CCPA 2.0: What’s New in the Revised CPRA Proposal

December 10, 2019Alerts

Alastair Mactaggart, the proponent of the "CCPA 2.0" ballot initiative in California, has submitted to the Office of the Attorney General a revised version of the proposed "California Privacy Rights Act" (CPRA) that he hopes to place before voters on the November 2020 general election ballot. 

Key changes include:

Transparency

  • "In the same way that ingredient labels on foods help consumers shop more effectively, disclosure around data management practices will help consumers become more informed counterparties in the data economy, and promote competition."
  • Businesses required to disclose how long they retain data, or their criteria to determine retention time.

Scope

  • Employee and business-to-business communications exemptions to be extended until January 1, 2023.
  • Requirements for information used for political purposes deleted.
  • Revised provisions re: "sensitive information" and the requirement to post a link saying "Limit the use of my Sensitive Information" on websites.
  • Ability to opt out of the sale or sharing of their personal information and to limit the use of their sensitive personal information through an opt-out preference signal sent with the consumer's consent by a platform, technology or mechanism.
  • Right of access changed back to apply to only 12 months with some exceptions, with extended right of access only kicking in for information collected after January 1, 2022.
  • Scope threshold regarding collecting the information of consumers, households or devices changed from 50,000 to 200,000.
  • Trade secrets should not be disclosed as part of a response to a verified consumer request.
  • Requires issuance of regulations to clarify topics including: business purpose, requirements for cybersecurity audit for particularly risky processing; access and opt out rights for automated decision making and profiling; and opt out by technical preferences.
  • Enforcement of new CPRA provisions delayed to January 1, 2023 and only for violations occurring after such date.

AdTech

  • Using personal information to target individuals with ads that follow them as they browse the internet from one website to another is explicitly described as a "sale."
  • Introduces concept of "non personalized ads."
  • Businesses allowed to continue to provide "first party" behaviorally targeted ads, including through service provider or contractor, which are limited to the consumer’s direct relationship with only that business.
  • Service providers and contractors must silo data they learn about the consumer in the course of assisting the business with advertising and marketing from other data they obtain about the consumer from other sources.
  • Providing advertising or marketing services is a business purpose but this does not include "Cross-Context Behavioral Advertising," a newly defined term to describe ads targeted to consumers based on a profile or predictions about the consumer related to the consumer’s activity over time and across multiple businesses or distinctly-branded services, websites or applications.
  • Introduce concept of "dark pattern" defined as a user interface designed or manipulated with the substantial effect of subverting or impairing user autonomy, decision-making or choice, as further defined by regulation.

Service Providers

  • Service provider or contractor not required to comply with a verifiable consumer request received directly from a consumer or a consumer's authorized agent.
  • Service providers required to downstream deletion requests to own service providers unless it requires disproportionate effort.
  • "Business purpose" includes the service provider or contractor's operational purposes, as defined by regulations adopted pursuant to the law.
  • More prescriptive provisions regarding what agreements with contractors should contain.

More GDPR Terms

  • Revised purpose limitation: collect and retain only what you need to achieve the disclosed purpose or a purpose compatible with it.
  • New definition of consent defined as any freely given, specific, informed and unambiguous indication of the consumer's wishes by which he or she, or his or her legal guardian, by a person who has power of attorney or is acting as a conservator for the consumer, such as by a statement or by a clear affirmative action, signifies agreement to the processing of personal information relating to him or her for a narrowly defined particular purpose. Acceptance of a general or broad terms of use or similar document that contains descriptions of personal information processing along with other, unrelated information, does not constitute consent. Hovering over, muting, pausing, or closing a given piece of content does not constitute consent. Likewise, agreement obtained through use of dark patterns does not constitute consent.

Odia Kagan is a partner at Fox Rothschild LLP and chair of the firm’s California Consumer Privacy Act practice. For assistance with the full range of CCPA compliance issues, contact Odia at [email protected] or 215.444.7313.