New Consumer Rights under the California Privacy Rights Act 2020
On November 3, 2020, California voters approved Proposition 24, the California Privacy Rights Act of 2020 (CPRA).
Under the California Consumer Privacy Act, still in effect until 2023, California consumers have a right to request that businesses disclose what personal information they have about consumers and what they do with that information, to delete their personal information, and not to sell their personal information. Consumers also have a right to be notified of the types of personal information that businesses are collecting about them and what they may do with that information. Furthermore, businesses cannot discriminate against consumers for exercising their rights under the law.
The CPRA will modify the existing rights under the CCPA and grant new rights to consumers. Most significantly, the CPRA will permit consumers to prevent businesses from “sharing” personal information for cross-context behavioral advertising; correct inaccurate personal information; limit businesses’ use of “sensitive personal information”; and obtain access and opt-out rights with respect to businesses’ use of automated decision-making, including profiling.
Right to Prevent Businesses from Sharing Personal Information for Cross-Context Advertising
The CCPA allows consumers to opt out of the sale of their personal information. Under the CCPA, a “sale” is defined to include “selling, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating . . . a consumer’s personal information by the business to another business or a third party for monetary or other valuable consideration.” Even though this definition is very broad, the extent of its application to ad tech has been unclear. For example, some businesses take the position that enabling third-party cookies – which allow for cross-site tracking and behavioral advertising – to collect personal information about their website visitors does not constitute a “sale” within the scope of the CCPA.
The CPRA seeks to address this issue by allowing consumers to opt out of the “sharing” of their personal information, which it defines as “sharing, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating . . . by the business to a third party for cross-context behavioral advertising, whether or not for monetary or other valuable consideration . . .” “Cross-context behavioral advertising,” in turn, is defined as “the targeting of advertising to a consumer based on the consumer’s personal information obtained from the consumer activity across businesses, distinctly branded websites, applications, or services, other than the business, distinctly branded website, application, or service with which the consumer intentionally interacts.” Thus, businesses subject to the CPRA will have to offer consumers the right to opt out of any third-party ad tech cookie collection that takes place on their website or app.
Right to Correct Inaccurate Information
The CPRA allows consumers to request that businesses maintaining inaccurate personal information about them correct that information. Businesses that receive a verified request to correct inaccurate personal information will be required to use commercially reasonable efforts to comply with the request. These requirements will be subject to future regulations governing, among other things, requests for correction of health information, exceptions for requests to which a response is impossible and would involve disproportionate effort, requests to correct accurate information, and resolution of concerns regarding accuracy.
Right to Limit Business’s Use of “Sensitive Personal Information”
The CPRA introduces a new category of “sensitive personal information” and imposes new obligations on companies processing that data.
“Sensitive personal information” is defined as personal information that reveals (a) a consumer’s Social Security or other state identification number; (b) a consumer’s account log-in, financial account, debit card, or credit card number in combination with any required security or access code, password, or credentials allowing access to an account; (c) a consumer’s geolocation; (d) a consumer’s racial or ethnic origin, religious or philosophical beliefs, or union membership; (e) the contents of a consumer’s mail, email, or text messages, unless the business is the intended recipient of the communication; and (f) a consumer’s genetic data. In addition, “sensitive personal information” includes the processing of biometric information for purposes of identifying a consumer, personal information collected and analyzed concerning a consumer’s health, and personal information collected and analyzed concerning a consumer’s sex life or sexual orientation.
Notably, with the exception of political opinions, “sensitive personal information” under the CPRA includes and expands upon the “special categories of personal data” listed in the GDPR. Under the GDPR, however, the processing of special categories is prohibited by default and the burden is on controllers to show that processing is permitted by virtue of one of the enumerated exceptions, including express consent. In contrast, under the CPRA, the burden falls on the consumers to limit the processing to certain activities.
With respect to sensitive personal information, businesses would be required to disclose the categories of information collected by them, the purposes for which information is collected, and whether such information is sold or shared for cross-context advertising. Furthermore, businesses would be prohibited from collecting or using sensitive personal information for additional purposes incompatible with the disclosed purposes without notifying the consumers.
Consumers, in turn, will have a right to limit use and disclosure of sensitive personal information to certain enumerated “business purposes,” such as helping to ensure data security and integrity, non-personalized advertising, performing services on behalf of the business, or undertaking activities to verify and maintain or enhance the service or device owned or controlled by the business. Service providers and contractors will similarly be required to limit the use of sensitive personal information to the “business purposes” which they help perform for the businesses.
The CPRA further prescribes several methods by which businesses would be required to enable consumers to limit the use and disclosure of sensitive personal information:
- by providing a link on their homepage titled “Limit the Use of My Sensitive Personal Information”;
- by utilizing a single link which would easily allow consumers to limit the use of their sensitive personal information and to opt out of the sale and sharing of their personal information; or
- by complying with the automatic opt-out preference signal.
Access and Opt-Out Rights with Respect to Businesses’ Use of Automated Decision-Making
The CPRA obligates the Attorney General (and later the California Privacy Protection Agency) to develop regulations governing access and opt-out rights with respect to businesses’ use of automated decision-making technology, including profiling. “Profiling” is defined as any form of automated processing of personal information to evaluate certain personal aspects relating to a natural person, and in particular to analyze or predict aspects concerning that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behavior, location or movements. In response to access requests, businesses would be required to provide meaningful information about the logic involved in the automatic decision-making process, as well as a description of the likely outcome of the process regarding the consumer.
The California Privacy Rights Act 2020 introduces new consumer rights on par with the rights provided by the European Union’s General Data Protection Regulation. With the approval of the CPRA, covered businesses need to promptly start reviewing their privacy and data management systems, programs, and practices to assess their compatibility with the Act’s legal requirements and to map out a path to compliance with the new consumer rights. Furthermore, even though businesses will have more than two years to prepare for their new obligations under the CPRA, they still have to comply with the existing CCPA requirements in the interim period.