The California Consumer Privacy Act (CCPA) may seem like old news, especially now that Virginia and Colorado have also passed comprehensive privacy laws, but businesses must continue to pay attention to California if they want to stay on top of their potential compliance obligations. This blog post highlights key updates in California privacy law that will impact businesses in the coming year and how companies can respond to these.
- CCPA enforcement is ongoing.
As early as July 1, 2020, the first day CCPA enforcement began, the Office of the Attorney General (“OAG”) of California commenced sending notices of alleged noncompliance with the CCPA. Target industries range broadly and include online marketing, social media, online dating and advertising, consumer electronics, retailers and more. Once notified, companies have thirty days to cure or fix the alleged violation before enforcement proceeds further. Common fixes have included updating privacy policies, modifying service provider contracts with CCPA addendums, and adding “Do Not Sell My Personal Information” links.
- Businesses operating loyalty programs are also on notice.
As part of its investigative sweep, on January 28, 2022, the OAG also sent notices to businesses operating loyalty programs in California. Under the CCPA, businesses that offer financial incentives, such as promotions, discounts, free items, or other rewards, in exchange for personal information must provide consumers with a notice. Such a financial incentive notice must clearly describe the material terms of the financial incentive program to the consumer before they opt in to the program. Major corporations in the retail, home improvement, travel, and food services industries were sent notices alleging that the financial incentive notices for their loyalty programs were deficient.
- CPRA rulemaking is also in full force.
In November of 2020, California voters approved Proposition 24, the California Privacy Rights Act of 2020 (CPRA), which establishes many updates to the CCPA. A new agency, the California Privacy Protection Agency (CPPA or “Agency”), governed by a five-member Board, is mandated to implement and enforce the law.
On September 22, 2021, the Agency opened an invitation for comments on eight main topics:
- Risks: What kind of processing presents a significant risk to consumers’ privacy or security? Businesses engaged in such processing will be the ones subject to cybersecurity audits and required to perform risk assessments.
- Automated Decision-Making: What activities constitute “automated decision-making” technology? Consumers will be able to opt out of automated decision-making technologies and/or profiling.
- Authority of Agency: What authority and scope should the Agency have to audit? The CPRA will give the Agency authority to audit businesses within such a defined scope.
- Consumers’ Rights: The CPRA adds a new right: the right to request correction of inaccurate personal information. What should be the scope of the new rules for correction of consumer information?
- Opt-Out Rights: What rules should be established to allow consumers to limit the use and selling of sensitive information, and how should the opt-out preference be defined? Businesses may need to redefine the functionality associated with opting out of the sale of personal information and to create rules to limit the use of sensitive personal information.
- Sensitive Information: The CPRA expands the data categories to include sensitive personal information. What is the scope of “sensitive personal information,” and what disclosures should be required for it? Businesses will need to include provisions that address sensitive data.
- 12-month period of consumer information: Upon an access request, the CPRA will require businesses to provide the consumer’s information for a 12-month period. Requests made after January 1, 2022, may require businesses to disclose information beyond the 12-month window. Comments on this topic include what would constitute a “disproportionate effort” for businesses to provide the requested data back to consumers.
- Definitions and categories: The Agency is also asking for comments on the definitions section. Businesses should be on the lookout for changes to definitions such as “personal information,” “precise geolocation,” “specific pieces of information obtained from the consumer,” “designated methods for submitting requests,” and others.
After the two-month-long comment period, the Agency released nearly 900 pages of comments on December 14, 2021. Formal rulemaking will commence once the information gathering is complete. With the CPRA going into effect on January 1, 2023, businesses now have less than a year to complete their compliance program for the CPRA.
- The future of the B2B and employee data exemptions under California law is unclear.
The CPRA extends the business-to-business and employee information exemptions in the CCPA to Jan. 1, 2023 (subject to certain limitations). Businesses that have previously relied on these exemptions for their California data will have to evaluate their potential compliance obligations once these exemptions expire. It is possible that the California legislature will attempt to further extend these exemptions (or make them permanent in the law, similar to the privacy laws in Virginia and Colorado), but it is unclear to what extent the CPRA permits the legislature to make this change.
- Meanwhile, California passed the Genetic Information Privacy Act.
On top of the CCPA/CPRA updates, the California legislature passed the Genetic Information Privacy Act (“GIPA”) last year, which went into effect on January 1, 2022. GIPA targets companies with a “direct-to-consumer” model for genetic testing. To qualify as a direct-to-consumer (“DTC”) entity and fall under GIPA, the company must engage in one of the following: (1) sell, market, interpret, or offer consumer-initiated genetic testing products or services directly to consumers; (2) analyze genetic data obtained from a consumer (interestingly, persons licensed in the healing arts for diagnosis or treatment of a medical condition are exempted); or (3) collect, use, maintain, or disclose genetic data collected or derived from a direct-to-consumer genetic testing product or service.
GIPA governs all data that results from the analysis of genetic material from a consumer. Genetic material can be deoxyribonucleic acids (DNA), ribonucleic acids (RNA), genes, chromosomes, alleles, genomes, alterations or modifications to DNA or RNA, or single nucleotide polymorphisms. The law also covers data extrapolated, derived, or inferred from genetic analysis. Notably, de-identified data is exempt from the scope of the law.
Under GIPA, DTCs must provide notice, obtain consent, and meet certain data security standards. DTCs must clearly provide information regarding their privacy practices and their use and maintenance of genetic data, as well as a disclosure that de-identified genetic or phenotypic information may be shared with third parties. For service providers specifically, DTCs must have a contract with them that limits what they can do with the genetic data they process on behalf of the DTCs. DTCs must also obtain express consent from consumers for using, storing, or transferring genetic data to a third party. DTCs must further develop, implement, and maintain a comprehensive security program to protect a consumer’s genetic data against unauthorized access, use, or disclosure. Finally, DTCs must provide consumers with access to their genetic data, as well as the option to delete their account and genetic data.
There is no private right of action under GIPA. It can be enforced exclusively by the OAG, a district attorney, county counsel, city attorney, or a city prosecutor. Negligent violations of the law can lead to fines up to $1,000 per violation, and willful violations are enforceable up to $10,000 per violation.