California was the first State in the U.S. that enacted a consumer privacy statute called the California Consumer Privacy Act (“CCPA”). Via a successful ballot initiative, the CCPA was amended by the California Privacy Rights Act (“CPRA”) to enhance and expand the rights and protections that were provided by the CCPA. This article offers a summary of the new rights and protections provided by the CPRA. The CPRA became effective at the beginning of 2023. Note that both the CCPA and the CPRA are mainly enforced by a California agency called the California Privacy Protection Agency.
CCPA now covers employees and business-to-business personal data
The original CCPA did not cover the personal data and information of employees or business-to-business personal information/data. The CPRA changed that. Now, the CCPA’s data collection, notice, consent, and protection protocols apply to employee data and business-to-business data.
New category of personal information: “sensitive personal information”
Under the original CCPA, the consumer data to be protected was data that allowed a person to be specifically identified such as social security numbers, names, addresses, biometric data, etc. The CPRA created a new category called “sensitive personal information” (“SPI”) which overlaps to a degree with the other categories called “personal identification information.” SPI is entitled to a higher level of protection. SPI includes:
- Racial origin
- Ethnicity
- Religious, political and philosophical beliefs
- Sexual orientation and identify
- History of one’s sex life
- Contents of mail, email and text messages
- Medical history and status
- Financial history and status
- Precise geolocation
- Genetics
- Biometrics
- Social security number
- And more
Several new consumer rights
The CPRA created several new rights for consumers. Under the earlier CCPA, consumers were given certain rights such as the right to know what information was collected, whether the information was sold, to whom it was sold, etc. The CPRA adds to these rights and protections. For example, consumers, employees, and those in B2B relationships have a right to limit the use of SPI to only that “which is necessary to perform the services or provide the goods reasonably expected by an average consumer who requests such goods or services.” This right includes a right to limit how long a company collecting, buying, processing, sharing, or using the SPI can keep the data. To facilitate the exercise of these rights, the CPRA mandates the prominent placement of a hyperlink called “Limit the Use of My Sensitive Personal Information.”
The CPRA also extends the previous opt-out rights to include SHARING of personal information and/or SPI. Under the original CCPA, consumers could only opt out of the SALE of their data. In reality, this is a new right to opt out of targeted advertising. “Sharing data” is defined as transferring or making available data for the purposes of “cross-context behavioral advertising.” Another new right is the right to correct all data including SPI. Finally, the CPRA creates the right to opt out of “automated decision-making technology.”
These and other changes made by the CPRA are well within the current trends that can be seen in more recent consumer privacy laws being enacted in other states. The trend with respect to targeted advertising is particularly noticeable.
Contact The Consumer Privacy Compliance and Internet Law Attorneys At Revision Legal
For more information, contact the experienced Consumer Privacy Compliance and Internet Law Lawyers at Revision Legal. You can contact us through the form on this page or call (855) 473-8474.