Data Privacy Primer: With the New Year Comes New Changes to the California Data Privacy Landscape

The California Privacy Rights Act (CPRA) will take effect on January 1, 2023.  The CPRA imposes additional requirements on companies that do business in California, expanding upon its predecessor in privacy: the California Consumer Privacy Act (CCPA).

With the rules and regulations governing consumer data privacy soon subject to change, it is the responsibility of businesses to stay informed and implement those modifications necessary to ensure compliance with the CCPA and CPRA.

Below, we have provided a brief overview of the CCPA and the CPRA, which we hope will answer questions such as:

Which businesses are affected by the CCPA and the CPRA?
What requirements are imposed by the CCPA and the CPRA? and
What is the difference between the requirements imposed by the CCPA and the CPRA?

What is the California Consumer Privacy Act (CCPA)?

The CCPA, which became effective on January 1, 2022, expanded privacy rights for California residents, providing these consumers with greater control over the use and dissemination of their personal information. In turn, California businesses covered by the Act were met with additional restrictions and requirements, forcing these companies to increase their transparency with respect to data usage and transmission, and implement the mechanisms and processes necessary to facilitate consumer management of personal information.

What Businesses are Covered by the CCPA?

The CCPA applies to all “for profit” businesses that do business in California and:

Have a gross revenue of more than $25 million,
Buy, receive, or sell the personal information of 50,000 or more California residents, households, or devices (note that the CPRA increases this limit to 100,000 as of January 1, 2023), or
Derive 50% or more of their annual revenue from selling the personal information of California residents.

What Notices are Required by the CCPA?

Businesses must provide a “notice at collection” that explains what types of personal information the business will collect and how that information will be used.

If a business sells consumers’ personal information, the “notice at collection” must also include a “do not sell link” that will allow the user to opt out and prevent the sale of their data.

What Rights do Consumers Have Under the CCPA?

The CCPA had a significant impact on the data privacy landscape within California, providing consumers with many new privacy rights including:

The right to know what personal information a business is collecting and how that information will be used before it is collected,
The right to require a business to delete personal information that it has collected,
The right to opt out of the sale of your personal information, and
The right to not be discriminated against for exercising your rights under the CCPA.

Opt-Out Requests Under the CCPA and Exceptions

Subject to certain exceptions, California consumers have the right to opt out of the sale of their personal information. Once a consumer has submitted an opt-out request, the recipient business must stop selling that individual’s personal information.

The exceptions that exist to this general rule are found in Civil Code section 1798.145 and include where such information is necessary for:

Compliance with federal, state, or local laws, or compliance with a court order or subpoena;
Cooperation with law enforcement investigations;
Cooperation with government agencies in emergencies; and
Exercise or defense of a legal claim.

Businesses were also permitted to use personal information subject to an opt-out notice where:

The information has been stripped of its personal identifiers (i.e. de-identified or aggregate consumer information),
Each aspect of the commercial conduct through which the personal information was obtained takes place outside of California (i.e. the consumer was outside of California, no part of the sale of the consumer’s personal information occurred in California, and no personal information was collected while the consumer was in California), or
The information in question is not covered by the CCPA.

Expiration of Exemptions for B2B and Employment-Related Data

Previously, information collected by a business from its job applicants, employees, owners, directors, or officers was exempted from the restrictions of CCPA where such information was used by the business within the context of that person’s role within the business. B2B (business-to-business) data was also exempted under the CCPA. These exemptions are set to expire as of January 1, 2023, and the legislature has taken no action to extend them.

Thus, beginning January 1, 2023, the CCPA’s restrictions and regulations will apply to B2B and employment data.

For businesses that are currently in compliance with the CCPA, you will need to review your current policies and make changes as needed to your privacy disclosures to include employment or B2B data as well as to ensure that you are in compliance with the CPRA’s amendments.  

What is the California Privacy Rights Act (CPRA)?

The California Privacy Rights Act (CPRA), also known as Proposition 24 or “CCPA 2.0,” was a ballot initiative approved by the voters on November 3, 2020, that will go into effect on January 1, 2023.

The CPRA makes significant changes to the CCPA.

