The California Privacy Rights Act (CPRA) will become operative on January 1, 2023, subject to certain exceptions. Its background, application, and definitions were discussed in the December 2020 article "California Privacy Rights Act: Background, Application, and Definitions." This article reviews the CPRA provisions relating to consumer rights, enforcement, and security. CPRA exceptions will be addressed in a subsequent article.
Consumer Rights
Consumer rights under the CPRA are as follows.
Right To Know
A business that collects personal information about consumers must disclose the following in response to a verifiable consumer request.
- Categories of personal information the business has collected about the
consumer
- Categories of sources from which the personal information is
collected
- Business or commercial purpose for collecting, selling, or sharing
personal information
- Categories of third parties to which the business discloses personal
information
- Specific pieces of personal information the business has collected about
the consumer
A business that sells or shares a consumer's personal information, or discloses a consumer's personal information for a business purpose, must disclose the following in response to a verifiable consumer request.
- Categories of personal information the business has collected about the consumer
- Categories of personal information the business has sold or shared about the consumer, and the categories of third parties to which it was sold or shared, listed by category or categories of personal information for each category of third party to which the personal information was sold or shared
- Categories of personal information the business has disclosed about the consumer for a business purpose, and the categories of persons to which it was disclosed for a business purpose
Deletion
In response to a verifiable consumer request, and subject to specified exceptions, a business must delete the personal information it has collected about the consumer, notify its service providers or contractors to delete the consumer's personal information from their records, and notify all third parties to which it has sold or shared that personal information to delete it, unless this proves impossible or involves disproportionate effort.
Correction
A business that maintains personal information about consumers must, in response to a verifiable consumer request, use commercially reasonable efforts to correct inaccurate personal information about the consumer, as directed by the consumer, pursuant to Cal. Civ. Code section 1798.130 and the CPRA regulations.
Limitation on Sensitive Personal Information Use and Disclosure
Once a consumer directs a business not to use or disclose the consumer's sensitive personal information, a business that collects sensitive personal information about that consumer (other than sensitive personal information collected or processed without the purpose of inferring characteristics about a consumer) must limit its use of that information to what is necessary to perform the services or provide the goods reasonably expected by an average consumer who requests them, to perform certain specified services, and as authorized by the CPRA regulations. The business must not use or disclose the consumer's sensitive personal information for any other purpose unless the consumer subsequently consents to its use or disclosure for additional purposes.
Antidiscrimination
A business must not discriminate against a consumer for exercising any of the consumer's rights under the CPRA. A business may, however, offer different prices, rates, levels, or quality of goods or services to the consumer if the difference is reasonably related to the value provided to the business by the consumer's data. It may also offer financial incentives for the collection, sale or sharing, or retention of personal information, but only on a prior opt-in consent basis, and it must notify consumers of the financial incentives pursuant to Cal. Civ. Code section 1798.130.
Opt Out and Website Requirements
A business that sells consumers' personal information to, or shares it with, third parties must notify consumers that this information may be sold or shared and that consumers have the right to opt out of the sale or sharing of their personal information. A business that uses or discloses a consumer's sensitive personal information for purposes other than those described above under the limitation on sensitive personal information use and disclosure must notify consumers that this information may be used, or disclosed to a service provider or contractor, for additional, specified purposes and that consumers have the right to limit the use or disclosure of their sensitive personal information.
A business that sells or shares consumers' personal information, or that uses or discloses consumers' sensitive personal information for purposes other than those authorized by Cal. Civ. Code section 1798.121(a), must provide the applicable clear and conspicuous link or links.
- A "Do Not Sell or Share My Personal Information" link on its Internet home page that enables a consumer to opt out of the sale or sharing of the consumer's personal information
- A "Limit the Use of My Sensitive Personal Information" link on its Internet home page that enables a consumer to limit the use or disclosure of the consumer's sensitive personal information
In lieu of the foregoing, and at the business's discretion, a business may use a single, clearly labeled link on its Internet home page if that link easily allows a consumer both to opt out of the sale or sharing of the consumer's personal information and to limit the use or disclosure of the consumer's sensitive personal information.
Alternatively, the business may allow consumers to opt out of the sale or sharing of their personal information, to limit the use of their sensitive personal information, or both, through an opt-out preference signal. Such a signal is sent to the business, with the consumer's consent, by a platform, technology, or mechanism that conforms to the technical specifications in the CPRA regulations, and it indicates the consumer's intent to opt out of the business's sale or sharing of the consumer's personal information, to limit the use or disclosure of the consumer's sensitive personal information, or both.
