New California Privacy Laws: Get Ready (Again)

On Nov. 3, 2020, California voters approved Proposition 24, also known as the California Privacy Rights Act (CPRA). CPRA amends the California Consumer Privacy Act (CCPA) to become the new standard for which companies need to comply. The group behind CPRA—Californians for Consumer Privacy (CCP)—is the same group that ushered in CCPA.

Now, those businesses that have been scrambling to comply with CCPA, which only took effect in 2020, need to adapt to new regulations in the CPRA, which take effect in 2023 but will apply to data collected starting in 2022. Before digging into the highlights of the new law, here are a few takeaways to keep in mind.

CPRA May Be Harder to Change and Easier to Enforce

Because the new law was passed by voters via a ballot initiative, CPRA will be much harder to change moving forward versus traditional legislation.

As CPRA outlines in its text: "The provisions of this Act may be amended after its approval by the voters by a statute that Is passed by a vote of a majority of the members of each house of the Legislature and signed by the Governor, provided that such amendments are consistent with and further the purpose and intent of this Act … ." (emphasis added)

This article from law firm Manatt, Phelps, and Phillips puts this into context well, stating that "if Sacramento lawmakers ever passed a CPRA amendment that is even arguably privacy restrictive, privacy advocates and other Californians may sue to attempt to repeal that amendment."

That article highlights the other ways that the law could be modified, and that includes another ballot initiative or if a federal court or government "invalidates the law via a pre-emptive federal privacy law or a ruling of unconstitutionality."

With the new law comes a new enforcement agency, too. CPRA effectively transfers enforcement authority from the California attorney general to a new agency that will oversee CPRA: the California Privacy Protection Agency. This is the first of its kind, and the new agency will be charged with the investigation, rulemaking, and enforcement of CPRA.

Whereas the California attorney general has referenced "limited resources" while discussing enforcement in the past, the California Privacy Protection Agency will be self-funded by the fines they issue for non-compliance. This may lead to more stringent enforcement and more significant fines in the future.

Expanding the Private Right of Action

When the CCPA passed in 2018, it became one of the few privacy laws to allow consumers to bring a lawsuit against a company for violating their privacy rights, granting those consumers damages under the statute between $100 and $750 per affected individual.

As we've seen in other laws with statutory damages such as the Illinois Biometric Information Privacy Act, these statutory damages allow affected consumers to establish standing in a class-action lawsuit, even without other demonstrable injury or harm being asserted.

But the private right of action under CCPA was limited to data breaches of specific information, the risk of facing costly litigation to many companies was lessened. However, the new CPRA expands on CCPA's private right of action for personal information security breaches to include "email address in combination with a password or security question and answer that would permit access to the account."

In other words, if your business stores this type of data and a data breach exposes it, you are held responsible under CPRA for your California consumers. This broadens the scope of businesses that may face class actions after a data breach significantly.

Highlights of CPRA for Businesses

CPRA introduces many other changes as well, and here are a few worth noting:

Establishes Sensitive Personal Information Category

CPRA introduces a new category of personal information that's enforceable under the law called "sensitive personal information." For businesses, this expands on their potential liability.

In addition to the personal information that was already protected under law in CPPA, sensitive personal information (PI) in CPRA includes:

• A consumer's social security, driver's license, state identification card, or passport number
• A consumer's account log-In, financial account, debit card, or credit card number in combination with any required security or access code, password, or credentials allowing access to an account
• A consumer's precise geolocation
• A consumer's racial or ethnic origin, religious or philosophical beliefs, or union membership
• The contents of a consumer's mail, email, and text messages, unless the business is the intended recipient of the communication
• A consumer's genetic data
• The processing of biometric information for the purpose of uniquely identifying a consumer
• PI collected and analyzed concerning a consumer's health
• PI collected and analyzed concerning a consumer's sex life or sexual orientation

Limits Sharing of Personal Information

Under CCPA, consumers had the right to opt-out of the sale of their personal information. And businesses had to figure out what the "sale" of information meant. Ambiguity would arise, for example, around data used in targeted online advertising.

CPRA expands on this and adds "sharing" to the "selling" of information. CPRA states that sharing does include information for cross-context behavioral advertising, as defined as:

… the targeting of advertising to a consumer based on the consumer's personal Information obtained from the consumer's activity across businesses, distinctly-branded websites, applications, or services, other than the business, distinctly-branded website, application, or service with which the consumer intentionally Interacts.

Under the new CPRA rules, businesses are eligible to be regulated if their gross revenues exceed $25 million and they buy, sell or share the PI of 100,000 or more consumers or households, or derive 50% of annual revenue from selling or sharing consumer PI.

Eliminates the 30-day Cure Period for Violations

When it comes to enforcement actions, CPRA deleted CCPA's original 30-day cure period where businesses were subject to enforcement fines only if they failed to cure the alleged violation within 30 days of being notified of noncompliance.

CPRA instead outlines that any violation is subject to a penalty, and also clarifies how the cure period applies to a data breach, noting that "implementation and maintenance of reasonable security... following a breach does not constitute a cure with respect to that breach."

Next Steps

Many businesses are just getting used to CCPA requirements, and now have a new set of rules to understand and comply with as they head into 2023 when CPRA will go into effect.

As always, cyber insurance will be an important risk transfer strategy for businesses that are enforceable under this law. A well-brokered cyber policy can cover fines, penalties, or statutory damages connected with CPRA. We've seen a number of private right of action cases filed under CCPA so far, and our expectation is that these will end up being costly to settle. We're not alone in this thinking, as the prospect of greater litigation under CCPA and eventually, CPRA is part of what's driving premium increases throughout the cyber insurance market.

For more detail on CPRA, see CPRA documentation.