The CPRA, a ballot initiative that amends the California Consumer Privacy Act (CCPA) and includes additional privacy protections for consumers, passed in November 2020. The majority of the CPRA’s provisions will enter into force on January 1, 2023, with a lookback period of 12 months (i.e. the personal data collected in 2022 will be subject to the law in 2023).
Who is subject to the CPRA?
As of January 1, 2023, businesses that are for-profit and do business in California will be covered by the CPRA to the extent the company (1) had $25M in annual gross revenues as of January 1 in the preceding calendar year, or (2) buys, sells or shares the personal information of 100,000 California consumers or households, or (3) derives 50% or more of its revenues from selling or sharing personal information. “Sharing” is a defined term under the CPRA and means the sharing of personal information for cross-context behavioral advertising purposes.
Sunset of the CCPA’s Exception of Employee Data and B2B Data
When the CPRA comes into effect on January 1, 2023, the temporary and partial exceptions for employment and business-to-business personal information under the CCPA will expire.
The employment exception applied to personal information collected by a covered business about its job applicants, employees, controlling owners, directors, officers, medical staff members and independent contractors, and their beneficiaries and dependents, (collectively “Employee Information”). Under the CCPA’s exception for Employment Information, the business was only required to provide the employee with a shortened privacy notice and the CCPA provided the employee with a private right of action in the event of a data breach where the business failed to use reasonable security measures. Note that Employee Information can be defined broadly to include things like biometric data, network monitoring, video surveillance, photographs, and document metadata.
The business-to-business exception applied to personal information collected and used by the business about a consumer where the consumer is an employee of a third-party entity doing business with the business (it also applies to that third-party entity’s controlling owners, directors, officers, and contractors of the third-party entity) (“B2B Information”). Under the CCPA’s exception for B2B Information, businesses were only required to provide the consumer with an opportunity to opt-out of a sale (as defined under the CCPA) of their B2B Information.
Now, business will need to comply with the CPRA in its entirety in relation to both Employee Information and B2B Information, which includes:
- Providing consumers with privacy notices that meet the requirements of the CPRA;
- Providing consumer rights, such as the right to know, right to deletion, the right to correction, the right to opt-out of the sale of their information, and the right to limit the use of sensitive personal information.
Recent Enforcement Actions
California v. Sephora, Inc. - the well-known beauty supply company was hit with a $1.2 million penalty and a two-year monitoring period, among other penalties, after the CA Attorney General found that it: (1) failed to disclose that it sells data; (2) engaged in the unlawful sale of personal information, including by exchanging data with third parties for analytics information; (3) failed to post a “Do Not Sell My Personal Information” link on its website and homepage; and (4) failed to respond to or process consumer opt-outs.
Other enforcement actions have surrounded businesses’ (1) inadequate privacy policies, including one privacy policy whose hyperlinks did not direct consumers to the relevant section and (2) failures to properly handle consumer requests.
Take Action: If you believe your company is subject to the CPRA (see Section 1 above), you need to ensure that your company’s data privacy practices are compliant with the CPRA.
