The California Privacy Rights Act (CPRA) will become operative January 1, 2023,
subject to specified exceptions, which are operative on the effective date of
the CPRA. Notwithstanding any other law, civil and administrative enforcement
of the provisions of law added or amended by the CPRA will begin, and will only
apply to violations occurring on or after, July 1, 2023.
Subject to specified exception(s), the CPRA will only apply to personal
information collected by a business on or after January 1, 2022 (including a
consumer's right to request required information beyond a 12-month period
and a business's obligation to provide such information).
The CPRA establishes in California government the California Privacy
Protection Agency (Agency), which is vested with full administrative power,
authority, and jurisdiction to implement and enforce the California Consumer
Privacy Act of 2018, as amended (CCPA). Beginning the later of July 1, 2021, or
6 months after the Agency provides notice to the California attorney general
that it is prepared to begin rulemaking under the CPRA, the authority assigned
to the California attorney general to adopt CPRA regulations will be exercised
by the Agency. Final CPRA regulations must be adopted by July 1, 2022.
The provisions of the CCPA will remain in effect and be enforceable until
the same provisions of the CPRA become enforceable. Developments should be
monitored carefully.
Application
The CPRA applies to a business, contractor, service provider, and third
party.
A business means a legal entity organized or operated for the profit or
financial benefit of its owners and has the following characteristics.
- One of the following
  - As of January 1 of the calendar year, had annual gross revenues in
    excess of $25 million in the preceding calendar year
  - Alone or in combination, annually buys, sells, or shares the
    personal information of 100,000 or more consumers or households
  - Derives 50 percent or more of its annual revenues from selling or
    sharing consumers' personal information
- Collects consumers' personal information or on the behalf of which
  that information is collected
- Alone, or jointly with others, determines the purposes and means of the
  processing of consumers' personal information
- Does business in California.
A business also means the following.
- Any entity that controls or is controlled by a business, with which the
  business shares consumers' personal information, and that shares common
  branding with the business, meaning a shared name, service mark, or trademark,
  such that the average consumer would understand that two or more entities are
  commonly owned.
- A joint venture or partnership composed of businesses in which each business
  has at least a 40 percent interest.
- A person that does business in California, that is not covered by the three
  definitions of business above, and that voluntarily certifies to the Agency
  that it is in compliance with, and agrees to be bound by, the CPRA.
A contractor means a person to whom the business makes available a
consumer's personal information for a business purpose pursuant to a
written contract with the business, provided that the contract does the
following.
- Prohibits the contractor from the following.
  - Selling or sharing the personal information
  - Retaining, using, or disclosing the personal information for any purpose
    other than for the business purposes specified in the contract, including
    retaining, using, or disclosing the personal information for a commercial
    purpose other than the business purposes specified in the contract, or as
    otherwise permitted by the CPRA
  - Retaining, using, or disclosing the information outside of the direct
    business relationship between the contractor and the business
  - Combining the personal information that the contractor receives pursuant
    to a written contract with the business with personal information that it
    receives from or on behalf of another person or persons, or collects from
    its own interaction with the consumer, provided that the contractor may
    combine personal information to perform any business purpose, except for
    providing advertising and marketing services, except for cross-context
    behavioral advertising, to the consumer, provided that for the purpose of
    advertising and marketing, a service provider or contractor shall not
    combine the personal information of opted-out consumers that the service
    provider or contractor receives from or on behalf of the business with
    personal information that the service provider or contractor receives from
    or on behalf of another person or persons, or collects from its own
    interaction with consumers, and except as provided for in CPRA regulations
- Includes a certification made by the contractor that the contractor
  understands the foregoing restrictions and will comply with them.
- Permits, subject to agreement with the contractor, the business to monitor
  the contractor's compliance with the contract through measures including,
  without limitation, ongoing manual reviews and automated scans, and regular
  assessments, audits, or other technical and operational testing at least once
  every 12 months.
If a contractor engages any other person to assist it in processing personal
information for a business purpose on behalf of the business, or if any other
person engaged by the contractor engages another person to assist in processing
personal information for such business purpose, it shall notify the business of
such engagement and the engagement shall be pursuant to a written contract
binding the other person to observe all of the above contractor requirements.
A service provider means a person that does the following.
- Processes personal information on behalf of a business, and
- Receives from or on behalf of the business a consumer's personal
  information for a business purpose pursuant to a written contract, provided
  that the contract prohibits the person from the following.
  - Selling or sharing the personal information
  - Retaining, using, or disclosing the personal information for any
    purpose other than for the business purposes specified in the contract
    for the business, including retaining, using, or disclosing the personal
    information for a commercial purpose other than the business purposes
    specified in the contract with the business, or as otherwise permitted by
    the CPRA
  - Retaining, using, or disclosing the information outside of the direct
    business relationship between the service provider and the business
  - Combining the personal information that the service provider receives
    from or on behalf of the business with personal information which it
    receives from or on behalf of another person or persons, or collects from
    its own interaction with the consumer, provided that the service provider
    may combine personal information to perform any business purpose, except
    for providing advertising and marketing services, except for
    cross-context behavioral advertising, to the consumer, provided that for
    the purpose of advertising and marketing, a service provider or
    contractor shall not combine the personal information of opted-out
    consumers that the service provider or contractor receives from or on
    behalf of the business with personal information that the service
    provider or contractor receives from or on behalf of another person or
    persons, or collects from its own interaction with consumers, and except
    as provided for in CPRA regulations
The contract may, subject to agreement with the service provider, permit the
business to monitor the service provider's compliance with the contract through
measures including, without limitation, ongoing manual reviews and automated
scans, and regular assessments, audits, or other technical and operational
testing at least once every 12 months.
