CONTACT

California’s CCPA 2.0 Passed: Here’s What It Means

News

As you may be aware, California voters recently passed ballot Proposition 24, the California Privacy Rights Act of 2020 (“CPRA”).

The new CPRA regulation, also commonly known as “CCPA 2.0”, goes into effect on January 1, 2023 and extends privacy protections to California Consumers above and beyond the current CCPA framework, the new CA privacy law that just went into effect earlier this year.

Many of the new protections offered by both CCPA and CCPA 2.0 continue to be inspired by GDPR, an EU law on data protection and privacy that has become a model for further privacy laws adopted across the globe.

The original CCPA framework, which went into effect on January 1, 2020, empowers consumers to find out what personal information is collected about them, how it is used, who it is shared or sold to, and to make informed choices about how their data is managed (including the ability to opt out, delete, or request to know what personal information business is collecting about them).

The Good and The Bad

But wait…we already have CCPA to provide California consumers with privacy protections, so why exactly do we need CCPA 2.0?

Advocates of the new CPRA regs emphasize that CCPA doesn’t go far enough, citing loopholes which allow certain businesses to get around the new restrictions. They believe the new CCPA 2.0 provisions plugs those gaps and could become a model for the rest of the country.

As an example, CCPA provides users with the right to opt out of the “sale” of their data. But some tech companies argue that certain transfers of user information which raise privacy concerns don’t actually amount to ‘sales’ per say, as there’s no exchange of money (such as with cross-context behavior advertising). The new provisions fill this crack by expanding the CCPA’s obligations formerly limited to the ‘sale’ of data to include a newly defined concept of data ‘sharing’.

Aside from new rights to prevent businesses from sharing their information, the new provisions would provide consumers the ability to correct inaccurate personal information, and limit businesses’ use of “sensitive personal information,” including precise geolocation, race, ethnicity, and health information. It also establishes a new California Privacy Protection Agency to oversee compliance and enforcement of the new rules.

On the flip side, critics of CPRA voice concerns that the new rules may encourage what some call “pay for privacy” where businesses may charge users more if they opt out of sharing of their information. This model may disproportionally affect lower income consumers and households, who should not have to compromise their privacy needs.

Another ongoing concern is the hodge-podge of privacy laws that are bound to follow across all 50 states in the absence of any single federal privacy law. This de-centralized approach to privacy rule-making may not only confuse and overwhelm consumers, but will also add further strains to businesses, many of which just spent the last couple years updating privacy programs and processes to comply with CCPA.

Having only been live for months, critics are also concerned that we need more time to figure out exactly what is and isn’t working with CCPA, before rolling out an entirely new CCPA 2.0 privacy framework.

That said, regardless of where you stand on this topic, CPRA is here to stay so let’s take a look at what it means for consumers and businesses.

What does CCPA 2.0 mean for Consumers?

The CPRA introduces a number of new consumer rights, above and beyond the current CCPA regulations. Here are some areas of note among the new provisions:

  • Expanded Do Not Sell Requirements – Expands the existing ‘Do Not Sell’ consumer right to include the right to opt out of selling OR sharing of their personal information to third parties.
  • Added Protections for Sensitive Personal Information – Establishes a new category of ‘sensitive personal information’ that ranges from government identifiers (such as social security number, driver’s license and passport numbers), to race and ethnicity, consumer health information, and biometric/precise geolocation data. This provision also enables consumers to limit a Business’s use or disclosure of this information.
  • Data Minimization – Limits a business’ collection and use of a consumer’s personal information to be reasonable and proportional to achieve the purpose for which the personal information was collected.
  • Right to Correct – Among some modifications to the right to know, deletion, and do-not-sell rights, CRPA provides consumers a new right to correct inaccurate personal information that a business holds about them.
  • Right to Data Portability – Provides consumers with a new right to take their personal information with them to another business.
  • Expands the Existing Notice at Collection to include:
    • Disclosures of whether Personal Information collected is shared or sold,
    • Separate disclosures for “sensitive personal information” collected, its purpose for collection and use, and whether such information is sold or shared; and
    • Disclosures of the length of time a Company retains each category of Personal Information, the criteria used to determine such period, and prohibits retention of such data for a longer period than what’s required for its disclosed purpose
  • Expands Right to Know Requests – Expands the scope of a consumer Request to Know request from the previous 12 month lookback period to include all personal information collected about a consumer from January 1, 2022 and beyond.
  • Added Protections for Minors – Expands requirements for data collection for minors, and triples related fines for violations involving children.

Which businesses must comply with CPRA?

CCPA 2.0 includes slight changes about which entities qualify as a ‘covered business’ under the new regulations. Any companies which collect consumer’s personal information and do business in California are subject to CPRA, if they satisfy one or more of the below criteria:

  • Annual gross revenues over $25M
  • Buys/sells or shares the personal info of 100,000 or more consumers or households
  • Derives 50% or more of its annual revenues from selling or sharing consumers personal information

What must Covered Businesses do to comply?

Companies will likely need to implement new processes, procedures and policies and train their employees to accommodate the new consumer rights and provisions described above. Additionally, the regulation may require Businesses to take further actions to address these additional requirements:

  • Annual Audits and Risk Assessments – Requires High Risk Data Processors to perform annual cyber security audits and risk assessments and submit a risk assessment to the California Privacy Protection Agency on a regular basis.
  • Service Providers Obligations – Obligates the third party, service provider, or a newly defined ‘contractor’ to provide the same level of protection and comply with CPRA requirements. Contracts will need to be reviewed and updated to include the necessary CPRA provisions for service providers.

Timing

So now that the ballot initiative has passed, when will this all happen? Here’s what Throtle expects so far with respect to CPRA timelines:

  • Mid Dec 2020 – Ballot initiative takes effect including creation of ‘Consumer Privacy Fund’ and establishment of ‘California Privacy Protection Agency’
  • Jul 1, 2021 – Rulemaking activity to begin
  • Jan 1, 2022 – Any data collected by a business after this date will be subject to CPRA once it goes into effect (the lookback period)
  • Jul 1, 2022 – Final regulations to be adopted
  • Jan 1, 2023 – CPRA goes into effect

Throtle Compliance

At Throtle we strongly support consumer privacy rights and transparency and are committed to implementing the necessary enhancements to achieve full compliance of CPRA before it goes into effect on January 1, 2023. We will continue to actively monitor CPRA for the latest developments and expect to have further updates once the rulemaking activity is underway.

Should you have any questions about Throtle’s role in CCPA or CPRA compliance, please contact us at hello@throtle.io. You may also view our Privacy Policy here for further details on Throtle’s privacy practices.

Please note that this blog post should not be taken as legal advice and we strongly encourage you to consult with your respective legal counsel for guidance on CPRA compliance.


Privacy Settings
Youtube
Vimeo
Google Maps
Spotify
Sound Cloud
SIGN UP NOW