California Privacy Rights Act: New Criteria for Which Businesses Must Comply with the Law
On November 3, 2020, California voters approved Proposition 24, the California Privacy Rights Act of 2020 (CPRA). The CPRA, which will become operative on January 1, 2023, will incorporate and significantly amend the California Consumer Privacy Act and expand privacy rights of California consumers as well as compliance obligations of covered businesses and their processors on par with the European Union’s GDPR. Furthermore, the CPRA will effectively set the floor for the privacy law in California as the Act, per its provisions, could only be amended consistent with and to further its purpose and intent to “protect consumers’ rights, including the constitutional right of privacy.”
The CPRA also introduces new criteria for which businesses must comply with the law. The CCPA, the currently operative law, applies to businesses that do business in California and either (i) have gross annual revenue of $25 million or more; (ii) annually buy, receive, sell, or share for commercial purposes the personal information of 50,000 or more California consumers, households, or devices; or (iii) derive 50% or more of their annual revenue from selling consumers’ personal information.
The CPRA changes the second applicability threshold to businesses that annually buy, sell, or share the personal information of 100,000 or more consumers or households. This change is significant not only because it doubles the threshold number of consumers and households but also because it no longer counts personal information that businesses merely receive, nor personal information that businesses buy, receive, sell, or share from devices.
Under the CCPA, having 50,000 Californians visit a business’s website alone would likely satisfy the Act’s threshold requirement, as visitors’ IP addresses and interactions with the website count as personal information. Furthermore, the CCPA defines “device” to include any physical object that is capable of connecting to the internet, directly or indirectly, or to another device. When businesses collect personal information associated with the vast array of devices falling within that definition, those devices also count toward the CCPA threshold. As a result, the CCPA – which was intended to apply to larger enterprises – has swept within its scope smaller online businesses with only limited resources to comply with the law.
Notably, the original CCPA ballot initiative contained higher thresholds and was intended to apply to companies that have annual revenue of over $50 million or annually sell the personal information of 100,000 or more consumers. The legislature, however, eventually reduced the applicability threshold. The CPRA seeks to restore the balance by targeting larger companies with the amended applicability requirements.
The CPRA also adds a new “business” category for California companies that do not otherwise fall within the scope of the CPRA but voluntarily certify to the future California Privacy Protection Agency that they are in compliance with and agree to be bound by the Act. This self-certification option could allow smaller businesses to use their privacy compliance as a competitive differentiator in the marketplace.
Until the operative provisions of the CPRA come into effect on January 1, 2023, the CCPA applicability requirements remain in force. Accordingly, smaller businesses that fall within the current scope of the law would technically be obligated to comply with its requirements for the next two years.
Ask Clarip today how we can solve your biggest privacy compliance pain points. Call Clarip at 1-888-252-5653.