California voters on Election Day passed the California Privacy Rights Act (CPRA), an update and partial overhaul to the California Consumer Privacy Act (CCPA), the landmark 2018 privacy law. The new CPRA strengthens existing privacy protections, particularly for certain categories of sensitive personal information, and creates an independent enforcement agency. However, privacy advocates like the ACLU of Northern California and the Electronic Frontier Foundation came out against or refused to support the measure, arguing that it lacks teeth and reinforces an “opt-out” rather than “opt-in” default for consumer consent.
The CPRA potentially strengthens data protections for Californian consumers by creating a category of “sensitive personal information” and providing these consumers with the means to limit the use of this information by businesses. Sensitive personal information includes, among other categories: social security, driver’s license, and credit and debit card numbers; precise geolocation data; racial and ethnic information; the contents of a consumer’s email and text messages; genetic data; information about a consumer’s sex life or sexual orientation; and biometric information. However, the CPRA puts the onus on the consumer to affirmatively request that a business limit its use of this information to only what is “necessary” to accomplish the business purpose of collecting the data (a long-standing privacy principle known as “data minimization”). The CPRA leaves it to the business to determine what is necessary, creating potentially wide leeway in denying consumer requests.
The CPRA also leaves in place, and in some cases expands, the opt-out defaults of the existing CCPA regime. “Opt-out” defaults require the consumer to affirmatively request that their data not be collected, sold, shared, etc., while “opt-in” defaults require businesses to get the consumer’s consent before selling and sharing their data. Privacy advocates argue that it is too burdensome for consumers to opt out of data collection on every website they visit or app they use, while proponents of the CPRA argue that an opt-in framework is unworkable. The CPRA may expand the opt-out framework by reducing the requirements for businesses to adhere to “global” opt-out signals sent by consumers and, in general, by requiring consumers to take the necessary steps to control their data.
The CCPA’s so-called “pay-for-privacy” is partially expanded by the CPRA. Under pay-for-privacy, consumers either allow businesses to share and sell their data or pay a higher fee for the business’s service. The CPRA does not limit these schemes, and now allows businesses to run loyalty or discount programs where, for instance, consumers who do not allow access to their data will be restricted from a certain discount on the business’s service.
On the enforcement front, the CPRA creates an independent agency, the California Privacy Protection Agency, tasked with enforcing its provisions and penalties—including a newly tripled penalty for violations of the privacy protections covering children—and with promulgating regulations to carry out the purposes of the act. This is a break from the current model of tasking Attorney General offices—which are often stretched thin—with privacy law enforcement. The Privacy Protection Agency will begin enforcement of the CCPA in 2021 but will not begin enforcement of the CPRA until 2023, and the CPRA will only apply to violations involving data collected in 2022 or later. Finally, the CPRA creates no new private right of action for California consumers.
Overall, the CPRA is a mixed bag of some increased privacy protections for consumers and an entrenchment of the opt-out defaults and pay-for-privacy schemes present in the CCPA.