sensitive personal information or personal information under this law.