Introduction:
On November 3, 2020, Californians voted in favor of Proposition 24, which introduced amendments to the California Consumer Privacy Act (CCPA). These amendments are collectively known as the California Privacy Rights Act (CPRA) and went into effect on January 1, 2023. The CPRA expands and modifies the CCPA while establishing the California Privacy Protection Agency (CPPA) as the new administrator of the law. This blog post aims to provide an overview of the CCPA 2023 as amended by the CPRA.
A. Summary:
The private right of action under the CCPA is expanded to include breaches of email addresses and passwords or security question answers that would allow access to a consumer's account. In other words, if you are a California resident, your email address cannot be taken, sold, or shared with a third party without your permission. Email addresses are deemed personal information worthy of protection, which makes a lot of sense given the value of email addresses to businesses hoping to use the information to make a sale or to sell the information itself.
For lawyers, the question arises: how do you plead a CCPA claim under the CPRA amendment? When filing a complaint under the CCPA 2023, it is still appropriate to plead the CCPA itself, as the CPRA amendment is integrated into the CCPA framework. While it may be prudent to include a footnote acknowledging the CPRA amendment, it is not necessary. However, it is essential to update the definition of a "business" in complaints to reflect the new threshold of 100,000 consumers or households, and to recognize that both "selling" and "sharing" of consumer information count towards that threshold.
The CCPA is likely to be the model for comprehensive cybersecurity measures under federal law if Congress ever takes this kind of action. Below is a list of things to keep in mind when pleading a claim under the CCPA as amended by the CPRA.
- Expanded Private Right of Action: The CPRA expands the private right of action to include breaches of email addresses in combination with passwords or security question answers, eliminating the need to tie such breaches to a specific category of "personal information" to trigger the notice provision and protections of the CCPA.
- Introduction of "Sensitive Personal Information": The CPRA adds "sensitive personal information" to the existing category of "personal information." This includes biometric information for unique identification, personal health information, and personal information related to a consumer's sex life or sexual orientation.
- Extended Look-Back Period: The CPRA allows consumers to request information beyond the usual 12-month period, if it is not impossible or disproportionately burdensome for businesses to provide. This expands the scope of consumer information requests.
- Expanded Consumer Rights: The CPRA grants consumers the right to correct inaccurate information, opt out of sharing their personal information, and limit the use of their information. It also introduces non-discrimination protections to safeguard employees, job applicants, and independent contractors who exercise their rights under the CCPA.
D. Main Points "Fleshed Out":
Below are a few things to keep in mind:
- Use of CCPA after January 1, 2023: The CCPA is still used even after the CPRA amendment.
- The CPRA modified and expanded the CCPA without creating a separate law. Therefore, when referring to the law, it remains the CCPA.
- Impact on the Definition of a "Business": The definition of a "business"
The CPRA amendment to the CCPA introduces several changes that impact how businesses are defined and regulated under the privacy law. These changes broaden the scope and obligations for businesses in handling consumer data. Let's delve into the key modifications brought about by the CPRA.
a. Redefinition of "Business":
Under the original CCPA, a business was defined as an entity that met one or more of the following criteria: (A) had an annual gross revenue over $25 million, (B) possessed personal information of 50,000 or more consumers, households, or devices, or (C) derived 50% or more of its annual revenue from selling consumers' personal information.
The CPRA amends the definition of a "business" by increasing the threshold for the number of consumers or households from 50,000 to 100,000. This means that a business must now meet the requirement of buying, selling, or sharing the personal information of 100,000 or more consumers or households to be subject to the CPRA.
Moreover, the CPRA expands the definition of "business" to explicitly include the sharing of consumer information, treating sharing in the same way as selling. This change expands the reach of the CCPA, ensuring that businesses engaged in sharing consumer data on a large scale are also subject to the law's provisions.
b. Strengthened Private Right of Action:
The CPRA amendment enhances the private right of action provision under the CCPA. Previously, to trigger the notice provision and protections of the CCPA, a breach had to involve a category of "personal information." However, under the CPRA, a breach of an email address in combination with a password or security question and answer that would permit access to the consumer's account is sufficient to trigger the CCPA's provisions. This expansion removes the requirement of a breach involving personal information, thereby broadening the circumstances in which consumers can enforce their rights under the law.
c. Addition of "Sensitive Personal Information":
The CPRA introduces a new category called "sensitive personal information" under the CCPA. This includes all the elements of the previous definition of personal information but adds specific types of data, such as the processing of biometric information for unique identification, personal information related to a consumer's health, and personal information related to a consumer's sex life or sexual orientation. The inclusion of sensitive personal information highlights the heightened privacy concerns associated with these types of data and imposes additional obligations on businesses in handling and protecting them.
d. Extended Look-Back Period:
The CPRA expands the "look-back period" for consumer data requests beyond the previous 12-month period under the CCPA. Consumers now have the right to request information that goes beyond the 12-month period, if providing such information is not impossible or disproportionately burdensome for the business. This change enables consumers to access a broader range of historical data held by businesses, enhancing transparency and empowering individuals to exercise their privacy rights.
Conclusion:
The CPRA's amendments to the CCPA significantly impact how businesses are defined and regulated under the privacy law. With changes to the threshold for businesses, the strengthened private right of action, the introduction of sensitive personal information, and the extended look-back period, the CPRA broadens the scope and obligations for businesses in protecting consumer privacy. These changes reflect the evolving landscape of privacy rights and emphasize the need for businesses to adapt their practices to comply with the new requirements imposed by the CPRA.