If a service provider engages any other person to assist it in processing
personal information for a business purpose on behalf of the business, or if
any other person engaged by the service provider engages another person to
assist in processing personal information for such business purpose, it shall
notify the business of such engagement, and the engagement shall be pursuant to
a written contract binding the other person to observe all of the above service
provider requirements.
Third party means a person that is not any of the following.
- Business with which the consumer intentionally interacts and that
collects personal information from the consumer as part of the consumer's
current interaction with the business under the CPRA
- Service provider to the business
- Contractor
A business that collects a consumer's personal information and that
sells that personal information to, or shares it with, a third party or that
discloses it to a service provider or contractor for a business purpose shall
enter into an agreement with such third party, service provider, or contractor
that does the following.
- Specifies that the personal information is sold or disclosed by the
business only for limited and specified purposes
- Obligates the third party, service provider, or contractor to comply with
applicable obligations under the CPRA and obligate those persons to provide
the same level of privacy protection as is required by the CPRA
- Grants the business rights to take reasonable and appropriate steps to
help to ensure that the third party, service provider, or contractor uses the
personal information transferred in a manner consistent with the
business's obligations under the CPRA
- Requires the third party, service provider, or contractor to notify the
business (Notification) if it makes a determination that it can no longer
meet its obligations under the CPRA
- Grants the business the right, upon notice, including regarding
Notification, to take reasonable and appropriate steps to stop and remediate
unauthorized use of personal information
Definitions
Advertising and marketing mean a communication by a business or a person
acting on the business's behalf in any medium intended to induce a consumer
to obtain goods, services, or employment.
Aggregate consumer information means information that relates to a group or
category of consumers, from which individual consumer identities have been
removed, that is not linked or reasonably linkable to any consumer or
household, including via a device, and does not mean one or more individual
consumer records that have been deidentified.
Consumer means a California resident.
Cross-context behavioral advertising means the targeting of advertising to a
consumer based on the consumer's personal information obtained from the
consumer's activity across businesses, distinctly branded websites,
applications, or services, other than the business, distinctly branded website,
application, or service with which the consumer intentionally interacts.
Deidentified means information that cannot reasonably be used to infer
information about, or otherwise be linked to, a particular consumer, provided
that the business that possesses the information takes reasonable measures to
ensure that the information cannot be associated with a consumer or household;
publicly commits to maintain and use the information in deidentified form and
not to attempt to reidentify the information, except that the business may
attempt to reidentify the information solely for the purpose of determining
whether its deidentification processes satisfy the requirements of Cal. Civ.
Code section 1798.140(m); and contractually obligates any recipients of the
information to comply with all provisions of Cal. Civ. Code section
1798.140(m).
Personal information means information that identifies, relates to,
describes, is reasonably capable of being associated with, or could reasonably
be linked, directly or indirectly, with a particular consumer or household, and
the CPRA describes various types of personal information, including without
limitation, sensitive personal information, and specifies exceptions.
Precise geolocation means any data that is the following.
- Derived from a device, and
- Used or intended to be used to locate a consumer within a geographic area
that is equal to or less than the area of a circle with a radius of 1,850
feet, except as prescribed by regulations
Sell, selling, sale, or sold means selling, renting, releasing, disclosing,
disseminating, making available, transferring, or otherwise communicating
orally, in writing, or by electronic or other means a consumer's personal
information by the business to a third party for monetary or other valuable
consideration, subject to specified exceptions.
Sensitive personal information means the following, subject to specified
exceptions.
- Personal information that reveals the following.
  - A consumer's Social Security, driver's license, state
    identification card, or passport number
  - A consumer's account log-in, financial account, debit card, or
    credit card number together with any required security or access code,
    password, or credentials allowing access to an account
  - A consumer's precise geolocation
  - A consumer's racial or ethnic origin, religious or philosophical
    beliefs, or union membership
  - The contents of a consumer's mail, email, and text messages,
    unless the business is the intended recipient of the communication,
    and
  - A consumer's genetic data
- The processing of biometric information for the purpose of uniquely
  identifying a consumer
- Personal information collected and analyzed concerning a consumer's
  health, or
- Personal information collected and analyzed concerning a consumer's
  sex life or sexual orientation
Share, shared, or sharing means sharing,
renting, releasing, disclosing, disseminating, making available, transferring,
or otherwise communicating orally, in writing, or by electronic or other means,
a consumer's personal information by the business to a third party for
cross-context behavioral advertising, whether or not for monetary or other
valuable consideration, including transactions between a business and a third
party for cross-context behavioral advertising for the benefit of a business in
which no money is exchanged, subject to specified exceptions.