Section by Section Summary of the CPRA

Cybersecurity
Written By Tom Kemp

As another example of the great content found in the California Privacy Rights Act (CPRA) Resource Center that I contributed to, below is a reproduced article from the CPRA Resource Center that provides a section-by-section summary of the CPRA. Check out the full CPRA Resource Center for more great content on the CPRA, including the full text of the CPRA with over 175 annotations as well as a comparison of the text of the CPRA compared to the CCPA.

 
 

Section 1: Title: The California Privacy Rights Act of 2020

Section 2: Findings and Declarations

Preamble emphasizes California Constitution’s right to privacy.  Intent of law is to prevent the Legislature from weakening privacy protections while allowing the Legislature to strengthen them over time.  Discussion of state interest in protecting consumers, who are realistically unable to manage all their privacy settings to protect themselves, when many businesses are actively trying to make this difficult.

Section 3: Purpose and Intent

  1. Consumer Rights

  2. Responsibilities of Businesses

  3. Implementation of the Law

Section 3 is the heart of the law in terms of protecting it from being weakened in the future.  Section A establishes that consumers have a right to control and protect their personal information, and that their authorized agents should be able to help them to do so.  Section B references philosophical limitations on business’ collection and use of consumer information.  Section C establishes the “one-way ratchet” which allows the Legislature to strengthen privacy over time and prohibits the Legislature from passing any amendments to CPRA which weaken consumer privacy in California.

Section 4: General Duties of Businesses that Collect Personal Information

First principles of privacy: purpose limitation, storage limitation, data minimization, requirements for a chain of custody when personal information is sold or shared, requirement for reasonable security.

Section 5: Consumers’ Right to Delete Personal Information

Consumers have a right to delete their information (except in limited circumstances where businesses need to keep the information to complete a transaction, ensure security, exercise free speech etc.).

Section 6: Consumers’ Right to Correct Inaccurate Personal Information

Consumers have a right to correct their inaccurate information held by businesses.

Section 7: Consumers’ Right to Know What Personal Information is Being Collected. Right to Access Personal Information

Consumers have a right to see what personal information businesses have collected about them, where it came from, why the business is selling it, where it is being disclosed.

Section 8:  Consumers’ Right to Know What Personal Information is Sold or Shared and to Whom

Consumers have a right to know what personal information of theirs is being sold or shared, and with whom.  3rd parties may not resell or re-share personal information unless the consumer has received notice and has the right to opt out. 

Section 9: Consumers’ Right to Opt Out of Sale or Sharing of Personal Information

Consumers have the right to opt out of the sale of their information, also to opt out of its sharing for advertising.  Guardians of children under 13, and consumers from 13 to 16, must opt in to the sale of their information.

Section 10: Consumers’ Right to Limit Use and Disclosure of Sensitive Personal Information

Consumers can drastically limit the use and disclosure of their sensitive personal information, including race, religion, sexual orientation, health, precise geolocation, etc.  The only exception is when a business delivers a product to a consumer which the consumer him/herself requested, and when the information would be used in a way reasonably expected by an average consumer.

Section 11: Consumers’ Right of No Retaliation Following Opt Out or Exercise of Other Rights

Businesses may change service levels, offer financial incentives, or charge an opted-out consumer more, but there are strict limitations on such difference in service levels: the change or price difference must be reasonably related to the value provided to the business by the consumer’s data.  Prevents businesses from imposing extreme financial or operational hurdles on a consumer who wants to prohibit the sale of their information. 

Section 12: Notice, Disclosure, Correction, and Deletion Requirements

Specific details/provisions with respect to these rights.