A business must not sell or share the personal information of a consumer if the business has actual knowledge that the consumer is under 16 years of age, unless the sale or sharing has been affirmatively authorized by the consumer (for consumers at least 13 and under 16 years of age) or by the consumer's parent or guardian (for consumers under 13 years of age).
Privacy Policy Requirements
A business must describe the following in its online privacy policy, or in any California-specific description of consumer privacy rights, and must update that description at least once every 12 months.
- Consumers' rights under the CPRA, including the right to opt out of the sale or sharing of personal information and the right to limit the use or disclosure of sensitive personal information, together with separate "Do Not Sell or Share My Personal Information" and "Limit the Use of My Sensitive Personal Information" Web page links, if applicable, or a single link to both choices, or a statement that the business responds to and abides by opt-out preference signals sent by a specified platform, technology, or mechanism
- The methods for submitting consumer requests
- For the preceding 12 months:
  - The categories of personal information the business has collected about consumers
  - The categories of sources from which the personal information is collected
  - The business or commercial purpose for collecting, selling, or sharing personal information
  - The categories of third parties to which the business discloses personal information
  - That a consumer has the right to request the specific pieces of personal information the business has collected about that consumer
  - Categories of personal information the business has sold or shared about consumers (if the business has not sold or shared consumers' personal information, it must disclose that fact)
  - Categories of personal information the business has disclosed about consumers for a business purpose (if the business has not disclosed consumers' personal information for a business purpose, it must disclose that fact)
Notice at Collection
A business that controls the collection of a consumer's personal information must, at or before the point of collection, inform consumers of the following.
- The categories of personal information to be collected, the purposes for which those categories are collected or used, and whether such information is sold or shared
- If the business collects sensitive personal information, the categories of sensitive personal information to be collected, the purposes for which those categories are collected or used, and whether such information is sold or shared
- The length of time the business intends to retain each category of personal information (including sensitive personal information) or, if that is not possible, the criteria used to determine that period; in any case, a business must not retain a consumer's personal information or sensitive personal information for longer than is reasonably necessary for each disclosed purpose for which it was collected
A business must not collect additional categories of personal information (including sensitive personal information), or use personal information (including sensitive personal information) for additional purposes that are incompatible with the disclosed purpose for which it was collected, without first providing the consumer with notice.
A business's collection, use, retention, and sharing of a consumer's personal information must be reasonably necessary and proportionate to achieve the purposes for which the personal information was collected or processed, or another disclosed purpose that is compatible with the context in which it was collected, and the information must not be further processed in a manner that is incompatible with those purposes.
Enforcement
Any business, service provider, contractor, or other person that violates the CPRA is liable, in an administrative enforcement action brought by the California Privacy Protection Agency (Agency), for an administrative fine of not more than $2,500 for each violation, or $7,500 for each intentional violation or each violation involving the personal information of a consumer that the business, service provider, contractor, or other person has actual knowledge is under 16 years of age.
In addition, after satisfying certain procedural requirements, a consumer may bring a civil action to recover not less than $100 and not more than $750 per consumer per incident or actual damages, whichever is greater, if the consumer's nonencrypted and nonredacted personal information, or the consumer's email address in combination with a password or security question and answer that would permit access to the account, is subject to unauthorized access and exfiltration, theft, or disclosure as a result of the business's violation of its duty to implement and maintain reasonable security procedures and practices, appropriate to the nature of the information, to protect the personal information.
If a series of steps or transactions were component parts of a single transaction intended from the beginning to be taken with the intention of avoiding the reach of the CPRA, a court or the Agency must disregard the intermediate steps or transactions for purposes of effectuating the CPRA's purposes. This includes the disclosure of information by a business to a third party in order to avoid the definition of sell or share, and steps or transactions taken to purposely avoid that definition by eliminating any monetary or other valuable consideration, including by entering into contracts that do not include an exchange for monetary or other valuable consideration but under which a party obtains something of value or use.
Security
A business that collects a consumer's personal information must implement reasonable security procedures and practices, appropriate to the nature of the personal information, to protect it from unauthorized or illegal access, destruction, use, modification, or disclosure in accordance with Cal. Civ. Code section 1798.81.5. Implementing and maintaining reasonable security procedures and practices pursuant to Cal. Civ. Code section 1798.81.5 only after a breach has occurred does not constitute a cure with respect to that breach.