The California Consumer Privacy Act (CCPA) came into effect on January 1, 2020, to regulate the collection and use of individuals’ personal information, and data breaches, in the state. In November 2020, the California Privacy Rights Act (CPRA) was voted into law. The CPRA enhances the protections provided to California residents under the CCPA and consequently increases the obligations and liabilities of businesses concerning data privacy, data security, and breaches. For example, the CPRA establishes a new category of data subject to regulation, changes which businesses are subject to the CCPA, eliminates cure periods, and increases penalties for non-compliance. Most of the CPRA’s provisions will become effective on January 1, 2023, but they apply to data collected starting on January 1, 2022, giving businesses a limited amount of time to come into compliance with the CPRA’s provisions.
The CCPA, and notable changes to it by the CPRA, are explained in the Q&A below:
California residents may ask businesses to disclose what personal information they have about the individual and what they do with that information, delete the individual’s personal information, and not sell the individual’s personal information.
Individuals also have the right to be notified, before or at the point businesses collect the individual’s personal information, of the types of personal information they are collecting and what they may do with that information.
Generally, businesses cannot discriminate against an individual resident for exercising their rights under the CCPA. Businesses cannot make an individual resident waive these rights, and any contract provision that says an individual waives these rights is unenforceable.
The CCPA only grants rights to individuals (not corporations or other business entities) residing in California, even if the person is temporarily outside the state.
The CCPA applies to for-profit businesses that do business in California and meet any of the following:
The CPRA both expands and narrows the set of businesses to which the Act applies. It now applies to for-profit businesses that do business in California and meet any of the following:
Personal information is data that identifies, relates to, or could reasonably be linked with a resident’s household. For example, it could include a person’s name, social security number, email address, records of products purchased, internet browsing history, geolocation data, fingerprints, and inferences from other personal information that could create a profile about an individual’s preferences and characteristics.
Similar to the General Data Protection Regulation (GDPR) enacted by the European Union, the CPRA introduces a new category of data called “Sensitive Personal Information,” which includes government identifying information (driver’s license, social security numbers); race, religion, ethnicity, sexual orientation, sex life; precise geolocation; biometric and health data; contents of nonpublic communications (text messages, email, mail); and financial account information (debit/credit card information along with login credentials). These data are subject to new disclosure and purpose-and-use limitations. Consumers have new rights to prevent businesses from disclosing this sensitive personal data and to opt in to or opt out of such data use.
Personal information does not include publicly available information from federal, state, or local government records, such as professional licenses and public real estate/property records.
The CCPA granted California residents the rights listed below. The CPRA expanded those consumer rights:
The CPRA grants consumers several new rights, in addition to those above:
Businesses cannot be sued for most CCPA violations. A business can be sued under the CCPA if there is a data breach, and even then, only under limited circumstances. An individual could sue a business if the individual’s nonencrypted and nonredacted personal information was stolen in a data breach as a result of the business’s failure to maintain reasonable security procedures and practices to protect it.
If this happens, an individual, or many individuals, can sue a business for the amount of monetary damages the individuals actually suffered from the breach or for “statutory damages” of up to $750 per incident. If individuals want to sue the business for statutory damages, they must give the business written notice of which CCPA sections it violated and allow the business 30 days to provide the individuals with a written statement that it has cured the violations in the notice and that no further violations will occur.
Individuals cannot sue for statutory damages for a CCPA violation if the business is able to cure the violation and provides the individuals with a written statement that it has done so, unless the business continues to violate the CCPA contrary to its statement.
The CPRA has eliminated the 30-day cure period that businesses can currently take advantage of under the CCPA after being notified by the Attorney General’s Office of a reported violation. The CPRA also increases the maximum penalties to $7,500 where the violations involve minors.
For all other violations of the CCPA, only the Attorney General can file an action against businesses. The Attorney General does not represent individual California consumers. Using consumer complaints and other information, the Attorney General may identify patterns of misconduct that may lead to investigations and actions on behalf of the collective legal interests of the people of California.
California residents also have the ability to file a consumer complaint with the Office of the Attorney General if they believe a business has violated the CCPA. The individuals will need to provide the Attorney General’s office with details on how the business violated the CCPA, and when and how the violations occurred.
A business can be sued for a data breach under the CCPA only if certain conditions are met. The type of personal information that must have been stolen is the individual’s first name (or first initial) and last name in combination with any of the following:
This personal information must have been stolen in nonencrypted and nonredacted form.
The CPRA requires businesses to implement and comply with data minimization and retention policies and protocols. The CPRA permits the Attorney General’s Office to prepare regulations to penalize businesses that do not implement adequate data minimization and retention protocols, even where there is no data breach. The CPRA also requires businesses to undertake cybersecurity audits.
The California Department of Justice website is one of the sources used for this alert and serves as a great resource.
Monisha Coelho represents clients – from startups to multinational corporations – in commercial and corporate matters and litigation before state and federal courts. Monisha is a data security and privacy attorney advising companies on CCPA and CPRA compliance, enforcement, risk mitigation, and litigation. She is licensed to practice law in India and advises clients on cross-border US-India business transactions, litigation, and data privacy matters.
DISCLAIMER: The information contained herein is intended for informational purposes only and should not be construed as professional counsel or legal advice. Seek legal counsel for advice with respect to any legal matter. The information in this document may not reflect the most current developments as the subject matter is extremely fluid and may change daily. The content and interpretation of the issues addressed herein are subject to change.