Management, compliance & auditing

5 changes the CPRA makes to the CCPA that you need to know

On election day 2020, Californians did more than vote for a president. They also passed the California Privacy Rights Act (CPRA), which clarified the California Consumer Privacy Act (CCPA). 

Although most reports focus on the establishment of a new agency, the CPRA incorporates significant additions and deletions that aim to force businesses to be more proactive and bring third-party business partners into the mix. Taking a deeper look into the nuances gives insight into the changing face of privacy law in the United States. 

Section 1978.100 General Duties of Businesses that Collect Personal Information

The changes to this section shift the focus from consumer rights to business obligations. Originally, this section began with: 

A consumer shall have the right to request that a business that collects a consumer’s personal information disclose to that consumer the categories and specific pieces of personal information the business has collected.

The CPRA removes this section entirely, focusing on and amending the original subpart (b), which now states: 

A business that controls the collection of a consumer’s personal information shall… 

First, by removing the subpart discussing a consumer’s right and focusing on businesses’ responsibilities, this change indicates a strong move away from consumers needing to be proactive in asserting their rights. Additionally, the move away from “business that collects” to “business that controls the collection of” ensures that the businesses and their third-party providers are the responsible parties. 

Along with this change, the CPRA also incorporates seven new required general duties, including: 

• Businesses need to inform consumers about the data categories and whether information will be sold or shared.
• Once businesses inform the consumer, they cannot collect additional categories of information in ways incompatible with the original disclosure’s purpose. 
• Third-parties controlling the collection of personal information must provide the same disclosures on their website.
• Businesses sharing with or selling information to third parties must establish contractual agreements that force the third party to meet CPRA requirements and ensure that the third party meets the contractual obligations. 
• Businesses that collect personal information shall implement reasonable security procedures and practices. 

Two important changes in this section are new requirements for proving governance over third parties and implementing security procedures and practices. The CCPA mentions security only as a cause of private action against a business that experiences a data security incident. The CPRA takes this a step further and requires security as a general business duty. 

1798.105 Consumers’ Right to Delete Personal Information

The CCPA gave consumers the right to request that organizations delete their personal information but gave little direction for how this should be done. The CPRA clarifies service provider and contractor responsibilities, stating: 

A service provider or contractor shall cooperate with the business in responding to a verifiable consumer request, and at the direction of the business, shall delete, or enable the business to delete, and shall notify any of its own service providers or contractors to delete, personal Information about the consumer collected, used, processed, or retained by the service provider or the contractor. The service provider or contractor shall notify any service providers, contractors or third parties who may have accessed such personal information from or through the service provider or contractor, unless the information was accessed at the direction of the business, to delete the consumer's personal information, unless this proves impossible or involves disproportionate effort. A service provider or contractor shall not be required to comply with a deletion request submitted by the consumer directly to the service provider or contractor to the extent that the service provider or contractor has collected, used, processed, or retained the consumer's personal Information in Its role as a service provider or contractor to the business.

The CPRA sets forth a clear waterfall of responsibilities. Service providers and contractors need to respond only to the businesses with whom they contract, not direct consumer requests. However, these service providers and contractors need to work with their third parties to delete information shared under contracts. 

The short explanation here is that a consumer request must be moved throughout the entire supply chain. Businesses need to contact their third parties who then need to work with their contractors, continuing down the supply stream. 

1798.121 Consumers’ Right to Limit Use and Disclosure of Sensitive Personal Information

Section 121 is a new provision not included in the CCPA, establishing new consumer rights. Consumers can now direct businesses collecting information to use that data only for performing necessary services or providing goods. If the business chooses to disclose the information for any other purposes, it must notify the consumer. 

Once a customer has requested the limitation, businesses must get affirmative direction from the consumer before using data. Finally, this section forces businesses to send third parties instructions about limiting data use and contracts need to incorporate this requirement. 

1798.130 Notice, Disclosure, Correction, and Deletion Requirements

The CPRA makes several updates to the previous CCPA requirements around who is responsible for disclosing, correcting, and deleting information as well as what information needs to be disclosed, corrected, and deleted. 

Service provider and contractor responsibilities

First, this section shifts the burden of responsibility from third-party service providers to the businesses that own the consumer relationship. In section 130(3)(A), it specifically notes: 

A service provider or contractor shall not be required to comply with a verifiable consumer request received directly from a consumer or a consumer’s authorized agent … to the extent that the service provider or contractor has collected personal information about the consumer in its role as a service provider or contractor. A service provider or contractor shall provide assistance to a business with which it has a contractual relationship with respect to the business’s response to a verifiable request.

