CCPA, CPRA, and CPPA: What You Need to Know
In a widely attended webinar CCPA, CPRA, and CPPA: What You Need to Know, WireWheel Chief Privacy Officer Rick Buck discusses practical insights into the CPRA and how CPRA’s (still evolving) requirements will impact your business from consent management, opt-outs, GPC and PIAs to employee data, Notice requirements and website real estate.
Rulemaking and Regulations
Draft regulations for the CPRA were issued in July of 2022 and public hearings concluded August 25, but there is still some open commentary and debate, and as such, the regulations are not wholly conclusive.
Notably, the CPPA has not yet addressed in full detail the rules on cybersecurity auditing, risk assessments, or issues concerning automated decision-making technologies and uses.
The CPRA amendment to the CCPA enhances Californians’ privacy rights and created the California Privacy Protection Agency (CPPA), which will be responsible for enforcement; contemplates consent in specific use cases; and requires more transparency both in notices and at the point of collection.
Perhaps one of the most impactful provisions of the CPRA on businesses is the requirement to perform “regular” privacy impact assessments (PIAs):
The CPRA directs the Agency to issue regulations requiring businesses “whose processing of consumers’ personal information presents significant risk to consumers’ privacy or security” to 1) perform annual cybersecurity audits; and 2) submit to the Agency regular risk assessments regarding their processing of personal information.
—California Privacy Protection Agency (Call for comments, 2021)
As tempting as it may be, framing existing state laws, including California, as “GDPR light” would be a misstatement. But it can be helpful to use GDPR as a basis of comparison when thinking about the CPRA regulatory framework.
For example, borrowing from the GDPR, California has addressed the concepts of data minimization and data appropriateness: collection and data use that is “reasonably necessary and proportionate” for the processing activities for which you are going to use it.
These concepts appear in the regulations as:
- Consent in specific use case requirements
- Notice and what proper notice entails
- PIA requirements for risky data processing activities by your company and your service providers, and that those third parties should be obligated under contract to be compliant with the law.
Who needs to comply?
The CPRA applies to any business that processes the personal information of consumers in California, among other criteria.
Personal information, however, has a fairly broad definition. It contains all the usual suspects:
- Home address
- Email address
- Date of birth
- Passport or social security number
- Biometric data
- Geolocation and other location data
- Records of products purchased
- Internet browsing history
- Digital fingerprints, and
- Inferences from other data that can be used to create preference and characteristics profiles
Moreover, the inclusion of “inferences” significantly complicates the definition of personal data itself.
Personal information is really complicated, because if it can be used in any way to be linked up with other data to re-identify an individual, it is considered personal information.
—Rick Buck, WireWheel CPO
The CCPA is enforced by the California Office of the Attorney General while the CPRA will be enforced by the new California Privacy Protection Agency (CPPA) with full investigative, enforcement, and rulemaking authority.
One interesting difference between the CPRA and the CCPA concerns the 30-day cure period. Under the CPRA if you are approached by the agency for a violation, you will have 30 days to remedy that violation to avoid penalty. The CPPA removes this latitude effective January 1, 2025.
Also of particular note is that the exemption for employee/HR data was not extended, contrary to widespread expectation. Consequently, beginning January 1, employee/HR data will be considered consumer data and fall within the scope of the CPRA.
It is anticipated that California will enforce in a vigorous and highly visible manner.
Under the CCPA, rights included access, consent, equality, deletion, and portability. Under the CPRA, new rights are enumerated, including the right to correct; opt-out of automated decision making; access to information about automated decision making; and the right to restrict use of sensitive PI.
Rights Under CCPA
- Access
- Consent
- Equality
- Deletion
- Portability
New Rights Under CPRA
- Correct
- Opt-out of automated decision making
- Access to info about automated decision-making¹
- Restrict use of sensitive PI
Consent under CPRA
While GDPR has a very stringent definition of opt-in – it needs to be freely given, specific, informed, and unambiguous – the CPRA provides a looser interpretation. Another difference: the GDPR requires opt-in for all collection of data, while the CPRA only requires opt-in for specific types of data.
The GDPR and CPRA also differ in their treatment of implied consent versus express consent: the GDPR does not recognize implied consent. So, for example, in Europe a pre-checked box would count only as implied consent and would not satisfy the GDPR.
The CPRA, by contrast, is in no way an opt-in law, but it does contemplate opt-in for specific use cases. Note that users have the ability to opt out of collection and use of even previously opted-in data (and vice versa).
*If you are selling or sharing the personal information of minors, you need consent of their parent or guardian.
What CPRA regulations say about Opt-Out
Right now, under the CCPA, in addition to the “do not sell or share my personal information” link, the new regulations require a link to “opt out of sensitive information” to be presented. Much like the “do not sell or share” link, it needs to be conspicuous, and it needs to point to a web page that gives complete information on how consumers can make their choices.
Opt-out signals must have a frictionless option. One example of a frictionless option is the use and acceptance of Global Privacy Control (GPC) signals.
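As an added illustration of what “accepting GPC signals” means on the server side (this is example code, not from the webinar or from WireWheel), the following Python shows the minimal decision logic: a browser with Global Privacy Control enabled sends the request header `Sec-GPC: 1`; the site treats that as an opt-out of sale/sharing that overrides any earlier opt-in, and the absence of the header never re-enables sharing. The `PrivacyChoices` fields, the `decide` helper and the sample request headers are assumptions constructed for this example.

```python
from dataclasses import dataclass

GPC_HEADER = "Sec-GPC"  # request header name used by the Global Privacy Control proposal


@dataclass
class PrivacyChoices:
    """Per-consumer choices a site records (field names are this example's own)."""
    sale_or_sharing_opted_out: bool = False
    sensitive_pi_use_limited: bool = False
    source: str = "default"  # constructed audit label: where the current choice came from


def gpc_signal_present(headers):
    """True only when the request carries exactly 'Sec-GPC: 1' (header name is case-insensitive).

    Any other value (e.g. 'yes', '0') is not a valid signal and is ignored, so a
    malformed header does not accidentally flip a consumer's choice either way.
    """
    for name, value in headers.items():
        if name.lower() == GPC_HEADER.lower():
            return value.strip() == "1"
    return False


def apply_request_signals(choices, headers):
    """Fold a request's GPC signal into the stored choices.

    A GPC signal opts the consumer out of sale/sharing, overriding any earlier opt-in
    (the CPRA lets consumers opt out of previously opted-in data). Absence of the
    signal never re-enables sale/sharing: the opt-out stays until the consumer
    changes it through the "Your Privacy Choices" page.
    """
    if gpc_signal_present(headers):
        choices.sale_or_sharing_opted_out = True
        choices.source = "gpc"
    return choices


def may_share_with_ad_partners(choices):
    """Gate third-party tag loading and data transfers on the recorded choice."""
    return not choices.sale_or_sharing_opted_out


# Constructed sample request headers (not captured traffic).
SAMPLE_REQUESTS = {
    "browser_with_gpc": {"Host": "example.test", "sec-gpc": "1", "User-Agent": "ExampleBrowser/1.0"},
    "browser_without_gpc": {"Host": "example.test", "User-Agent": "ExampleBrowser/1.0"},
    "malformed_signal": {"Host": "example.test", "Sec-GPC": "yes"},
}


def decide(name):
    """Demo helper: start from a consumer who previously opted in, apply one request,
    and return (may_share, source_of_current_choice)."""
    choices = PrivacyChoices(sale_or_sharing_opted_out=False, source="prior-opt-in")
    apply_request_signals(choices, SAMPLE_REQUESTS[name])
    return may_share_with_ad_partners(choices), choices.source


if __name__ == "__main__":
    for request_name in SAMPLE_REQUESTS:
        print(request_name, decide(request_name))
```

The `source` label is there because the regulations require you to explain how opt-out signals are processed; recording whether a choice came from GPC or from the privacy-choices page makes that explanation auditable.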
Regulation goes on to say, ‘look, we understand that we’re asking you to put both a do not sell or share my personal information button and an opt out of sensitive information button there.
We understand that there are real estate issues on your web pages. To make that easier, you can combine the links. And the link must say “Your Privacy Choices” or “Your California Privacy Choices” to effectuate both the do not sell and the opt out of sensitive information.
—Rick Buck, WireWheel CPO
The link must also direct consumers to a web page that explains these choices in detail and in plain terms.
If my organization has implemented GDPR for EU operations, then the rights to opt out and to restrict processing should already be accounted for within the processing, right?
Where GDPR has fully comprehensive opt-out rights, in that specific instance, if you are fully complying with your subject access rights under GDPR, you’re likely to be fully compliant under GDPR. But I would be very reluctant to tell you that complying with GDPR means that you are complying with the CPRA.
Don’t rest on your GDPR compliance in any other jurisdictions where you need to be compliant.
—Rick Buck, WireWheel CPO
The CPRA states that your privacy notice needs to tell California consumers how they can exercise their rights. If you sell, then there must be an information link.
You need to list the categories of PI collected or sold in the past twelve months. You need to disclose the types and uses of sensitive PI, their sources, categories, and the purpose for each. Furthermore, your policy needs to have an effective date and be updated annually.
You must also provide notice concerning PI being used for purposes beyond the use originally disclosed or for purposes not authorized under CPRA.
The privacy notice needs to provide information on all new CPRA rights – including an explanation of how opt-out signals are processed – and do so in easy-to-comprehend language.
Companies should really take a hard look – with the privacy, marketing, and legal teams – at what they’re doing with data. Is that data considered sensitive? (Remembering that sensitive data is defined differently across the states.) Are your data processing activities considered sensitive? If so, are those data processing activities considered the sale of data?
—Rick Buck, WireWheel CPO
If you can definitively say with a very high degree of confidence that you are not selling or sharing data and not processing sensitive data, then you should very clearly disclose that.
CPRA on Notice at Collection
As noted, the categories and purpose of the PI and whether it is sold or shared must be disclosed under the CPRA. The regulation goes on to be a bit more specific, stating that if data is shared or sold, then notice is required at or before collection. Importantly, you must also disclose how long each category of data is retained.
Furthermore, if you allow third parties to collect consumer data, you must list all those third parties who must also disclose on their homepage.
Privacy Impact Assessments under CPRA
What we know now is that PIAs are required for any data processing that creates significant privacy or security risk to a consumer, such as:
- Sensitive data
- Marketing to minors
- Targeted advertising, and
- Selling/sharing PI
PIAs will now also be required for third parties. Not only are you accountable for complying with the law, but any of your vendors that process data on your behalf – even if they don’t monetize the data – are also responsible for upholding CPRA compliance and need to cooperate with you in this regard.
Consequently, you not only need appropriate contractual language, you also need to perform proper third-party due diligence.
Perhaps most importantly, under the CPRA, service providers and contractors are prohibited from combining any PI they receive from businesses with PI from other sources, or their own. They can’t aggregate that data or monetize it.
Again, I would not say that the CPRA is GDPR light, but I like that the CPRA and other states that have passed privacy laws are at least starting to align with the way Europeans are thinking about data:
- The requirement that PIAs are done for high-risk processing and include third parties
- The concept of data minimization (only using data that is reasonably necessary and proportionate)
- Use case limitations
- How long data should be kept, and that
- Consent and security are important to the privacy story now
But remember, being GDPR compliant doesn’t mean you’re CPRA compliant. But it does mean you’re generally pointed in the right direction. And that’s a good thing.
¹ Automated decision-making is when humans are eliminated from the decision-making process. AI and machine learning (ML) technologies and techniques are used, for example, to model pricing and/or the content that consumers might get in an ad. On the employee side, it might be used to segregate candidates applying for a job or to identify employees who qualify for promotions. See Privacy Law Impacts to AI and High-Risk Processing for additional insights.