In this technological age, personal information has become vital to how we conduct business. With the threat of data breaches and leaks looming every day, the protection and security of personal information are now on our lawmakers’ minds. Unlike its European counterpart, the United States does not have an overarching federal law for data privacy and protection, so it has been left to the states to create these protections for consumers and obligations for businesses. At the forefront of this movement has been California, which boasts the largest consumer population in the country and was the first state to create a data privacy and protection law. Other states, such as Virginia, Colorado, Georgia and Connecticut, have passed their own data privacy laws modeled on California’s. Pennsylvania is currently working on joining this growing list with House Bill 1126. As California continues to be the model for states enacting their own data privacy laws, the state’s amendments to its law foreshadow changes in how businesses handle personal information. So it is imperative that when California’s law is amended, businesses are aware of the changes and know what is expected of them to ensure compliance.
On January 1, 2023, the new California Privacy Rights Act (CPRA) went into effect, expanding the protections provided to consumers and the obligations of businesses under the current California Consumer Privacy Act (CCPA). The businesses that fall under the jurisdiction of the two acts are California-based businesses and businesses that do business in California that collect personal information from California consumers and meet the following criteria:
- Exceed $25 million in annual gross revenues in the preceding calendar year;
- Buy, sell, or share the personal information of 100,000 or more consumers or households;
- And/or get 50% or more of its annual revenue from selling or sharing consumers’ personal information.
It is crucial for these businesses to be aware of the additional consumer protections and obligations imposed on them, as the CPRA imposes stricter penalties for noncompliance.
Consumer Protections
Similar to its European counterpart, the General Data Protection Regulation (GDPR), the CPRA adds expansive rights for consumers over their personal information, including the following:
- Right to correct inaccurate data held by the business
- Right to opt-out of automated decision-making technology
- Right to access information about automated decision-making
- Right to opt-out of the sharing of sensitive personal information with third parties
- Right to opt-out of certain uses and disclosures of sensitive personal information
- Right to data portability (requesting that the business transmit personal information to another company)
Business Obligations
In addition to complying with these rights and requests of consumers pertaining to their personal information, businesses are now required to perform the following obligations as well:
- Consent to personal information of children. Businesses must obtain implied opt-in consent (specific, freely given, informed and unambiguous) from consumers under 16 years old before selling or sharing their personal information.
- Personal data minimization. Businesses will need to minimize the personal data they collect and use it only for the purpose for which it is needed; over-collection of data is no longer permitted.
- Contractual provisions. Businesses must include newly required contractual provisions when contracting with service providers, contractors and other third parties.
- Deletion requests. Businesses will need to pass along deletion requests to service providers, contractors and other third parties to which they have sold or shared the information.
- Website requirements. Businesses’ websites will need to provide links titled “do not sell or share my personal information” and “limit the use of my sensitive personal information.”
Fines for Noncompliance
Violations of the CPRA can put quite a burden on your business’s bottom line. While the maximum fine for a non-intentional violation involving adult consumers is $2,500 per case, violations involving consumers under the age of 16 can be fined up to $7,500 per case. Your period to cure a violation has become stricter as well. The CPRA removes the 30-day cure period for violations, and the newly formed enforcement agency, the California Privacy Protection Agency (CPPA), will set the period businesses have to cure a violation, taking into account the absence of intent to violate and voluntary efforts by the business to cure the violation.
Complying With CPRA and the Future of Data Privacy
To comply with the CPRA, your business should keep the following tactics in mind:
- Perform a data inventory to see what type of information your business collects and who you share it with.
- Review the agreements that you currently have with third parties to make sure they have appropriate data privacy provisions.
- Update the cookie banner notices and privacy policy on your business’s website.
- Provide new opt-out links on your business’s websites.
- Provide a method to get consumers’ requests, whether through email, phone number, or web link forms.
The easiest way for a business to fully comply with the new CPRA requirements is to contact counsel with knowledge and experience in data privacy to discuss the changes and review its policies and contracts. It is also important to be mindful of where you do business and whether a state you do business in has its own data privacy law. In this growing world of data privacy and security, it is important that your business stays up to date on the data privacy laws and obligations that apply to you. For more information, please contact Chris Ouellette with the firm’s Business Transactions Group.