Section 13: Methods of Limiting Sale, Sharing, and Use of Personal Information and Use of Sensitive Personal Information

Businesses that sell or share information must provide a “Do Not Sell or Share my Personal Information” button.  All businesses must respond to a Do Not Sell (aka “opt out”) signal (whose specifications will be developed by the new California Privacy Protection Agency).  If a business responds to the opt out signal by agreeing not to charge the consumer, not to limit the functionality of the website, and not to degrade their service in response to the signal being received, then (and only then) the business can avoid posting a Do Not Sell button.  In other words, a business may avoid the requirement to post a “Do Not Sell” button (i.e., this is the carrot), if the business agrees not to avail itself of the steps set forth in Section 1798.125 allowing it to change the service experience for an opted out consumer (and this is the stick).

Section 14: Definitions

Defined terms.

Section 15: Exemptions

Exemptions from the law.

Section 16: Personal Information Security Breaches

Permits private right of action in the event of negligent data breach, i.e. if a business has not redacted or encrypted consumers’ personal information and suffers a data breach.

Section 17: Administrative Enforcement

Provides for penalties of $2,500 per violation and up to $7,500 per intentional violation.  Allows for enforcement of the law by the California Privacy Protection Agency, by the Attorney General, and by any District Attorney in any county in California, as well as the City Attorneys in the 4 largest cities in the state (by repealing language in CCPA that gave the Attorney General exclusive authority).

Section 18: Consumer Privacy Fund

Funds from fines go first to offset costs of enforcement, then 91% to a “lockbox” fund managed by the State Treasurer, whose interest is available to the state’s general fund.  9% of proceeds shall be made available for grants in California to nonprofits associated with privacy/data breaches.

Section 19: Conflicting Provisions

The law applies to all businesses doing business in California, not simply businesses that collect information electronically, or over the Internet.  This law should be harmonized with other consumer privacy laws, and whichever offers consumers the most protection, should control.

Section 20: Preemption

This state law preempts local laws.

Section 21: Regulations

California Privacy Protection Agency is given rule-making authority “as necessary to further the purposes of this title.”  Specific directions include:

  • Regulations must ensure that consumers have the ability to exercise their choices “without undue burden.”  Prevents businesses from “engaging in deceptive or harassing conduct, including in retaliation against consumers for exercising their rights.”

  • Annual cybersecurity audit and regular risk assessments

  • Regulations to give consumers opportunity to object to automated decision-making including profiling

  • Defining scope of opt-out signal

  • Defining specification to indicate a consumer is a child.

Section 22: Anti-Avoidance

Avoidance actions taken in series to try to avoid the scope of this act shall be disregarded for the purpose of enforcing the Act.

Section 23: Waiver

No contract may waive or limit a consumer’s rights under this title.

Section 24: Establishment of California Privacy Protection Agency

New state agency is established with guaranteed minimum funding of (2021-22) $10 million per year indexed to CPI.  Will allow for hiring ~ 50 privacy professionals, (25% more than the FTC has for the entire country). 

  • 5-person board appointed by Governor, Attorney General, Senate Rules Committee, and Assembly Speaker

  • Rule-making authority beginning in 2021, enforcement authority beginning in 2023

  • Agency enforces via Administrative Procedure Act-governed hearings

Section 25: Amendment

No amendments are permitted unless they further the purpose and intent of the act (section 3).  I.E., a one-way ratchet: the law can be amended to become more privacy protective, but not less.

Section 26: Severability

The Act is severable.

Section 27: Conflicting Initiatives

N/A, no other privacy-related measure was placed on the ballot in 2020.

Section 28: Standing

Other agencies can defend the constitutionality of the law in court.

Section 29: Construction

The act shall be construed liberally.

Section 30: Savings Clause

The act is not intended to preempt federal law or the California Constitution.

Section 31: Effective and Operative Dates

  • March 16 deadline for naming 5 California Privacy Protection Agency board members

  • Agency begins rule-making later of 7/1/21, or 6 months after agency provides notice to the AG that it is prepared to begin rulemaking.

  • 7/1/22 Final CPRA Regs adopted.

  • 1/1/23 CPRA goes into effect

  • 7/1/23 civil and administrative enforcement of CPRA begins.

Tom Kemp
Previous

Enhancing and Aligning the California Data Broker Registry Law with the CPRA
Next

CPRA Timeline