As referenced above, the CPRA narrows the reach of its restrictions. Previously, the restrictions and regulations imposed by the CCPA covered businesses that buy, receive, or sell the personal information of 50,000 or more California residents, households, or devices – the CPRA increases the number of California residents who must be affected by such activities to 100,000.

By contrast, the CPRA expands consumer privacy rights. In addition to the rights granted by the CCPA, the CPRA gives consumers the right to:

Correct their personal information,
Limit the sharing of their personal information,
Opt out of the sharing of personal information (the CCPA allowed consumers to opt out of the selling of personal information), and
See all personal information without a time limit (the CCPA restricted the right to personal information collected within the past 12 months).

The CPRA amendments include additional protections for “sensitive personal information” including:

Social security, driver’s license, passport, or state ID numbers,
Account login information,
Geolocation data,
Race, ethnicity, religion, and union membership,
Contents of consumer’s mail, email, or text communications,
Genetic information,
Biometric data that uniquely identify consumers,
Consumer health information, and
Information regarding a consumer’s sexual orientation.

The CPRA will require businesses to include links on their websites that allow consumers to choose to “limit the use of [their] sensitive personal information” and direct the business to “not sell or share [their] personal information,” which will allow the consumer to opt out of the selling or sharing of their sensitive personal information.

The CPRA also requires businesses to keep consumers informed with respect to how long the business intends to retain personal information and prohibits businesses from retaining personal information longer than the stated time.

Contractors, service providers, and third parties contracting with businesses covered by the CCPA and CPRA will now be subject to the same privacy requirements as these businesses.

Enforcement of the CCPA and the CPRA

Although the California Attorney General’s Office, city attorneys, and district attorneys still have jurisdiction to enforce the provisions of the CCPA/CPRA, the CPRA also created a new enforcement agency called the California Privacy Protection Agency which is authorized to enforce the CPRA and impose penalties.

The CPRA no longer allows for the 30-day notice period granted by the CCPA to businesses in violation of its requirements. Under the CPRA, if a business violates either of these privacy acts, it can immediately be fined:

$2500 per violation,
$7500 per violation for consumers under the age of 16, and
$750 per incident for data breaches or actual damages.

CCPA/CPRA Checklist for Businesses

Does the CCPA apply to your business?

If it does, and your business is already in compliance with the CCPA, you may need to review your current policies to identify any changes that must be made before January 1, 2023, to ensure compliance with the changing requirements under CPRA, and expiration of those CCPA exemptions described.

If the CCPA did not apply to your business before, but does now, you should take the following steps to ensure compliance:

Determine what personal information your business collects on consumers and whether your business sells or shares that information,
Review your general policies and procedures to ensure compliance with the CCPA and CPRA,
Review and revise your privacy policies to include the new consumer rights and requirements under the CPRA,
Review and revise your policies regarding retention and use of employment data to ensure compliance with CCPA’s expired exemptions,
Review and revise your retention policy for consumers’ personal information and include this information in your privacy policy,
Update your websites to include links to “limit the use of my sensitive personal information” and “do not sell or share my personal information” that will allow the consumer to opt out of the selling or sharing of their sensitive personal information,
Establish procedures to promptly comply with opt-out requests, requests for information about a consumer’s personal information, or requests to limit the use of a consumer’s personal information,
Review and revise all agreements with contractors, service providers, and third parties to ensure that contractors comply with the requirements of the CCPA and CPRA,
Ensure that your business has insurance to cover potential data breaches, and
Implement training for employees, HR personnel, officers, directors, or any person responsible for collecting, maintaining, or using consumers’ personal information.

Please feel free to contact Fauver, Large, Archbald & Spray with questions about the California Consumer Privacy Act (CCPA), the California Privacy Rights Act (CPRA), the changes that will go into effect on January 1, 2023, and how they will affect your business.  

We also remain available to help you with all your general business, corporate, estate, and tax planning needs.

DISCLAIMER:  This publication is one of a series of business, real estate, employment, estate planning, and tax bulletins prepared by the attorneys at Fauver, Large, Archbald & Spray, LLP. This publication is not exhaustive, nor is it legal advice. You should discuss your unique situation with us or with your attorney. Our legal representation is only undertaken through a written engagement letter and not by the distribution or use of this publication.
