Legal Alert: California Privacy Rights Act revises California Consumer Privacy Act for 2023
If you are a business owner without a storefront or office based in California, assuming this 2023 Act does not apply to you could result in regulatory inquiries and monetary penalties. In today’s national and global market, it is rare for all commercial activity to occur entirely outside of the most populous state in the country.
On July 1, 2020, enforcement of California’s privacy law, the California Consumer Privacy Act (“CCPA”) commenced. The CCPA put in place new rules governing how businesses handle the personal information of California residents, including, but not limited to, requiring that businesses: (1) post a conspicuous privacy notice describing their data collection and use practices; (2) respect California residents’ requests to opt-out of having their data sold; and (3) comply with certain requests from California residents regarding their data, such as informing California residents what data about them the business collects and deleting such data if no exception applies.
However, the citizens of California recently voted to enact the California Privacy Rights Act (“CPRA”) to modify the CCPA. Currently, the CPRA is slated to take effect on January 1, 2023, with enforcement beginning on July 1, 2023. With California representing almost 12% of the United States’ population and the CCPA/CPRA having wide reaching scope, many companies will find themselves subject to its requirements, even if they possess only limited connections to the state of California.
There are six significant changes to consider with the CPRA; some relax the law’s requirements while others strengthen them:
1. Reach of the Statute. The CPRA revises the CCPA’s scope. The revised law will apply to any for-profit entity that (1) collects or sells the personal information of California residents or (2) does business in California and, if it meets (1) or (2), also: (a) has a gross annual revenue in excess of $25 million; (b) alone or in combination buys, sells, or shares the personal information of 100,000 or more California consumers (increased from 50,000); or (c) derives 50% or more of its annual revenue from selling or sharing California consumers’ personal information (“or sharing” language added). Companies that believe they might fall under the (b) prong should carefully calculate how many California consumers they collect data from to see if they are exempt. Companies that share large amounts of data without an explicit sale should consider whether they fall under the (c) prong.
2. Sensitive Personal Information. The CPRA adds specificity to the definition of “Sensitive Personal Information” (or “SPI”), which now includes a consumer’s: social security number (or similar state ID number); log-in account credentials; precise geolocation; race or ethnicity, religious or philosophical beliefs, or union membership; correspondence contents; and genetic or biometric information. Entities subject to the CPRA should strongly consider reviewing the information they gather to determine if any falls under the expanded SPI definition, and should note that they are required to specifically disclose when they gather SPI.
3. Restrictions on Sensitive Personal Information. Along with the updated definition of SPI, the CPRA (1) allows consumers to direct businesses to use SPI only for the purpose necessary to provide the consumer with the goods or services requested from the business; (2) requires businesses to inform consumers of how long the business intends to retain the SPI; and (3) requires a business’s service providers to cooperate and assist businesses with responding to consumer requests. Businesses with SPI should review and update contracts with service providers to ensure compliance with the new requirements, review data retention policies related to SPI, and develop opt-out mechanisms to comply with the CPRA’s requirements.
4. Public Information. While the definition of SPI has increased obligations, the CPRA also redefines “Public Information” to be information that the business (1) reasonably believes is lawfully available to the general public, (2) is from widely distributed media, or (3) is made available to the business by a third party who is not restricted from sharing the information. Public Information is not considered personal information, and thus any data a business derives from public sources, or lawfully believes is available to the general public, is not subject to the obligations of the CCPA, such as the right to disclosure or deletion.
5. Employee Data Moratorium. The CPRA extended the CCPA’s existing moratorium on enforcement of the CCPA with regards to employee information to January 1, 2023. Unfortunately, this still leaves a gray area for employee data’s ultimate fate under the CCPA and CPRA, and the California legislature has not yet acted to resolve this issue.
6. California Privacy Protection Agency. The CPRA establishes the California Privacy Protection Agency, which will be empowered to enforce the CCPA and CPRA. The agency will have subpoena and audit powers, and will be further able to levy administrative fines of up to $2,500 per violation or up to $7,500 for intentional violations or violations involving minors.
Going forward, companies doing business in California that handle sensitive personal information will need to ensure that their existing consumer request mechanisms are capable of handling requests related to sensitive personal information. In addition, while the employee data moratorium has been extended, it is not a permanent solution, and companies should prepare for the CCPA’s employee data requirements to go into effect if more permanent legislation is not enacted.
For questions or more information about this Client Alert, please contact your KTC attorney directly, 206-223-1313.