Expert Commentary

California Privacy Rights Act: Consumer Rights, Enforcement, Security

The California Privacy Rights Act (CPRA) will become operative on January 1, 2023, subject to certain exceptions. The background, application, and definitions were discussed in the December 2020 article. See "California Privacy Rights Act: Background, Application, and Definitions." This article reviews the CPRA provisions relating to consumer rights, enforcement, and security. CPRA exceptions will be addressed in a subsequent article.


Cyber and Privacy Risk and Insurance
December 2020

Consumer Rights

Consumer rights under the CPRA are as follows.

Right To Know

A business that collects personal information about consumers needs to disclose, in response to a verifiable consumer request, the following.

  • Categories of personal information the business has collected about the consumer
  • Categories of sources from which the personal information is collected
  • Business or commercial purpose for collecting, selling, or sharing personal information
  • Categories of third parties to which the business discloses personal information
  • Specific pieces of personal information the business has collected about the consumer  

A business that sells or shares a consumer's personal information or discloses a consumer's personal information for a business purpose needs to disclose the following in response to a verifiable consumer request.

  • Categories of personal information the business has collected about the consumer
  • Categories of personal information the business has sold or shared about the consumer and categories of third parties to which the personal information was sold or shared by category or categories of personal information for each category of third party to which the personal information was sold or shared
  • Categories of personal information the business has disclosed about the consumer for a business purpose and the categories of persons to which it was disclosed for a business purpose

Deletion

Subject to specified exceptions, a business must delete the personal information the business collected about a consumer and notify service providers or contractors to delete the consumer's personal information from their records and notify all third parties to which the business has sold or shared such personal information to delete the consumer's personal information in response to a verifiable consumer request, unless this proves impossible or involves disproportionate effort.

Correction

A business that maintains personal information about consumers must use commercially reasonable efforts to correct the inaccurate personal information about a consumer, as directed by the consumer, pursuant to Cal. Civ. Code section 1798.130 and CPRA regulations, in response to a verifiable consumer request.

Limitation on Sensitive Personal Information Use and Disclosure

A business that collects sensitive personal information (other than sensitive personal information that is collected or processed without the purpose of inferring characteristics about a consumer) about a consumer must limit its use of the consumer's sensitive personal information to that use which is necessary to perform the services or provide the goods reasonably expected by an average consumer who requests such goods or services, to perform certain specified services and as authorized by CPRA regulations and must not use or disclose the consumer's sensitive personal information for any other purpose, after the business receives direction from a consumer not to so use or disclose the consumer's sensitive personal information, unless the consumer subsequently provides consent for the use or disclosure of the consumer's sensitive personal information for additional purposes. 

Antidiscrimination

A business must not discriminate against a consumer who exercises any of the consumer's rights under the CPRA. However, a business may offer different prices, rates, levels, or quality of goods or services to the consumer if the difference is reasonably related to the value provided to the business by the consumer's data and may offer financial incentives for the collection of personal information, the sale or sharing of personal information, or the retention of personal information on a prior opt-in consent basis and must notify consumers of the financial incentives pursuant to Cal. Civ. Code section 1798.130.

Opt Out and Website Requirements

A business that sells consumers' personal information to, or shares consumers' personal information with, third parties needs to provide notice to consumers thereof that this information may be sold or shared and that consumers have the right to opt out of the sale or sharing of their personal information. A business that uses or discloses a consumer's sensitive personal information for purposes other than those described above regarding the limitation on sensitive personal information use and disclosure must provide notice to consumers that this information may be used, or disclosed to a service provider or contractor, for additional, specified purposes and that consumers have the right to limit the use or disclosure of their sensitive personal information.

A business that sells or shares consumers' personal information or uses or discloses consumers' sensitive personal information for purposes other than those authorized by Cal. Civ. Code section 1798.121(a) must provide the following clear and conspicuous link.

"Do Not Sell or Share My Personal Information" link on its Internet home page that enables a consumer to opt out of the sale or sharing of the consumer's personal information.

"Limit the Use of My Sensitive Personal Information" link on its Internet home page that enables a consumer to limit the use or disclosure of the consumer's sensitive personal information.

In lieu of the foregoing and at the business's discretion, a business may utilize a single, clearly labeled link on its Internet home page if such link easily allows a consumer to opt out of the sale or sharing of the consumer's personal information and to limit the use or disclosure of the consumer's sensitive personal information.

Alternatively, the business may allow consumers to opt out of the sale or sharing of their personal information and to limit the use of their sensitive personal information through an opt-out preference signal sent with the consumer's consent by a platform, technology, or mechanism based on technical specifications in CPRA regulations to the business indicating the consumer's intent to opt out of the business's sale or sharing of the consumer's personal information or to limit the use or disclosure of the consumer's sensitive personal information, or both.

