California Advances Consumer Privacy Laws
PREDICTIONS FOR 2021: PART 2
WHY THIS MATTERS
Proposition 24, the California Privacy Rights Act (CPRA), closes a loophole in earlier California privacy law.
The loophole in the California Consumer Protection Act (CCPA) allows major tech companies to continue to target ads with user data, even when users opt out.
The solution allows consumers to ask companies not to "share" their data, giving them more control over targeted advertising.
The California Privacy Rights Act (CPRA) will create a new state agency to enforce the law, currently carried out by the California Department of Justice.
While the CPRA will not become law until January 1, 2023, its regulations will apply to all information collected from January 1, 2022, onwards.
Data Privacy Laws Supported by Voters in Three States
On November 3, 2020, California, Michigan, and Massachusetts passed new data privacy initiatives.
Here, we will review Proposition 24 – the CPRA – in California.
In a future article, we will address the Massachusetts initiative regarding telematics systems in cars and Proposition 2 in Michigan, requiring search warrants for electronic data and communications.
Quick Look at the CPRA
According to Venture Beat, the California Privacy Rights Act (CPRA) passed with a 56% mandate on the November 3, 2020 ballot.
The ballot measure, Proposition 24, closes a loophole in the California Consumer Protection Act (CCPA) (effective January 1, 2020), which allowed major tech companies to continue to target ads with user data, even when users chose to opt out.
Consumers will have the option (and the burden) to ask companies not to share their data (assuming they know about it), which is intended to give them more control over targeted advertising.
The ongoing yin and yang between consumer privacy and businesses' customer data needs will continue – at least until the CPRA becomes legally enforceable in 2023.
Once the CPRA becomes effective, California residents will have a right to know where, when, and why businesses use their personally identifiable data.
As with the CCPA, details of the CPRA may be amended before the enforcement date in 2023. In the interim, legal counsel and compliance managers will need to reassess their data privacy regimen in time for January 1, 2022 (aka the look-back date).
Deeper Dive Into the CPRA
The National Law Review reported that the new CPRA modifies and expands the California Consumer Privacy Act (CCPA), which came into force on January 1, 2020. The CPRA will supersede the CCPA effective January 1, 2023. Until that time, the CCPA remains in effect.
Businesses Subject to the New Law
The CPRA changes the thresholds for businesses to be subject to the new law. To be a covered business under CPRA, one of the following criteria must be present:
- The business derives at least 50% of annual revenue from sharing or selling California consumers' personal information.
This provision changes the threshold under the CCPA by including the "sharing" of personal information, expanding businesses that come under the scope of the CPRA, and impacting businesses in the ad tech sector.
- The business has a gross revenue of over $25 million.
This provision is the same as under the CCPA.
- The business buys, sells, or shares the PI of more than 100,000 California consumers/households.
This provision changes the threshold from 50,000 under the CCPA to 100,000 under the CPRA. The heightened threshold means that more small businesses will be outside the scope of the CPRA.
Key Changes to CCPA by CPRA
The CPRA is an extensive and detailed piece of legislation making changes to the CCPA that range from minor revisions and clarifications to expanded coverage, a new enforcement agency, new concepts, and enhanced individual rights to bring private causes of action.
The main changes the CPRA makes to the CCPA are:
- Administrative Fines and Penalties.
The CCPA provides for fines for non-compliance of $2,500 per violation (or $7,500 per intentional violation).
The CPRA keeps administrative penalties of up to $2,500 per violation (or $7,500 per intentional violation) and increases the potential fine to $7,500 for violations involving minors (where the business has actual knowledge that the consumer is younger than 16).
- Expansion of private right of action for security breaches impacting personal information.
The CCPA provides for a narrow private right of action after data breaches when the personal information is non-encrypted and non-redacted (in accordance with California's Data Breach Notification Law), providing for either statutory damages ranging from $100 to $750 per consumer per incident, or actual damages (which are much more difficult to prove).
The CPRA expands the private right of action for consumers to bring claims against a business for the unauthorized access or disclosure of an email address and password or security question that would permit access to an account, along with access to a consumer's non-encrypted and non-redacted personal information.
- Limitation of the 30-Day Cure Period.
Under the CPRA, businesses no longer have a 30-day window to cure alleged non-compliance before being subject to administrative enforcement (making compliance even more essential).
However, the CPPA will retain discretion to allow a business to cure alleged violations.
Additionally, the CPRA provides for a cure period that will halt statutory damages with respect to private actions (not administrative actions) if the violation is remedied.
- Creation of Privacy Protection Agency.
The CPRA creates the California Privacy Protection Agency (CPPA), which will take over enforcement from the Attorney General's office, which currently enforces the CCPA.
The new agency will take up the Attorney General's rulemaking authority on the later of July 1, 2021, or six months after it notifies the Attorney General that it is prepared to begin rulemaking.
The new agency has been given an initial budget of $10 million to fund its investigation and enforcement activities.
- Limits on "Sharing" Personal Information.
The CPRA expands the CCPA's limitations on the "sharing" of personal information to include "cross-context behavioral advertising," whether for monetary or other valuable consideration. The emphasis is further regulation on the use of personal information for behavioral/targeted advertising purposes.
- Creation of "sensitive personal information" Subcategory of Personal Information.
The CPRA adds a new category of "sensitive personal information."
Sensitive personal information includes, among other categories, precise location, race, religion, sexual orientation, social security information, and specified health information.
