
California Privacy Rights Act Highlights With Lily Li and DPO Advisor

Permalink to video here: https://vimeo.com/484360790

Mike: Hi everyone, if you’ve been following data privacy at all, you’ve probably already heard of California’s new landmark privacy law, the California Consumer Privacy Act, or CCPA as it is widely known.

The CCPA was the biggest data privacy shakeup in United States history. However, on November 3rd, California passed the California Privacy Rights Act or the CPRA, which adds teeth to the CCPA and further strengthens the rights for California consumers.

Here to talk about the upcoming CPRA is Lily Li, who is a Data Privacy Attorney and the founder of Metaverse Law.

Lily, thanks so much for joining us today.

Lily: Hey, thanks for having me.

Mike: Well, let’s jump right in. Can you please explain to everyone what the CPRA is?

Lily: Well, the CPRA is a law that amends the existing law on the books. As you mentioned, there is this law called the California Consumer Privacy Act. It was passed by the California Legislature in 2018 and went into effect January 1st of this year.

Now we have CPRA, which is a ballot initiative that passed in the latest election, and it amends CCPA even further to make it more protective of privacy rights. Both of how customers use sensitive data and also about how companies use children’s data. We can definitely go more into the different changes that CPRA made to CCPA but this is a little bit of background on how it started.

Mike: That’s great. What do you feel are some of the key changes that the CPRA brings?

Lily: Well, the CPRA brings in this idea of sensitive personal information or sensitive personal data. And this aligns with a lot of other global privacy laws like GDPR and the new Brazilian Data Protection law.

Previously CCPA treated all types of personal information the same with respect to data subject requests. So people could get copies of their data. People could delete their data and a lot of people still have those rights with respect to companies.

Now, in CPRA there’s a new category of data: sensitive personal data, or sensitive personal information, and these categories of data include things like health care information, now precise geolocation, information about people’s genetics, or biometric data.

And what’s important about these categories of data is that not only does the law prevent you from sharing this data without providing certain notices, but the law also allows consumers to limit how a company uses sensitive data for its own purposes.

So even if you’re collecting geolocation information and not giving it out to third parties, if you’re using it for purposes at the company that aren’t related to why you’re collecting it from the consumer, the consumer has the right to ask you to limit your use of sensitive data.

A good example of this is precise geolocation data. Uber got in trouble a little while ago because it would collect geolocation data from people using its rideshare app—even after people had stopped using the app. And so Uber could track people’s location in their homes or while they were still waiting for the right transit service.

This is a big no-no—especially if you are not disclosing it. But now, customers and consumers have the right to say, hey, only use these sensitive pieces of information to provide me the services that I’ve requested. Don’t use it for anything else.

Another big change that the CPRA makes (some people now call it “CIPRA” and like to use the term CIPRA) is that it increases the penalties for children’s data.

So previously, you could suffer fines if you were using children’s data in violation of how you disclosed the uses of data in your privacy policy, or if you refused to respond to consumer requests regarding children’s data, and the fining regime was the same. It was $2500 to $7500 per violation.

The difference between CPRA and CCPA is that under CCPA you could be fined $2500 per violation or $7500 per intentional violation. So you had to intentionally violate the law, and not just accidentally violate it because you didn’t know about the rules.

What “CIPRA” does, or CPRA does, is that it removes the intentionality requirement when you’re dealing with children’s data. So if you are using children’s data in ways that you haven’t disclosed in your privacy policy, or you are not fulfilling consumer requests regarding children’s data, then you are subject to that higher fine of $7500 per violation without any showing that you did it on purpose.

And there are a lot of other changes in CPRA that affect businesses. One of them is concerning behavioral advertising.

Under CCPA there was a lot of debate about whether or not remarketing, retargeting, and other types of cookies that track users across websites counted as sales of consumer data. And if something counted as a sale of consumer data under California law, you needed to put a lot of disclosures on your website, like “I do not sell my personal information.”

Some companies were arguing that targeting ads, behavioral advertising, wasn’t a sale. There was no real exchange of money for personal information.

But CPRA removes that ambiguity. Under CPRA it is very clear that cross-contextual behavioral advertising, that is to say, cookies that you set on a device that track users across different platforms in order to create a profile for a user to target them, counts as a sale of data under CCPA, and so triggers a lot of the same disclosure requirements as if you were selling data in more traditional formats. So that’s another big change due to CPRA.

Mike: What do you think are the most important steps for businesses to take to comply with the CPRA?


What Businesses Need to Know if Voters Pass Proposition 24 (California Privacy Rights Act of 2020, “CPRA”)

Hot on the heels of the California Consumer Privacy Act (CCPA), California residents this November will vote on Proposition 24. A majority yes vote on Prop 24 would pass the California Privacy Rights Act (CPRA). The CPRA proposes several amendments to the CCPA, such as granting new rights to consumers, imposing greater penalties on businesses for certain violations, and creating a new state enforcement agency, the California Privacy Protection Agency (CPPA).

1. Right to Restrict Use of Sensitive Data

Under the newly added Section 1798.121, consumers now have the right to direct businesses to limit the use of “sensitive personal information.”

