This article seeks to elucidate the
objectives, rights, and obligations of individuals and corporations under the
California Privacy Rights Act, 2020 in light of its importance for Indian
businesses operating in Canada.
Rights and obligations under the California Privacy Rights ActRights and obligations laid down by CPRA:
Newly introduced rights:
- Purpose limitation and data minimization
Companies are only allowed to acquire, use, retain, and disclose personal information that is "reasonably required" and "proportionate" to fulfill the purpose for which it was collected.
- New requirements for sensitive personal information
Companies that acquire "sensitive personal information" are now obligated to reveal how they do so, as well as provide customers with the option to limit how it is used and disclosed. Geolocation data, account login information, biometric data, genetic and medical data, the social security number or numbers from government-issued identification cards, as well as the details about race, ethnicity, religion, or sexual orientation are all examples of "sensitive personal information," but they are not the only ones.
- New right to correction
Businesses must give customers the option to update erroneous personal information. This is known as the "New Right to Correction."
- Broader timeframe for the right to access data
Unless doing so would be impractical or require an excessive amount of work, businesses must offer information to customers beyond the CCPA-mandated 12-month window prior to the request.
- Changes to the criteria for deletion
Companies must instruct contractors and service providers to remove private information from their records when they receive credible consumer requests to do so. Businesses must also request the deletion of personal data from third parties with whom they have shared or sold such information unless doing so would be impractical or require excessive effort.
- New "sharing" requirements
Companies that "share" customer information must warn customers of this policy and offer an opt-out mechanism. The term "sharing" refers to the act of giving personal data about a customer to a third party for cross-context behavioral advertising.
- New disclosure requirements
Companies now have to publish the parameters that will be used to establish how long they will keep each type of gathered personal information. The additional consumer rights granted by the CPRA, such as the right to rectification, the right to object to sharing, and the right to restrict the use and disclosure of confidential personal information, must also be disclosed by businesses.
- Placement of downstream contractual restrictions
Before selling, distributing, or disclosing personal information to service providers, contractors, or other parties, businesses must impose particular contractual duties on them.
- New security requirements and widened scope of data breach liability
Businesses must have reasonable security methods and processes that are relevant to the form of the personal data they gather and keep. This is due to new security requirements and wider liability for data breaches. The CPRA further broadens the scope of the private right of action to include data theft using a customer's email address along with a password or security question and answer that would allow access to the customer's account.
- Business-to-Business (B2B) and employee personal information
The CPRA extends consumer rights and safeguards to B2B and employee personal information, which has been mainly excluded from the CCPA.
- Extra requirements to be developed in rulemaking
Following the publication of the CPRA regulations, businesses are now subjected to additional obligations. Primary rulemaking power resides with the recently established California Privacy Protection Agency, and final CPRA rules have been implemented by July 1, 2022. 22 distinct topics are anticipated to be covered by regulations, such as the application of artificial decision-facilitation tools, risk evaluations, and recordkeeping.
- Right to challenge and rectify inaccurate information
People who use their right to access information may ask businesses to update
any information that is inaccurately given. If the company gets a verifiable
consumer request, it is then obligated to make commercially reasonable attempts
to rectify such information, barring some of the exceptions laid down by the
- Right to have personal information collected with minimum data and for
Businesses must use, retain, and share customer information only as much as is
reasonably required and reasonable to fulfil the reasons for which it was
- Right to request and receive notice from companies planning to use an
individual's sensitive private data as well as restrict them from doing so
Anyone can request that businesses stop collecting, selling, or disclosing
sensitive personal information. Businesses are required to provide consumers
with a particular notice if they intend to collect or use any sensitive personal
information. Information of this kind includes information that includes the
social security number, licence number, state ID number, passport number or any
other number of a government-authorised card, login information of financial
accounts, debit cards, or credit cards with the access code, password, or other
credentials, precise geolocation, origin in terms of race or ethnicity, religion
or philosophy, or union membership, email, text, and postal communication
content, DNA information for the purpose of identifying someone, biometric data,
information gathered and processed on a person's sexual orientation or medical
- Right to information access
The California Privacy Rights Act extends the CCPA's right to request access to
personal information a company has collected about a person in the previous 12
months (Section 1798.130(B)) to all information collected, regardless of when it
was collected, unless doing so is impossible or would require an unreasonable
amount of work.
- Right to refuse information sharing with third parties
As per Section 1798.115 of the Act, people have the option to refuse both the
sale and sharing of their personal information with third parties, according to
the California Privacy Rights Act. The CCPA raised this issue since sharing is
not expressly included in the definition of sale.
