CPRA v CCPA

News around the U.S. Election in general is a lot to take in right now. But one thing businesses should note is that California voters approved the California Privacy Rights Act.

Known in the industry as CCPA 2.0, it is intended to become effective on 1 January 2023 and designed to strengthen the existing landscape of California privacy law.

The good news is that some of the updates in the CPRA should help clarify the ambiguities that are rife in the CCPA. Some of the highlights of the changes are as follows:

New Definitions

The CPRA modifies and adds several definitions, including that of a covered business. It increases the threshold of businesses that are caught by the data privacy law from those businesses that process 50,000 consumers or households up to 100,000 consumers or households. It also expands the law to cover businesses that earn at least half their annual revenue from selling or sharing personal information. This has the impact of covering some businesses involved in behavioral advertising. Indeed, the CPRA has made it clear that it intends to explicitly regulate digital marketing, with the right for individuals to opt out of some behavioral advertising practices. In other words, consumers could now opt out of sales of personal information (as per the CCPA), as well as being able to limit the business’s ability to share personal information for purposes of targeted advertising based on the consumer’s personal information obtained from their activity across various businesses or websites.

Sensitive Personal Information

Businesses will need to update their privacy policies to include a newly defined category of personal information: sensitive data. Those who are regulated under the GDPR may find this familiar. The definitions are slightly different, but the data includes similar things (such as union membership, genetic data, sexual orientation and health data). It also includes government identifiers, precise geolocation data, and even text messages. This data is more regulated, with individuals having the right to limit the use of their sensitive personal information, with a special link to accommodate such requests.

Individual Rights

Notably, the CPRA has introduced a number of new rights for individuals to make it more closely resemble the rights of data subjects under the GDPR, including the right to correct data, right to opt out of ‘profiling’ technologies, and data minimization of sensitive data for secondary purposes. When companies do use profiling technologies, then consumers have the right to be clearly notified of the technology. Consumers must also be put on notice about each business’s data retention policy. All of these rights and obligations must be outlined clearly within a business’s privacy policy.

Enforcement

There is also a new enforcement mechanism through the California Privacy Protection Agency (CPPA), instead of the current enforcer (the Office of the Attorney General). The CPPA would have investigative power and would be in charge of bringing enforcement actions. Unfortunately for service providers, there are also additional obligations requiring them to assist covered businesses with their own CPRA compliance. The law is focused on protecting children under the age of 16, with penalties for violations being tripled under the CPRA.

Businesses do have time to get their house in order, as the law does not become enforceable until 1 July 2023. However, the bill itself will apply to personal information that is collected by companies as of 1 January 2022 (due to the 12-month ‘look back’ access rights of consumers under the law). Until that time, the CCPA will remain in full force and effect (despite its flaws).

If you have questions about the CCPA, CPRA, or any other data privacy issues, get in touch with Danielle Prado, our US-qualified team member, at Danielle.prado@mbmcommercial.co.uk.  
