California Ballot Initiative Expands Data Privacy Obligations
Though it may not have been the biggest news of the election so far, California voters approved Proposition 24 on Tuesday, November 3, 2020. Proposition 24 adopts the California Privacy Rights Act of 2020 (CPRA), which modifies and expands privacy protections under the California Consumer Privacy Act (CCPA). Businesses which previously determined that their operations complied with CCPA may need to revisit their analyses based on the changes imposed by CPRA.
Restrictions on Data Users
- One of the major changes CRPA implements is the concept of “sharing” data. Under CCPA, businesses were required to allow consumers to opt out of the “sale” of their data. Although very broadly defined, a “sale” required that the company receive some consideration or value for the transfer of data. Under CRPA, however, the opt-out requirement applies to any selling or sharing of data. [Emphasis added] Sharing data includes the transmission of collected data to service providers of the company.
- Additionally, the opt-out requirement (for both selling and sharing data) is expanded to include a consumer’s right to opt out of “cross context advertising.” Cross context advertising is any marketing to a consumer which is (i) based on the consumer’s prior activity and (ii) across multiple businesses, services, or brands. This additional restriction is likely to have a significant impact on companies that engage in targeted advertising.
Restrictions on Service Providers
CCPA contained requirements for data sharing with service providers. CPRA expands the requirements, as well as adding a parallel definition for “contractors” also subject to the requirements. Under CPRA, data users must enter into substantive contracts with service providers and contractors ensuring that those entities will comply with the requirements of CPRA. Direct requirements applicable to service providers and contractors include:
- Data siloing: Contractors and service providers must segregate collected data by source (e.g., they cannot combine data obtained from multiple clients).
- Cross context advertising: Contractors and service providers are not permitted to engage in cross context advertising, as defined above.
- Subcontractors: Where data is further shared with a downstream vendor, the contract requirement described above also applies to the contractor or service provider.
In addition to the restrictions on data use, CPRA also gives consumers additional affirmative rights with respect to the use and disclosure of data pertaining to them. Under CPRA:
- Automated decisions: Consumers have an opt-out right with respect to mechanical or automated decision making based upon collected data, for example, the use of location data to provide appropriate advertising. In addition to being given the right to opt out of such use, consumers are permitted to obtain information regarding the manner in which such decisions are made.
- Sensitive personal information: Consumers have the (limited) right to request additional restrictions on the use and disclosure of data about them which is considered “sensitive,” including health and economic data, as well as precise locations.
- Right to correct: Consumers have the right to correct erroneous data collected or maintained about them.
- Data portability: Consumers can request that their data be transmitted in a standard, non-proprietary format.
CPRA makes a number of other modifications and refinements to the rules already in effect for CCPA, including the establishment of an entirely new regulatory agency to enforce compliance. The additional requirements of CPRA are scheduled to go into effect as of January 1, 2023.