New Year New Privacy Considerations: Privacy Considerations for Businesses under the CPRA
December 23, 2020
In 2021, businesses should focus their efforts on data privacy. California has been the most active state, passing the California Privacy Rights Act (“CPRA”), which goes into effect on January 1, 2023. Earlier this year, we analyzed the CPRA, which will expand and modify the current California Consumer Privacy Act (“CCPA”). Companies doing business in California should first evaluate whether they are “Covered Entities,” and if they are, they should use the two-year ramp-up period to begin assessing the changes necessary to ensure compliance under the pending law. In doing so, a company must evaluate the changes the CPRA makes to CCPA compliance. A few key differences are:
- Who is a Covered Entity;
- What Sensitive Personal Information is; and
- Data Subjects’ Rights.
A Covered Entity
A Covered Entity is a business that deals in the personal information (“PI”) of California Consumers and meets a threshold requirement set forth by the applicable consumer privacy law. Under the CCPA, a business is considered a Covered Entity if it:
- has $25+ million in annual revenue;
- buys or sells, OR receives or shares for the business’s commercial purpose, the PI of 50,000+ consumers, households or devices; or
- derives at least 50% of its annual revenue from selling consumer PI.
CPRA changes the definition, making a Covered Entity a business that:
- has $25+ million in annual revenue;
- buys, sells or shares PI of 100,000+ consumers or households; or
- derives at least 50% of its annual revenue from selling or sharing consumer PI.
While this change may seem semantic, it will cause many businesses to change status, either becoming a Covered Entity or falling outside the definition of one. Businesses need to analyze this change carefully to ascertain their status as a Covered Entity.
Sensitive Personal Information
Under the CCPA, the definition of Personal Information (“PI”) is set forth broadly to include information that can identify, relate to, describe, be associated with, or be reasonably capable of being associated with a particular consumer or household. The CPRA creates a new category of Sensitive Personal Information (“Sensitive PI”). The CPRA defines “Sensitive PI” to include government identifiers (such as Social Security numbers and driver’s licenses); financial account and login information (such as a credit or debit card number together with login credentials); precise geolocation; race, ethnicity, religious or philosophical beliefs, or union membership; the content of nonpublic communications (mail, email and text messages); genetic data; biometric or health information; and sex life or sexual orientation information. A Covered Entity that controls, processes, or collects Sensitive PI is subject to specific regulations under the CPRA, and it is vital that it assess its procedures around Sensitive PI.
Data Subjects’ Rights
The CCPA grants California Consumers rights such as the Right to Know, Right to Delete, Right to Opt Out of Third-Party Sales, and Right to Nondiscrimination. The CPRA strengthens the rights granted to California Consumers. Consumers will now have rights such as the Right to Limit Use and Disclosure of Sensitive PI, Right to Correction, Right to Access Information About Automated Decision Making, Right to Opt Out of Automated Decision Making Technology, and the Right to Restrict Sensitive PI. In addition, the CPRA sets forth audit obligations that will require mandatory risk assessments and cybersecurity audits for high-risk activities. The risk assessments must be submitted to the newly established California Privacy Protection Agency (“CPPA”), which will enforce the CPRA.
The CPRA expands the private right of action under the CCPA, authorizing consumer lawsuits arising from data breaches involving additional categories of personal information. Specifically, the CPRA adds email address in combination with a password or security question and answer that would permit access to the consumer's account to the list of data types that can be actionable under the law in the event of a breach.
Businesses have focused on compliance under the CCPA for the last several years and continue to work through compliance issues. The CPRA adds further privacy considerations heading into the new year. With a look-back period beginning on January 1, 2022, companies will have roughly a year to strategize and execute on their compliance efforts, keeping in mind that the CCPA remains effective and in place until January 1, 2023, when the CPRA goes into effect. If any business needs further guidance about the CPRA, the CCPA, or other consumer privacy laws, the experienced attorneys in our Pittsburgh office are available by phone and email to assist, even while we as a firm comply with the current COVID-19 restrictions. Please feel free to reach out with any questions or concerns.