The CPRA creates additional limitations on the use of sensitive personal information.
- Limitation on Retention Period.
The CPRA sets limits on collecting and retaining personal information, requiring a business to retain only that which is reasonably necessary and proportionate to achieve the purposes for which the personal information was collected or processed.
Further, the CPRA requires businesses to inform consumers of the length of time the business intends to retain each category of personal information and sensitive personal information, or the criteria used to determine that period.
- Extension of Exemption for Employee and Business-to-Business Data.
The current exemptions under the CCPA for handling employee or business-to-business data were set to expire on January 1, 2021.
The CPRA immediately extends the CCPA's existing partial exemptions for information relating to businesses' employees and job applicants, as well as information collected from consumers in a "business to business" context, until at least January 1, 2023.
- Opt-Out Rights for Automated Processing Limitations.
The CPRA creates new rules governing opt-out rights connected with the use of "profiling" or "automated decision-making technology."
The rule includes consumer/employee profiling tied to work performance, economic circumstances, health, location, and other factors.
The consumer also has a right to access "meaningful information about the logic involved in such decision-making processes, as well as a description of the likely outcome of the process with respect to the consumer."
Opt-Out links required:
- The CCPA requires a "Do not sell my information" link.
- The CPRA requires a "Do not sell or share my personal information" link.
- The CPRA requires a "Limit the use of my Sensitive Personal Information" link.
- The CPPA is required to develop regulations addressing access and opt-out rights relating to profiling technology.
- Right to Correct Inaccurate Data.
The CPRA adds the right to correct consumer data to the existing rights of notice and deletion.
- New Requirements and Obligations for Service Providers, Contractors, and Third Parties.
The CPRA places new contractual and direct obligations on service providers, contractors, and third parties.
Specifically, it requires:
- Businesses that send personal information to third parties to enter into an agreement binding the recipient to the same level of privacy protection as the CPRA provides,
- That agreement to grant the business the right to take reasonable and appropriate steps to remediate unauthorized use, and
- That agreement to require the recipient to notify the business if it can no longer comply.
- Effective Date
The CCPA remains in effect until January 1, 2023, at which time the CPRA (and its regulations) will take over.
While the CPRA will not become law until January 1, 2023, its regulations will apply (aka look back) to all information collected from January 1, 2022, onwards.
Since California legislation often drives further legislation across the US, we anticipate more data privacy laws at the state level and eventually at the federal level. Businesses should prepare for this more stringent trend in consumer data protection laws.
Businesses will need to comply by adopting stronger cybersecurity protocols, which is a challenge during the continued trend to remote work.
A thorough review of your commercial insurance portfolio may reveal a deficiency in cyber coverage: no cyber risk assessments, no incident response support, and no coverage for regulatory fines or penalties or for defense costs.
Stand-Alone Cyber Insurance
An investment in Stand-Alone Cyber Insurance is an investment in your survival after a cyber or privacy loss.
For example, some carriers offer cyber insurance coverage for:
- Data Security Breaches
First-party costs you suffer after a data breach include forensic investigations, notification to all those impacted, data recovery or restoration, and public relations to maintain your brand.
Third-party costs include attorney's fees, court costs, and damages from a liability claim or lawsuit.
- Regulatory Fines & Penalties
Fines or penalties imposed by a government agency, insurable under applicable law, and paid to a government entity or a consumer redress fund.
- Double Extortion Ransomware Attacks
A combination of a ransomware attack, data exfiltration, and data disclosure.
- Ransom payment demands during a ransomware attack:
Ransom payments (often in cryptocurrency) agreed with the prior written approval of the insurance company.
Ransom negotiations by security experts with the hackers (regarding the ransom demand).
- Business interruption during a cyber event:
Lost net profits and extra expenses (including payroll) during a shutdown of your computer network or operations due to a ransomware attack (after a brief waiting period and during a restoration period).
- Data recovery or restoration:
Recovering or restoring lost programs, software, or data due to damage, disruption, theft, or misuse of your data during a cyber event.
- Incident response during a cyber incident:
Incident response planning.
Incident response team pre-selected from a panel of experts.
Cyber incident response costs incurred.
- Employee cyber risk awareness training:
Employee training focused on reducing the likelihood of human error by employees being tricked or manipulated into taking action that leads to a ransomware attack, data breach, or funds transfer fraud.
Investing in cybersecurity alone is not sufficient when it comes to privacy violations. The essential next step is investing in specific Stand-Alone Cyber Insurance to avoid catastrophic financial harm to your business.
- Businesses subject to the CCPA will need to work with their legal counsel to amend their privacy practices and procedures to prepare for the CPRA changes.
- Businesses that are subject to the CCPA and future CPRA should invest in a dedicated Stand-Alone Cyber Insurance policy that provides coverage for potential regulatory fines and penalties and supports your business before, during, and after a cyber event.
- Cyber Armada Insurance is here 24/7 to help you during the renewal season and beyond.
Reach out to Cyber Armada Insurance to assist you with your Stand-Alone Cyber Insurance needs. We understand the evolving cyber risks and the importance of your investment in appropriate cyber insurance.
Contact Cyber Armada today to explore how your company can address potential financial losses from a cyberattack. Contact us at 888.727.6232.
Please watch for our next article on privacy laws outside of California and our White Paper covering the impact of data privacy laws on your business.