Expert Commentary

California Privacy Rights Act: Background, Application and Definitions

The California Privacy Rights Act (CPRA) will become operative on January 1, 2023, subject to specified exceptions, which are operative on the effective date of the CPRA. Notwithstanding any other law, civil and administrative enforcement of the provisions of law added or amended by the CPRA will begin on July 1, 2023, and will apply only to violations occurring on or after that date.


Cyber and Privacy Risk and Insurance
December 2020

Subject to specified exceptions, the CPRA will apply only to personal information collected by a business on or after January 1, 2022 (including with respect to a consumer's right to request required information beyond a 12-month period and a business's obligation to provide such information).

The CPRA establishes, within California state government, the California Privacy Protection Agency (Agency), which is vested with full administrative power, authority, and jurisdiction to implement and enforce the California Consumer Privacy Act of 2018, as amended (CCPA). Beginning on the later of July 1, 2021, or 6 months after the Agency provides notice to the California attorney general that it is prepared to begin rulemaking under the CPRA, the authority assigned to the California attorney general to adopt CPRA regulations will be exercised by the Agency. Final CPRA regulations must be adopted by July 1, 2022.

The provisions of the CCPA will remain in effect and be enforceable until the same provisions of the CPRA become enforceable. Developments should be monitored carefully.

Application

The CPRA applies to a business, contractor, service provider, and third party.

A business means a legal entity organized or operated for the profit or financial benefit of its owners that has the following characteristics.

  • Meets one of the following thresholds
    • As of January 1 of the calendar year, had annual gross revenues in excess of $25 million in the preceding calendar year
    • Alone or in combination, annually buys, sells, or shares the personal information of 100,000 or more consumers or households
    • Derives 50 percent or more of its annual revenues from selling or sharing consumers' personal information
  • Collects consumers' personal information, or is the entity on behalf of which that information is collected
  • Alone, or jointly with others, determines the purposes and means of the processing of consumers' personal information
  • Does business in California

A business also means the following.

  • Any entity that controls or is controlled by a business, with which the business shares consumers' personal information, and that shares common branding with the business, meaning a shared name, service mark, or trademark, such that the average consumer would understand that two or more entities are commonly owned
  • A joint venture or partnership composed of businesses in which each business has at least a 40 percent interest
  • A person that does business in California, that is not covered by the three definitions of business above, and that voluntarily certifies to the Agency that it is in compliance with, and agrees to be bound by, the CPRA

A contractor means a person to whom the business makes available a consumer's personal information for a business purpose pursuant to a written contract with the business, provided that the contract does the following.

  • Prohibits the contractor from the following.
    • Selling or sharing the personal information
    • Retaining, using, or disclosing the personal information for any purpose other than for the business purposes specified in the contract, including retaining, using, or disclosing the personal information for a commercial purpose other than the business purposes specified in the contract, or as otherwise permitted by the CPRA
    • Retaining, using, or disclosing the information outside of the direct business relationship between the contractor and the business
    • Combining the personal information that the contractor receives pursuant to a written contract with the business with personal information that it receives from or on behalf of another person or persons, or collects from its own interaction with the consumer, provided that the contractor may combine personal information to perform any business purpose, except for providing advertising and marketing services (other than cross-context behavioral advertising) to the consumer, and provided that, for the purpose of advertising and marketing, a service provider or contractor shall not combine the personal information of opted-out consumers that it receives from or on behalf of the business with personal information that it receives from or on behalf of another person or persons, or collects from its own interaction with consumers, and except as provided for in CPRA regulations
  • Includes a certification made by the contractor that the contractor understands the foregoing restrictions and will comply with them.
  • Permits, subject to agreement with the contractor, the business to monitor the contractor's compliance with the contract through measures including, without limitation, ongoing manual reviews and automated scans, and regular assessments, audits, or other technical and operational testing at least once every 12 months.

If a contractor engages any other person to assist it in processing personal information for a business purpose on behalf of the business, or if any other person engaged by the contractor engages another person to assist in processing personal information for such business purpose, it shall notify the business of such engagement and the engagement shall be pursuant to a written contract binding the other person to observe all of the above contractor requirements.  

A service provider means a person that does the following.

