On November 3, 2020, California voters approved California Proposition 24, also known as the California Privacy Rights Act of 2020, or CPRA. The CPRA expands protections afforded to personal information, building off of the California Consumer Privacy Act (CCPA), which took effect in January of this year. While some of the CPRA changes will take effect immediately, most will not become enforceable until July 1, 2023, and apply only to personal information collected after January 1, 2022.
Key Changes to CA Privacy Law
At 54 pages long, the CPRA makes numerous changes to the CCPA, ranging from minor revisions to the introduction of new concepts and the creation of several new consumer rights. Some of the most impactful changes are discussed below. A series of future client alerts will explore the nuances of these changes in greater detail.
Sensitive Personal Data
The CPRA establishes new rules for a category of “sensitive personal information,” which includes, for example, genetic data and religious or philosophical beliefs, and is defined as personal information that reveals:
- a consumer’s social security, driver’s license, state identification card, or passport number;
- a consumer’s account log-in, financial account, debit card, or credit card number in combination with any required security or access code, password, or credentials allowing access to an account;
- a consumer’s precise geolocation;
- a consumer’s racial or ethnic origin, religious or philosophical beliefs, or union membership;
- the contents of a consumer’s mail, email and text messages, unless the business is the intended recipient of the communication; and
- a consumer’s genetic data; and
- the processing of biometric information for the purpose of uniquely identifying a consumer;
- personal information collected and analyzed concerning a consumer’s health; or
- personal information collected and analyzed concerning a consumer’s sex life or sexual orientation.
This definition is among the most impactful changes in the CPRA, given the breadth of data that it sweeps in, along with the creation of new disclosure and opt-out rights associated with “sensitive personal information.” These changes will likely require covered businesses to dive into their data, map it, and ensure they are compliant.
In addition, the CPRA creates a right for consumers to “limit use and disclosure of sensitive personal information.” Similar to existing CCPA opt-out rights, beginning in 2023, consumers may direct businesses that collect sensitive personal information to limit its use to that “which is necessary to perform the services or provide the goods reasonably expected by an average consumer” or to perform a small subset of specifically identified exempt services. Significantly, exemptions to the opt-out will include short-term, transient advertising, and “performing services on behalf of the business,” but not general advertising and marketing, nor long-term profiling or behavioral marketing technologies.
Continue Reading CCPA 2.0? California Adopts Sweeping New Data Privacy Protections