This section clarifies service provider and contractor responsibilities focusing on the contractual obligations between third parties and businesses. By specifying these responsibilities, it limits the burden placed on third parties who no longer need to respond directly to consumer requests, placing the onus on the businesses who want to collect the data. 

In short, the burden now falls back on the businesses that collect the consumer information, requiring them to engage the service providers and contractors. 

Specific pieces of information

Under the initial CCPA, businesses needed to provide consumers, upon request, the categories of personal information that they collected. The CPRA creates additional requirements under 130(3)(B)(iii) which states that businesses need to: 

Provide the specific pieces of personal information obtained from the consumer in a format that is easily understandable to the average consumer.

Although the section later places “specific pieces of information” in quotes, the definitions section gives no additional clarification. Based on the language and the rest of the updates, this section seems to indicate that businesses must give consumers everything that they collected within each category. This could include, for example, giving the consumer the email address, name or other records associated with the consumer. 

Definitions

Finally, CPRA adds several new definitions that businesses need to consider when collecting consumer information. 

Consent

The CCPA discussed consent but did not give clarification over the term’s definition. The CPRA builds on traditional “opt-out” language used, such as clicking on a button saying, “I give consent.” The new definition creates several important hurdles, particularly for marketing teams. 

“Consent" means any freely given, specific, informed and unambiguous indication of the consumer's wishes by which he or she, or his or her legal guardian, by a person who has power of attorney or is acting as a conservator for the consumer, such as by a statement or by a clear affirmative action, signifies agreement to the processing of personal information relating to him or her for a narrowly defined particular purpose. 

Acceptance of a general or broad terms of use or similar document that contains descriptions of personal information processing along with other, unrelated information, does not constitute consent. Hovering over, muting, pausing or closing a given piece of content does not constitute consent. Likewise, agreement obtained through use of dark patterns does not constitute consent.

This definition establishes several new requirements that businesses, and specifically their marketing teams, need to take into account. 

First, the definition clearly explains that “general or broad terms” do not constitute acceptance, which means that the traditional “by clicking this box I accept all terms and conditions” solutions may fall flat under the regulation. 

Second, many marketing departments use heatmaps to detect consumer intent across their websites. These track user activities via “hovering over, muting, pausing, or closing” content. In other words, these types of tracking methodologies may now place consumer websites outside of CPRA compliance. 

Finally, the CPRA defines “dark patterns” as “a user interface designed or manipulated with the substantial effect of subverting or impairing user autonomy, decision-making, or choice, as further defined by the regulation.” These “dark patterns” appear to be a catch-all phrase for any marketing ploys that try to leverage users’ psychological nature against them, such as email request boxes with buttons that say, “No thanks, I don’t want a discount today.” Under the CPRA, these would be considered non-compliant tactics. 

Security and integrity 

Unlike the CCPA, which focused solely on unauthorized access from a privacy perspective, CPRA clearly moves the regulation towards creating a hybrid cybersecurity and privacy mandate. Under the definitions section, the regulation defines “security and integrity” as: 

…the ability: (1) of a network or an information system to detect security Incidents that compromise the availability, authenticity, integrity, and confidentiality of stored or transmitted personal information; (2) to detect security incidents, resist malicious, deceptive, fraudulent, or illegal actions, and to help prosecute those responsible for such actions; and (3) a business to ensure the physical safety of natural persons.

As organizations look to the future of privacy law, this addition may be the most important for the long term. By requiring businesses to detect “security incidents, resist malicious, deceptive, fraudulent, or illegal actions”, the law moves beyond traditional privacy and incorporates the types of activities that fall under cybersecurity. 

Additionally, it places a new burden of documentation on businesses as they need to “help prosecute” those responsible for illegal activities. In other words, the CPRA might be looking to focus on organizations’ forensic capabilities as a way to track down malicious actors. In that event, organizations will need to shore up their data security event documentation capabilities. 

What does the CPRA mean for affected businesses?

For smaller consumer businesses, CPRA might create onerous burdens. Smaller B2C companies might find documenting security more burdensome than larger organizations, specifically small online retailers. 

However, for companies looking to the future of privacy and cybersecurity legislation, the proverbial handwriting might be on the parchment. In an increasingly digitized world, the two areas become more intertwined than ever. As such, privacy mandates and cybersecurity mandates appear to be inching closer and closer together.