- Legal right to sue companies that reveal usernames and passwords
When a company exposes a customer's personal information due to a data breach
brought on by a failure to take adequate security precautions, the CCPA provides
customers with the power to sue the company directly. This is broadened by the
California Privacy Rights Act to encompass data breaches if the exposed personal
information includes a login and password.
Creation of a new agency under CPRA
The California Privacy Protection Agency, a new specialised privacy agency, is
established by this new statute under Section 1798.199.10 to manage enforcement.
A five-person board that includes the Governor, the Attorney General, the Senate
Rules Committee, and the Speaker of the Assembly is in charge of running it.
Governor also has the power to choose the chair and one other member. These
individuals chosen for these positions must be knowledgeable about consumer
rights, technology, and privacy, subject to certain restrictions that will help
ensure that the members will remain unbiased and free from external influence.
Board members are only permitted to hold office for a maximum of eight years in
a row and are subject to termination at any moment by the person who appointed
them. Additionally, they are prohibited from working for any person or company
that is presently under investigation or was the target of enforcement action
within the five years before the board member's appointment and for two years
after leaving the agency.
This organisation, which is run by an executive director chosen by the board,
gets a portion of its funding from enforcement actions, with any administrative
penalties levied or settlement money going straight to the Consumer Privacy
Fund. Additionally, it gets $10,000,000 yearly, an amount that gets revised on
an annual basis by the General Fund.
Timeline for CPRA compliance:
- January 2021: California Privacy Rights Act (CPRA) is established as the law and the California Privacy Protection Agency (CPPA) is established. It had been provided that a new agency was to be funded and set up within 90 days of the act's effective date i.e. five days after the Secretary of State officially files the election results.
- July 2021: Process for formulating and adopting CPRA regulations began.
- January 2022: Personal data collection became liable under the CPRA's one-year lookback time frame on January 1, 2022.
- July 2022: The deadline for final CPRA regulations for adoption by the CPPA was July 1, 2022.
- January 2023: The California Attorney General's office continues to enforce the CCPA until January 2023. People have not been able to file lawsuits for the disclosure of usernames and passwords until January 1, 2023, although they were still able to do so during this time if firms reveal their customers' personal information in a data breach.
- July 2023: The enforcement of the CPRA begins under the CCPA.
Enforcement and penalties under the California Privacy Rights Act
The California Privacy Protection Agency is a new state agency that receives all
regulation and enforcement power under the California Privacy Rights Act from
the California attorney general. The agency started using its rulemaking
jurisdiction as early as July 1, 2021, which was six months after giving notice
to the California attorney general that rulemaking would begin. The final
regulations, consisting of 22 distinct types of rules and many subparts, were to
be implemented by July 1, 2022.
The CPRA increases fines for offences involving kids under the age of 16 and
strengthens enforcement by eliminating the CCPA's current mandated 30-day window
for enterprises. Additionally, the legislation broadens the categories of data
breaches that are covered by the data breach private right of action to
incorporate data breaches involving a username, email address, and a password or
security question and answer that would allow access to a digital account.
Beginning on July 1, 2023, and only with regard to infractions that take place
on or after that date, the CPRA may be put into effect. Businesses must maintain
flexibility in order to adapt their compliance practices in light of continuing
Privacy rights for information of minorsPenalties for data breaches involving children
For infractions concerning the personal information of children and minors, the
California Privacy Rights Act imposes harsher administrative and civil sanctions
under Section 1798.155. While the California Privacy Protection Agency or the
Attorney General may pursue fines of up to $2,500 for each infraction or $7,500
for each deliberate infraction of the Act, they may also seek fines of up to
$7,500 for any infraction of the Act involving a consumer under the age of 16.
The amount of statutory penalties that a consumer may demand in a civil action
involving a breach of a minor's privacy rights under the Act has not increased
in line with this.
New obligations regarding educational information for students
The California Privacy Rights Act makes it clear that a business is not required
to comply with a customer's request to erase a student's grades, test results,
or educational scores that the firm maintains on behalf of an educational
institution. Additionally, a company is not compelled to give customers access
to standardised educational exams if doing so could compromise their validity
This explanation helps to allay some of the worries expressed
about how students could abuse their access to exam materials to alter their
grades or acquire an unfair edge over their peers. However, the CCPA and CPRA do
not apply to the degree that such scores, academic results, or evaluations are
regarded as a part of a student's academic record under the Family Educational
Rights and Privacy Act (FERPA).
Benefits of CPRA Compliance
By eliminating gaps in targeted advertising regulation, bolstering enforcement,
and preventing the legislature from weakening the legislation, the CPRA might
help consumers in the short run. Its long-term effects on privacy, however, are
less certain. The ballot measure adds new difficulties and ambiguities that
businesses may potentially take advantage of.
