California voters just approved Proposition 24, the California Privacy Rights Act (CPRA), that was on the ballot November 3. It will not be in full effect until Jan. 1, 2023, but some provisions require actions well before then. For instance, the law establishes a new regulator, the California Privacy Protection Agency, which will be established on Jan. 1, 2021. We had questions, and for answers we turned to Scott Pink, special counsel in O’Melveny & Myers’ Silicon Valley office and a member of its Data Security and Privacy practice group. Pink last fielded our queries in February, when the subject was the CCPA (which remains in effect).
TAG Cyber Law Journal: What will the functions of this new privacy agency be, and will it completely replace the role of the California Attorney General’s Office as the enforcer of consumer privacy laws?
Scott Pink: The California Privacy Protection Agency will be the primary regulator in that it will issue regulations and guidance and have the right to commence investigations and bring administrative actions and file actions in court to enforce the law, including seeking civil penalties and cease-and-desist orders. However, the attorney general will retain the right to bring civil actions for civil penalties, unless the agency has already issued an administrative decision or order against the same person or company. If the attorney general brings a civil action that is not pre-empted by a prior administrative action, the attorney general can request the agency to stay an investigation and administrative action.
TCLJ: What is the enforcement date of the new law? And will the new law apply only to data collected by a business on or after Jan. 1, 2023?
SP: A few of the amendments, such as the extension of the employee exemption and business-to-business exemption to January 1, 2023, take effect immediately, but most of the law does not take effect until January 1, 2023. The CCPA, as currently enacted, and with the limited amendments in the CPRA that take effect immediately, will apply through December 31, 2022.
TCLJ: The private right of action to sue a business was a big part of the California Consumer Protection Act (CCPA). Will the new law change this provision?
SP: The private right of action under the CCPA was limited to security breaches. The new law does not change this.
TCLJ: The CPRA creates a new data category: sensitive personal information. How is that defined?
SP: "Sensitive personal information" means: (1) personal information that reveals (a) a consumer's social security, driver's license, state identification card, or passport number; (b) a consumer's account log-in, financial account, debit card, or credit card number in combination with any required security or access code, password, or credentials allowing access to an account; (c) a consumer's precise geolocation; (d) a consumer's racial or ethnic origin, religious or philosophical beliefs, or union membership; (e) the contents of a consumer's mail, email and text messages, unless the business is the intended recipient of the communication; (f) a consumer's genetic data. And it also means (2) (a) the processing of biometric information for the purpose of uniquely identifying a consumer; (b) personal information collected and analyzed concerning a consumer's health; or (c) personal information collected and analyzed concerning a consumer's sex life or sexual orientation.
TCLJ: Does the new law address how long data can be retained?
SP: Yes, a business shall not retain a consumer's personal information or sensitive personal information for each disclosed purpose for which the personal information was collected for longer than is reasonably necessary for that disclosed purpose.
TCLJ: What rights does the law grant consumers who may wish to modify their personal information that companies retain?
SP: It enacts a new right to correct inaccurate information.
TCLJ: Can the California Legislature amend the ballot initiative that just passed?
SP: Yes, but only if the amendments are consistent with, and further the purpose of, the act, except that it can further extend the employee and business-to-business exemptions.
TCLJ: In your opinion, what are the most important provisions of the CPRA that distinguish it from the CCPA?
SP: The creation of a data protection agency, the expansion of the opt-out right to “sharing” and cross-contextual advertising, the increased rights to control use of sensitive personal information, and the expansion of the publicly available information exception.
TCLJ: What are you advising your clients to pay particular attention to?
SP: It depends on the particular company and what data it collects. One area of particular focus is new opt-outs of sharing and cross-contextual advertising.
TCLJ: Do you expect this new law will influence other states (like Washington, for instance) that have been considering drafting their own privacy laws?
SP: Yes, the fact that a majority of California voters supported this ballot measure reflects a desire of consumers to have control over and protect their personal information. I believe this will influence other legislatures to consider enacting similar legislation or revising existing bills to include some of the amendments in the CPRA.