California Privacy Rights Act – California’s New Privacy Act on the Move
July 21, 2020
Just a few days before the California Consumer Privacy Act (the “CCPA”) became enforceable on July 1, 2020, a new act, the California Privacy Rights Act (“CPRA”), gathered enough signatures to be placed on the California ballot in November. If adopted, it will impose even stricter requirements on businesses to protect consumer privacy. Here are some major provisions worth noting:
- Effective time. If the CPRA is adopted, which a recent poll suggests is very likely, it would become operative on January 1, 2023, and a majority of its provisions would apply to personal information collected from January 1, 2022.
- New protections for “sensitive personal information.” The CPRA proposes to adopt a broad definition of “sensitive data”, including government identifiers, financial account information, precise geolocation, racial or ethnic origin, religious beliefs, contents of certain types of messages, and genetic, biometric, health and certain personal information. It intends to provide consumers a right to limit the use, sharing, and sale of such information by businesses to authorized purposes only.
- Expanded data breach liability. While the CCPA grants consumers a private right of action for breaches of nonencrypted, nonredacted personal information where the business failed to maintain reasonable security, the CPRA extends that right to cover unauthorized access to or disclosure of an email address in combination with a password or security question and answer that would permit access to the account.
- Additional audits and risk assessments. For businesses whose data processing presents significant risks to consumers’ privacy or data security, an annual cybersecurity audit and a regular risk assessment would be required.
- Restrictions on automated decision-making technology. Consumers would have access and opt-out rights with respect to businesses’ use of automated decision-making technology, including profiling.
- Data retention limitations. The CPRA would require a business to inform consumers of the length of time it intends to retain each category of personal information, and would forbid the business from retaining such personal information for longer than is reasonably necessary for the disclosed purpose.