As defined in CPRA, sensitive personal information appears to combine the conventional definition of “personally identifiable information” from state breach notification laws with the definition of “special category data” under the GDPR. Accordingly, sensitive personal information is data that may include a Social Security Number, driver’s license number, account log-in/debit/credit card information in combination with password or PIN. It may also include a consumer’s precise geolocation, the contents of their e-mails or texts to others, and racial, religious, biometric, or health data.

If directed to do so, businesses must limit the use of sensitive personal information to only those purposes that are necessary to provide a consumer’s requested services or goods.

To facilitate consumer exercise of this right, businesses may be required to add another link, “Limit the Use of my Sensitive Personal Information,” to their websites, in addition to any existing “Do Not Sell My Personal Information” link.

2. Right to Opt-Out of Cross-Context Behavioral Advertising

The CPRA requires a right of opt-out for “cross-context behavioral advertising” regardless of whether it constitutes a “sale” of personal information or not.

Currently, the CCPA is ambiguous as to whether cross-context behavioral advertising—that is, the collection of a consumer’s activities across different websites or even different devices for the purposes of personalized and targeted advertising—constitutes a sale of personal information. Some affiliates, such as Google, have categorized themselves as a service provider providing marketing and advertising services to the business in order to fall outside the definition of sale. Some other affiliates have put forth the position that they never “sold” personal information, because they only allow advertisers to target broad categories of demographics without identifying a specific individual to the advertiser.

The CPRA is quite clear that such activity requires an opt-out regardless of whether it is a sale of information or not. Should CPRA come into effect, businesses should expect to present consumers with three opt-out choices in total (subject to further clarification from the Attorney General):

  1. A global opt-out from sale and sharing of personal information
  2. A choice to “Limit the Use of My Sensitive Personal Information”
  3. A choice for “Do Not Sell/Do Not Share/Do Not Share my Personal Information for Cross-Context Behavioral Advertising”

3. Employee and Business-to-Business (B2B) Data

Both employee and B2B data are currently exempted from general CCPA coverage, although these exemptions are set to expire January 1, 2021. Under the CPRA, these exemptions would be extended until January 1, 2023.

However, this does not mean that businesses do not have any obligations with respect to employee data under CCPA (and under CPRA). For data belonging to job applicants, employees, and independent contractors, businesses must disclose the categories of personal information that were collected and what purposes the information was collected for, typically within a separate employee privacy notice. CPRA also extends anti-discrimination rights to employees who exercise their rights and then face retaliatory action from their employer.

4. Children’s Data

Children’s privacy and data collection is a particularly sensitive area of regulation. TikTok is commonly scrutinized due to its predominantly younger userbase, and settled with the FTC for $5.7 million in 2019 over allegations that it collected children’s data without parental consent.

Under CPRA, fines may be tripled for violations involving children’s information. Currently, businesses are fined $2,500 for each violation and $7,500 for intentional violations under CCPA. Per the amended Section 1798.155 in CPRA, businesses would be fined $2,500 for each violation and $7,500 for intentional violations and for children’s data violations. Given that violations can potentially involve hundreds of thousands of records for medium-sized enterprises and millions of records for large companies, the fines can be staggering when multiplied.

5. Removal of Notice-and-Cure

Previously, under CCPA, businesses were allowed a thirty (30) day period to cure violations following notice by the California Attorney General’s office. CPRA has quietly removed this notice-and-cure provision through its changes to Section 1798.155. The notice-and-cure is often criticized as a “get-out-of-jail-free” card that prevents any real enforcement of CCPA outside of a consumer’s private right of action. If CPRA passes, the removal of this provision means that businesses will need to be more vigilant about getting privacy compliance and privacy implementation correct on the first try.

6. CPPA: New State Enforcement Agency

CPRA will allocate $10 million per year to a new state agency, the CPPA, to investigate and enforce against violations of consumer privacy laws, similar to European data protection authorities. Some portion of this cost will be offset by the proceeds of enforcement actions.

Currently, the California Office of the Attorney General (OAG) enforces the CCPA as part of the office’s functions for protecting consumer rights and prosecuting consumer crimes, amid a host of other duties.

The CPPA, as an agency dedicated solely to privacy regulation, would relieve much of the strain of enforcement previously placed on the OAG. If CPRA passes, expect to see more enforcement actions.

Likelihood of Prop 24 Passing

Prop 24 is divided in its support among reputable consumer and civil rights organizations, which can make it harder to gauge how likely Prop 24 is to pass. Democratic Presidential candidate Andrew Yang as well as the NAACP have come out in support of Prop 24. However, the ACLU has opposed Prop 24 in official election materials. Other organizations remain neutral, such as the Electronic Frontier Foundation, which has come out as neither endorsing nor opposing Prop 24.

According to recent polling conducted by Redfield & Wilton Strategies, 60% of respondents indicated that they would vote ‘Yes’ on Prop 24, with 17% opposing and 23% undecided. Even if Prop 24 fails to pass, businesses should not breathe a sigh of relief and assume that the trendlines are moving toward deregulation. In fact, the greatest opposition to CPRA is centered on the fact that the law is not protective enough of consumer privacy and has too many loopholes that cater to big tech companies collecting large amounts of data. The pattern is moving toward greater privacy regulation, and CPRA is an experiment in seeing how far the boundary can be pushed.