California Privacy Agency “Stands Ready” to Enforce – Are You Ready for CPRA?
By now, you’re likely familiar with the terms CCPA and CPRA (the California Consumer Privacy Act and the California Privacy Rights Act, respectively). The CCPA, according to the State of California Department of Justice, “gives consumers more control over the personal information that businesses collect about them.” In enacting the law, the California legislature found that consumers lacked the ability to fully control the use and sale of their personal information and that this ability was fundamental to the right to privacy. To avoid the devastating effects of misuse, including financial fraud, unauthorized disclosure, identity theft and reputational damage, the California legislature enacted the CCPA in 2018.
The CPRA clarified certain provisions in the CCPA while creating new consumer rights and adding additional responsibilities for companies that collect personal information on California residents. An enforcement arm was created, and the authorities were prepared to assess compliance. But then, California courts put a wrinkle in the enforcement by pausing the timeframe. In a recent opinion, a state appellate court restored the ability to enforce privacy violations under the law. Are you ready?
So, What Does the CCPA / CPRA Do?
When the CCPA became effective on January 1, 2020, it established an array of new requirements with the clear focus to protect the personal data of California residents. Fundamentally, the CCPA established certain privacy rights for California consumers including:
- The right to know about the personal information a business collects about them and how it is used and shared;
- The right to delete personal information collected from them (with some exceptions);
- The right to correct inaccurate information;
- The right to non-discrimination for exercising their CCPA rights.
The CPRA became effective on January 1, 2023 and granted consumers new rights that had not been in the CCPA including:
- The right to correct inaccurate personal information that a business has about them;
- The right to access information about automated decision making;
- The right to opt-out of automated decision-making technology;
- The right to limit the use and disclosure of sensitive personal information collected about them including social security number, financial account information, precise geolocation data, or genetic data;
- An expansion of notification requirements, which include disclosing details about the retention periods for the collection of personal information, whether the business shares consumers' personal information and with whom the information is shared, and specifying the categories of personal information shared. Businesses are permitted to retain personal information as long as it is “reasonably necessary” for the business/commercial purpose that is defined at the time of collection;
- An expansion of a private right of action; and
- Under specific conditions, businesses are required to conduct cybersecurity audits and risk assessments. Businesses that process personal information that might “present a significant risk to its consumers privacy or security” must perform an annual cybersecurity audit and submit the completed audit to the CPPA (California Privacy Protection Agency). Additionally, businesses must evaluate the privacy risks associated with their processing activities against the benefits provided and submit these findings to the CPPA.
Under both the CCPA and the CPRA, businesses of certain sizes must respond to consumer requests to exercise these rights and provide notices that explain the company’s privacy practices. Organizations that fall under these requirements include companies that meet one or more of the following:
- Have annual gross revenues in excess of $25 million;
- Buy, sell, or receive for the business's commercial purposes the personal information of 50,000 or more consumers, households, or devices;
- Derive 50% or more of their annual revenues from selling consumers' personal information.
These businesses must be able to disclose to a consumer: (1) the categories and/or specific pieces of personal information they have collected about a person, (2) the categories of sources for that personal information, (3) the purposes for which the business uses that information, (4) the categories of third parties with whom the business discloses the information, and (5) the categories of information that the business sells or discloses to third parties.
Enforcement? Wasn’t that paused?
After the California Privacy Protection Agency (the CPPA) missed the deadline to adopt final regulations, the California Chamber of Commerce brought suit seeking to delay the implementation until one year after the regulations were finalized. The California Chamber was successful in obtaining a delay in the lower courts, but lost on appeal as the California Court of Appeals allowed the regulations to go into effect. The California Chamber filed a petition for review to the California Supreme Court on February 20, 2024, although the relief sought by the Chamber would only result in a delay until the end of March 2024, a date that is quickly approaching.
A Call to Action: The CPPA Stands Ready
With the Court of Appeals vacating the lower court’s decision, the world waits to see if the California Supreme Court will take the case. While the precise enforcement deadline is in flux, the requirements of CCPA/CPRA are not. Out of an abundance of caution, impacted businesses should take any final steps to prepare for enforcement once the CPPA is ready to move. Given the Court of Appeals' directive that enforcement commenced July 1, 2023, and the fact that the CPPA’s Deputy Director of Enforcement Michael Macko has been clear in terms of the goals of the enforcement group, covered businesses should not stand idle and await a final ruling. In a press release on the appellate ruling, the Deputy Director stated that the enforcement team “stands ready to take it from here” and that “now would be a good time to review your privacy practices to ensure full compliance with all of our regulations.”
The overall message is clear: be ready. Those most closely watching the likely enforcement strategy expect that regulators will focus on required disclosures to consumers, business practices for handling consumer requests, and rules for consumers under 16 years of age. It is also a good time to begin preparations for upcoming CPRA regulations, including risk assessments, cybersecurity audits, and automated decision-making and AI technology. If you would like more information, please reach out to the authors of this Client Alert or your Butzel attorney.
Jennifer Dukarski
734.213.3427
dukarski@butzel.com
Claudia Rast
734.213.3431
rast@butzel.com
Debra Geroux
248.258.2603
geroux@butzel.com
Maya Smith
313.983.7495
smithmaya@butzel.com