California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA)

Evolving Privacy Laws Enhance Consumers’ Rights

Passed in 2018, the state of California signed into law the California Consumer Privacy Act (CCPA) that went into enforcement beginning on July 1, 2020. This Act protects the privacy rights of California residents residing in the state other than a temporary or transitory purpose and those who resided in the state but are outside of the state for a temporary or transitional purpose. Based on this Act, companies must protect five consumer rights including the right to:

• •  Knowledge of collection and usage
• •  Knowledge of disclosure or sale
• •  Delete
• •  Non-discrimination
• •  Opt-out

Companies doing business with California residents, including making sales to visitors on their website, must comply with these laws. Additionally, third parties that collect, process, use, or purchase consumers’ personal data from companies doing business with California residents must also follow the CCPA. These companies or third parties do not need to have a physical presence in California. They also must also satisfy at least one of these requirements:

• •  At least $25 million annual gross revenue
• • Receives, buys, sells, or shares, alone or in combination, personal information on at least 50,000 California residents, households, or devices for commercial purposes
• • Earns more 50 percent of its annual revenue from the sale of personal information

The CCPA does not apply to certain entities such as government agencies, non-profit companies, or certain small companies who do not satisfy the requirements. Companies will need to provide the following information on their websites, online privacy policies, or other relevant company policies. This information must be updated every 12 months.

• • Description of consumer rights outlined in CCPA
• • Description of one or more methods on how consumers can request information regarding their personal information
• • A list of categories of consumer’s personal information they have sold in the last 12 months
• • A list of the categories of consumer’s personal information they have disclosed in the last 12 months
• • A statement affirming they have not sold consumer’s personal information in the last 12 months
•  

• Additionally, if a consumer requests information, the company must disclose the requested information. Consumers can request data collected up to 12 months prior to the date of their request, and the company typically has 45 days from the request to provide the requested information.

  
  

  If a business or entity is in violation of CCPA, they will receive a notification and will have 30 days to correct the violation. If the company does not take steps to achieve compliance, the company can be fined $2,500 per violation. If the violation is deemed willful, the company can be fined $7,500 per violation. Additionally, any consumer affected by a data breach are entitled to damages ranging from $100 to $750 per person.

  
  

  The California Privacy Rights Act (CPRA) will come into effect in 2023 and will enhance California’s current data privacy laws. This Act does not replace the CCPA but is an addition to the existing laws. The CPRA adds four additional consumer rights to the data privacy rights granted by the CCPA. These rights are the right to:

  • • Correction
  • • Restrict sensitive personal information
  • • Opt-out of Automated Decision-making Technology
  • • Access information about Automated Decision-making

   

• In addition, it expands or modifies five existing consumer rights. In general, consumer consent takes on a larger role under the CPRA. However, information that is publicly available is not considered under CPRA including unrestricted information a consumer distributes on social media. The CPRA also grants employees; full-time, contractors, and applicants; the same rights as regular consumers.

  
  

  All company thresholds established in the CCPA have also been modified in the CPRA. The changes are bolded below:

  • • Exceeds $25 million annual gross revenues of the preceding calendar year
  • • Receives, buys, or sells personal information of 100,000 or more consumers or households 
  • • Earns more than 50 percent of its annual revenue from the sharing or sale of consumers’ personal information

   

• Commonly controlled entities and joint ventures will be required to comply with CPRA.

  
  

  One of the most important changes is that companies must inform consumers “at or before the point of collection” as to:

  • • If personal information is sold or shared
  • • Information about the collection, processing, and disclosure of “sensitive personal information”
  • • “The length of time the company intends to retain each category of personal information” or “the criteria used to determine such period”
  •  

• In addition, how companies use consumer information with third parties will be further restricted under CPRA.

  
  

  If a company or entity fails to adequately protect consumers’ data from unauthorized access such as breaches and theft, it will be easier for consumers to sue. Additionally, the CPRA eliminates the 30-day corrective time companies were afforded under CCPA. Violations involving minors under the age of 16 will now be fined $7,500 per violation. The newly created California Privacy Protection Agency (CPPA) will oversee and have broad jurisdiction of personal data protection.

  
  

  Privacy laws are constantly evolving. It is important to be compliant with the CCPA and make sure you adhere to CPRA before it takes effect. If you have questions about your data privacy practice and want to see if you are compliant with the CCPA and CPRA, contact us at Whitcomb, Selinsky, P.C. Our expert legal team of data/cybersecurity/privacy specialists will review your current procedures and suggest additional processes as needed.

  
  

  If you have received a CCPA violation notice, we will examine your violation, advise on corrective actions to resolve your violation and work with the necessary officials if needed to ensure the violation is rectified. It is our job to know the laws so you can get back to business.