  • Processes personal information on behalf of a business, and
  • Receives from or on behalf of the business a consumer's personal information for a business purpose pursuant to a written contract, provided that the contract prohibits the person from the following.
    • Selling or sharing the personal information
    • Retaining, using, or disclosing the personal information for any purpose other than for the business purposes specified in the contract for the business, including retaining, using, or disclosing the personal information for a commercial purpose other than the business purposes specified in the contract with the business, or as otherwise permitted by the CPRA
    • Retaining, using, or disclosing the information outside of the direct business relationship between the service provider and the business
    • Combining the personal information that the service provider receives from or on behalf of the business with personal information that it receives from or on behalf of another person or persons, or collects from its own interaction with the consumer, provided that the service provider may combine personal information to perform any business purpose, except for providing advertising and marketing services (other than cross-context behavioral advertising) to the consumer, and provided that, for the purpose of advertising and marketing, a service provider or contractor shall not combine the personal information of opted-out consumers that it receives from or on behalf of the business with personal information that it receives from or on behalf of another person or persons, or collects from its own interaction with consumers, and except as provided for in CPRA regulations

The contract may, subject to agreement with the service provider, permit the business to monitor the service provider's compliance with the contract through measures including, without limitation, ongoing manual reviews and automated scans, and regular assessments, audits, or other technical and operational testing at least once every 12 months.

If a service provider engages any other person to assist it in processing personal information for a business purpose on behalf of the business, or if any other person engaged by the service provider engages another person to assist in processing personal information for such business purpose, it shall notify the business of such engagement, and the engagement shall be pursuant to a written contract binding the other person to observe all of the above service provider requirements.  

Third party means a person that is not any of the following.

  • The business with which the consumer intentionally interacts and that collects personal information from the consumer as part of the consumer's current interaction with the business under the CPRA
  • A service provider to the business
  • A contractor

A business that collects a consumer's personal information and that sells that personal information to, or shares it with, a third party or that discloses it to a service provider or contractor for a business purpose shall enter into an agreement with such third party, service provider, or contractor that does the following.

  1. Specifies that the personal information is sold or disclosed by the business only for limited and specified purposes
  2. Obligates the third party, service provider, or contractor to comply with applicable obligations under the CPRA and obligates those persons to provide the same level of privacy protection as is required by the CPRA
  3. Grants the business rights to take reasonable and appropriate steps to help to ensure that the third party, service provider, or contractor uses the personal information transferred in a manner consistent with the business's obligations under the CPRA
  4. Requires the third party, service provider, or contractor to notify the business (Notification) if it makes a determination that it can no longer meet its obligations under the CPRA
  5. Grants the business the right, upon notice, including regarding Notification, to take reasonable and appropriate steps to stop and remediate unauthorized use of personal information

Definitions

Advertising and marketing means a communication by a business, or a person acting on the business's behalf, in any medium intended to induce a consumer to obtain goods, services, or employment.

Aggregate consumer information means information that relates to a group or category of consumers, from which individual consumer identities have been removed, that is not linked or reasonably linkable to any consumer or household, including via a device, and does not mean one or more individual consumer records that have been deidentified.

Consumer means a California resident.

Cross-context behavioral advertising means the targeting of advertising to a consumer based on the consumer's personal information obtained from the consumer's activity across businesses, distinctly branded websites, applications, or services, other than the business, distinctly branded website, application, or service with which the consumer intentionally interacts.

Deidentified means information that cannot reasonably be used to infer information about, or otherwise be linked to, a particular consumer, provided that the business that possesses the information takes reasonable measures to ensure that the information cannot be associated with a consumer or household; publicly commits to maintain and use the information in deidentified form and not to attempt to reidentify the information, except that the business may attempt to reidentify the information solely for the purpose of determining whether its deidentification processes satisfy the requirements of Cal. Civ. Code section 1798.140(m); and contractually obligates any recipients of the information to comply with all provisions of Cal. Civ. Code section 1798.140(m).

Personal information means information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household, and the CPRA describes various types of personal information, including without limitation, sensitive personal information, and specifies exceptions.

Precise geolocation means any data that is the following.

  • Derived from a device, and
  • Used or intended to be used to locate a consumer within a geographic area that is equal to or less than the area of a circle with a radius of 1,850 feet, except as prescribed by regulations

Sell, selling, sale, or sold means selling, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means a consumer's personal information by the business to a third party for monetary or other valuable consideration, subject to specified exceptions.  

Sensitive personal information means the following, subject to specified exceptions.

  • Personal information that reveals the following.
    • A consumer's Social Security, driver's license, state identification card, or passport number
    • A consumer's account log-in, financial account, debit card, or credit card number together with any required security or access code, password, or credentials allowing access to an account
    • A consumer's precise geolocation
    • A consumer's racial or ethnic origin, religious or philosophical beliefs, or union membership
    • The contents of a consumer's mail, email, and text messages, unless the business is the intended recipient of the communication, and
    • A consumer's genetic data
  • The processing of biometric information for the purpose of uniquely identifying a consumer
  • Personal information collected and analyzed concerning a consumer's health, or
  • Personal information collected and analyzed concerning a consumer's sex life or sexual orientation

Share, shared, or sharing means sharing, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means, a consumer's personal information by the business to a third party for cross-context behavioral advertising, whether or not for monetary or other valuable consideration, including transactions between a business and a third party for cross-context behavioral advertising for the benefit of a business in which no money is exchanged, subject to specified exceptions.