Even worse, there's a chance that
the CPRA may put a cap on reform and thwart fresh initiatives to create a
stronger privacy paradigm. Additionally, it passes up chances to significantly
enhance the California Consumer Privacy Act and guarantee privacy by default for
everyone, not just those who can pay for it.
- Closing the gaps in targeted advertising
Since the CCPA's definition of "sale" and the service provider exemption have
been exploited to get around the opt-out, the ballot initiative would benefit
consumers by providing them more control over the data exchanged to offer
tailored advertising. Another issue is the service provider exemption in the
current CCPA, which has been construed by some to mean that hundreds of
unidentified organisations may be regarded as "service providers" by a publisher
for delivering targeted advertisements. With enhanced controls on information
sharing, including information provided for cross-context targeted advertising,
the CPRA helps to solve this. Cross-context targeted advertising is no longer
covered by the service provider exemption since it is made clear that it is not
a legitimate business objective.
- More stringent enforcement
Companies often disregard rules that aren't effectively enforced, so the CPRA
may really help if enforcement were to be significantly strengthened. The CCPA's
enforcement measures are considered too lax, and the Office of the Attorney
General of California has said that it only has the funds necessary to pursue a
small number of privacy complaints annually. The "right to cure" phrase in the
Attorney General's enforcement section would be removed by the CPRA, which would
solve one of the greatest issues with the current CCPA.
This clause is a free
pass that would weaken the Attorney General's already limited enforcement
powers. The right to cure is particularly incorrect under privacy law because it
is unclear how the corporation might correct the infringement once data has been
disclosed inappropriately. The CCPA would also be implemented and enforced by a
new body that would be solely responsible for doing so, which might give the
proposal some power and authority.
- Motion to avoid tabling weakened amendments
If voters accept the CPRA, the industry shouldn't be able to further undermine
the CCPA. Legislative changes to the CPRA must be compatible with and serve the
initiative's goals, which include better protecting consumers' rights,
especially the constitutional right to privacy. This may have a really
favourable effect. The CPRA might act as a crucial barrier against attempts to
weaken safeguards, allowing privacy activists and users to spend more of their
limited resources on ensuring that the CCPA is implemented correctly.
Criticism of CPRA:
- Ambiguity in drafting
The ballot measure adds certain unfavourable provisions to the new privacy law
as well. For instance, the initiative's unclear wording makes it more
challenging to assess the CPRA and its potential effects. The possibility exists
that the industry, which has the resources to develop and defend anti-privacy
interpretations of the CCPA, might use the initiative in ways that harm
consumers, as they have done with the CCPA, because of the vague and conflicting
language in it.
- Excessive onus on customers
The CCPA places too much onus on users to search for and assert their privacy
rights. It, therefore, leaves a large bulk of compliance with the provisions of
this Act to the prudence of Californian citizens.
- Ambiguous universal opt-out
For consumers to exercise their right to stop the sale or sharing of their
personal information, the ballot proposal establishes a perplexing procedure.
One of CR's main immediate goals is to establish a worldwide opt-out that
businesses must abide by so that customers can take a single, easy action to
safeguard their privacy. This would save customers from having to contact every
firm individually to halt the sale of their information.
Customers who want to
properly preserve their privacy must shoulder a tremendous burden to opt out
given that there are a huge number of brokers listed on the California Attorney
General's data broker register alone, not to mention the hundreds of additional
businesses with whom consumers have dealt. Even worse, some businesses are
making it difficult for customers to opt-out by requiring them to download
additional apps or go through other hurdles.
In contrast to the CCPA regulations, the ballot proposal may thereby limit
consumer options and make it even more challenging for them to opt-out.
Consumers shouldn't have to actively choose not to have their information sold
to data brokers. This process should happen automatically. Opt-out systems
should, at the very least, be straightforward and accessible to all users, and
the ballot initiative's wording is, at best, confusing.
- Potential cap on privacy-enhancing reforms
Although the initiative sets a ceiling on weakening amendments, it contains
ambiguous language that could be used to invalidate laws that would materially
strengthen the CCPA. For instance, as was already mentioned, the proposal states
that the legislature may only pass laws that are consistent with the
initiative's stated purposes. However, not all of the initiative's goals are
obviously in favour of privacy, and some of them may be construed as being
intended to enforce a certain (and poor) kind of privacy protection.
Written By: Tejaswini Kaushal,
a student at Dr. Ram Manohar Lohiya National Law University, Lucknow.