A business must not sell or share the personal information of consumers if the business has actual knowledge that the consumer is less than 16 years of age unless the consumer, in the case of consumers at least 13 years of age and less than 16 years of age, or the consumer's parent or guardian, in the case of consumers who are less than 13 years of age, has affirmatively authorized the sale or sharing of the consumer's personal information.

Privacy Policy Requirements

A business must describe in its online privacy policy or in any California-specific description of consumer privacy rights the following, which must be updated at least once every 12 months.  

  • Consumers' rights under the CPRA, including to opt out of the sale or sharing of the consumer's personal information and to limit the use or disclosure of the consumer's sensitive personal information and separate "Do Not Sell or Share My Personal Information" and "Limit the Use of My Sensitive Personal Information" Web page links, if applicable, or a single link to both choices, or a statement that the business responds to and abides by opt-out preference signals sent by a specified platform, technology, or mechanism
  • The methods for submitting consumer requests
  • In the preceding 12 months
    • The categories of personal information that the business has collected about consumers
    • The categories of sources from which the personal information is collected
    • The business or commercial purpose for collecting, selling, or sharing personal information
    • The categories of third parties with which the business discloses personal information
    • That a consumer has the right to request the specific pieces of personal information the business has collected about that consumer
    • Categories of personal information the business has sold or shared about the consumer (if the business has not sold or shared consumers' personal information, it shall disclose that fact)
    • Categories of personal information the business has disclosed about the consumer for a business purpose (if the business has not disclosed consumers' personal information for a business purpose, it shall disclose that fact)

Notice at Collection

A business that controls the collection of a consumer's personal information must, at or before the point of collection, inform consumers as to the following.

  • Categories of personal information to be collected and the purposes for which the categories of personal information are collected or used and whether such information is sold or shared
  • If the business collects sensitive personal information, categories of sensitive personal information to be collected and the purposes for which the categories of sensitive personal information are collected or used, and whether such information is sold or shared
  • A business must not collect additional categories of personal information (including sensitive personal information) or use personal information (including sensitive personal information) collected for additional purposes that are incompatible with the disclosed purpose for which the information was collected without providing the consumer with notice
  • Length of time the business intends to retain each category of personal information (including sensitive personal information), or if that is not possible, the criteria used to determine such period, provided that a business must not retain a consumer's personal information or sensitive personal information for each disclosed purpose for which the personal information was collected for longer than is reasonably necessary for that disclosed purpose

A business's collection, use, retention, and sharing of a consumer's personal information shall be reasonably necessary and proportionate to achieve the purposes for which the personal information was collected or processed, or for another disclosed purpose that is compatible with the context in which the personal information was collected, and not further processed in a manner that is incompatible with those purposes.  

Enforcement

Any business, service provider, contractor, or other person that violates the CPRA shall be liable for an administrative fine of not more than $2,500 for each violation or $7,500 for each intentional violation or violations involving the personal information of consumers that the business, service provider, contractor, or other person has actual knowledge is under 16 years of age in an administrative enforcement action brought by the California Privacy Protection Agency (Agency).

In addition, after satisfying certain procedural requirements, a consumer can bring a civil action in an amount not less than $100 and not greater than $750 per consumer per incident or actual damages, whichever is greater, regarding their nonencrypted and nonredacted personal information (including email address together with a password or security question and answer that would permit access to the account) that is subject to unauthorized access and exfiltration, theft, or disclosure as a result of the business's violation of the duty to implement and maintain reasonable security procedures and practices appropriate to the nature of the information to protect the personal information.

A court or the Agency shall disregard the intermediate steps or transactions for purposes of effectuating the purposes of the CPRA if a series of steps or transactions were component parts of a single transaction intended from the beginning to be taken with the intention of avoiding the reach of the CPRA, including the disclosure of information by a business to a third party in order to avoid the definition of sell or share or if steps or transactions were taken to purposely avoid the definition of sell or share by eliminating any monetary or other valuable consideration, including by entering into contracts that do not include an exchange for monetary or other valuable consideration but where a party is obtaining something of value or use.

Security

A business that collects a consumer's personal information must implement reasonable security procedures and practices appropriate to the nature of the personal information to protect the personal information from unauthorized or illegal access, destruction, use, modification, or disclosure in accordance with Cal. Civ. Code section 1798.81.5. The implementation and maintenance of reasonable security procedures and practices pursuant to Cal. Civ. Code section 1798.81.5 following a breach does not constitute a cure with respect to that breach.


Opinions expressed in Expert Commentary articles are those of the author and are not necessarily held by the author's employer or IRMI. Expert Commentary articles and other IRMI Online content do not purport to provide legal, accounting, or other professional advice or opinion. If such advice is needed, consult with your attorney, accountant, or other qualified adviser.

Like This Article?

IRMI Update

Dive into thought-provoking industry commentary every other week, including links to free articles from industry experts. Discover practical risk management tips, insight on important case law and be the first to receive important news regarding IRMI products and events.

Learn More