In the Spirit of Thanksgiving: CCPA 2.0 With a Large Helping of Added Rights

November 8, 2019Articles New Jersey Law Journal

Recall the California Consumer Privacy Act (CCPA) hastily passed to beat the privacy ballot initiative that received more than 600,000 signatures from Californians? The ballot was withdrawn at the last moment as a compromise for a California privacy bill, with noticeably less teeth, but still very much privacy-focused.

As companies prepare for the CCPA, Alastair Mactaggart, who successfully submitted the earlier initiative that resulted in the present day CCPA, warns of a new ballot initiative on the horizon— the California Privacy Rights and Enforcement Act of 2020 (CPREA). The CPREA, dubbed “CCPA 2.0,” could be the most critical amendment expanding consumer rights and demonstrating that the CCPA was only a humble beginning of privacy initiatives to come.

The CPREA includes many notable changes to the CCPA, including:

  • Right to correct. The CPREA gives consumers the right to require a business to correct inaccurate personal information upon a verifiable request. Businesses must correct inaccurate information within 45 days and would need to amend their Privacy Policy and notices to reflect this new right.
  • Right to request personal information beyond a 12-month period. A consumer may request that a business delete personal information or disclose to the consumer the categories of information a business collects and shares beyond CCPA’s 12-month period, unless the request involves a disproportionate amount of information or is unduly burdensome. This right, however, shall only apply to personal information collected after the effective date of the CPREA and would not require a business to maintain personal information for any length of time.
  • The definition of “business” is amended. The CPREA would define a business as one annually buying or selling personal information of 100,000 consumers or households, unlike the CCPA’s current requirement of 500,000 or more consumers, devices or households.
  • “Sensitive Personal Information.” The newly defined term, Sensitive Personal Information, includes a consumer’s Social Security Number, driver’s license, passport number, log in information, financial information, geolocation, and personal information revealing one’s race, health and biometric information. The CPREA mandates an opt-in requirement prior to selling a consumer’s Sensitive Personal Information.
  • Greater control over third parties. The CPREA would require a business to include in its contracts with third parties, service providers and contractors: (1) that personal information sold or disclosed be for a limited and specified purpose; (2) the third party, service provider, and contractor provide at least the same level of privacy protection required under the CCPA; and (3) permits the business to take reasonable steps to remediate unauthorized use of personal information.
  • Third-party obligations of notice at or before the point of collection.Third parties that do not have a direct relationship with consumers but control the collection of personal information of a consumer must, at or before the point of collection, provide notice of categories of personal information collected and the purposes for which it is used, and whether such information is sold, in a clear and conspicuous manner.
  • Financial incentive must be directly related to the value provided to the business. Under the financial incentive, the value a business offers a consumer who decides not to exercise his or her rights under the CCPA must be directly related to the value provided to the business by the consumer’s data, instead of only reasonably related to the value provided to the consumer, as currently read in the CCPA.
  • Disclosure of profiling. The CPREA requires a business to inform consumers whether the business uses consumers’ personal information for profiling, and if so, whether it is reasonably expected to have a significant adverse effect on consumers with respect to: (1) financial lending and loans; (2) insurance; (3) health care services; (4) housing; (5) education admissions; or (6) denial of employment.

If the decision could reasonably expect to lead to an adverse effect, the business must provide meaningful information about the logic involved in using the personal information for profiling. The CPREA defines “adverse” to mean a denial, cancellation, increase in charge, reduction in benefit, or other adverse or unfavorable change. Profiling specifically includes using automated processing.

  • “Advertising and marketing.” A business that uses sensitive personal information for advertising and marketing must disclose its practice to consumers. Under the CPREA, a consumer would have the right to direct a business not to sell his or her sensitive personal information for advertising and marketing. Service providers and third parties must similarly silo the opted-out information from other information used for advertising and marketing. The CPREA defines advertising and marketing as a communication by a business, or one acting on behalf of the business, to induce a consumer to buy, rent, lease, use or exchange products, goods, property, information, services or employment.
  • Employee data is permanently excluded. The CPREA would permanently extend AB 25, which excludes from the CCPA information collected about a person by a business while the person is acting as an applicant, employee, owner or contractor, to the extent the information was collected and used solely in the employment context. It would also permanently exclude emergency contact information and information collected and maintained for the business to administer benefits.
  • Increased restrictions and higher fines concerning children. The CPREA restricts the collection of information from consumers who are 13 to 15 years of age and the guardians of consumers under 13 years of age without consent, rather than the CCPA’s current restriction on the sale of information.  The CPREA triples damages for violations to the provisions concerning minor consumers.
  • Data minimization. The CPREA mandates data minimization in that a business must only collect as much data as is required to accomplish the purpose for which it was collected, used and shared.
  • The California Privacy Protection Agency. As it currently stands, the attorney general has enforcement over the CCPA. The CPREA would create the California Privacy Protection Agency, empowered to enforce the CCPA and have rule-making responsibility but may not supplant the Attorney General’s authority. In addition, businesses will have to comply with certain reporting requirements to the Agency.

The California Privacy Protection Agency is similar to the European Union’s Data Protection Authority charged to handle complaints, investigate, and employ corrective measures concerning violations to the General Data Protection Regulation.

How should businesses prepare for CCPA 2.0?
Err on the side of knowledge. The CPREA was proposed for the 2020 ballot and is a year away. Many would agree the CCPA has weakened from its original inception. All leads point to Mactaggart refusing to compromise with the CPREA, as he did with his earlier ballot initiative, which he ultimately bartered for the present day CCPA. Given Mactaggart’s ability to obtain the necessary signatures and the recent public yearning for greater control and more access over their personal information, companies should be aware of the CPREA’s scope now, and think critically how these changes would a ect the business organization, in case the CPREA is here to stay.

Reprinted with permission from the November 8, 2019 issue of the New Jersey Law Journal. (c) 2019 ALM Media Properties, LLC. Further duplication without permission is prohibited. All rights reserved.