California Privacy Rights Act, 2020: Rights, Obligations, Enforcement, Benefits and Criticism [PART-II]

This article seeks to elucidate the objectives, rights, and obligations of individuals and corporations under the California Privacy Rights Act, 2020 in light of its importance for Indian businesses operating in Canada.

Rights and obligations under the California Privacy Rights Act

Rights and obligations laid down by CPRA:
  1. Purpose limitation and data minimization
    Companies are only allowed to acquire, use, retain, and disclose personal information that is "reasonably required" and "proportionate" to fulfill the purpose for which it was collected.
  2. New requirements for sensitive personal information
    Companies that acquire "sensitive personal information" are now obligated to reveal how they do so, as well as provide customers with the option to limit how it is used and disclosed. Geolocation data, account login information, biometric data, genetic and medical data, the social security number or numbers from government-issued identification cards, as well as the details about race, ethnicity, religion, or sexual orientation are all examples of "sensitive personal information," but they are not the only ones.
  3. New right to correction
    Businesses must give customers the option to update erroneous personal information. This is known as the "New Right to Correction."
  4. Broader timeframe for the right to access data
    Unless doing so would be impractical or require an excessive amount of work, businesses must offer information to customers beyond the CCPA-mandated 12-month window prior to the request.
  5. Changes to the criteria for deletion
    Companies must instruct contractors and service providers to remove private information from their records when they receive credible consumer requests to do so. Businesses must also request the deletion of personal data from third parties with whom they have shared or sold such information unless doing so would be impractical or require excessive effort.
  6. New "sharing" requirements
    Companies that "share" customer information must warn customers of this policy and offer an opt-out mechanism. The term "sharing" refers to the act of giving personal data about a customer to a third party for cross-context behavioral advertising.
  7. New disclosure requirements
    Companies now have to publish the parameters that will be used to establish how long they will keep each type of gathered personal information. The additional consumer rights granted by the CPRA, such as the right to rectification, the right to object to sharing, and the right to restrict the use and disclosure of confidential personal information, must also be disclosed by businesses.
  8. Placement of downstream contractual restrictions
    Before selling, distributing, or disclosing personal information to service providers, contractors, or other parties, businesses must impose particular contractual duties on them.
  9. New security requirements and widened scope of data breach liability
    Businesses must have reasonable security methods and processes that are relevant to the form of the personal data they gather and keep. This is due to new security requirements and wider liability for data breaches. The CPRA further broadens the scope of the private right of action to include data theft using a customer's email address along with a password or security question and answer that would allow access to the customer's account.
  10. Business-to-Business (B2B) and employee personal information
    The CPRA extends consumer rights and safeguards to B2B and employee personal information, which has been mainly excluded from the CCPA.
  11. Extra requirements to be developed in rulemaking
    Following the publication of the CPRA regulations, businesses are now subject to additional obligations. Primary rulemaking power resides with the recently established California Privacy Protection Agency, and final CPRA rules have been implemented by July 1, 2022. Regulations are anticipated to cover 22 distinct topics, such as the application of artificial decision-facilitation tools, risk evaluations, and recordkeeping.

Newly introduced rights:
  1. Right to challenge and rectify inaccurate information
    People who use their right to access information may ask businesses to update any information that is inaccurately given. If the company gets a verifiable consumer request, it is then obligated to make commercially reasonable attempts to rectify such information, barring some of the exceptions laid down by the Act.
  2. Right to have personal information collected with minimum data and for limited purposes
    Businesses must use, retain, and share customer information only as far as is reasonably required and reasonable for the purposes for which it was gathered.
  3. Right to request and receive notice from companies planning to use an individual's sensitive private data as well as restrict them from doing so
    Anyone can request that businesses stop collecting, selling, or disclosing sensitive personal information. Businesses are required to provide consumers with a particular notice if they intend to collect or use any sensitive personal information. Information of this kind includes: the social security number, licence number, state ID number, passport number or any other number of a government-authorised card; login information of financial accounts, debit cards, or credit cards with the access code, password, or other credentials; precise geolocation; origin in terms of race or ethnicity, religion or philosophy, or union membership; email, text, and postal communication content; DNA information for the purpose of identifying someone; biometric data; and information gathered and processed on a person's sexual orientation or medical history.

Expanded rights:
  1. Right to information access
    The California Privacy Rights Act extends the CCPA's right to request access to personal information a company has collected about a person in the previous 12 months (Section 1798.130(B)) to all information collected, regardless of when it was collected, unless doing so is impossible or would require an unreasonable amount of work.
  2. Right to refuse information sharing with third parties
    As per Section 1798.115 of the California Privacy Rights Act, people have the option to refuse both the sale and sharing of their personal information with third parties. The CCPA raised this issue since sharing is not expressly included in the definition of sale.
  3. Legal right to sue companies that reveal usernames and passwords
    When a company exposes a customer's personal information due to a data breach brought on by a failure to take adequate security precautions, the CCPA provides customers with the power to sue the company directly. This is broadened by the California Privacy Rights Act to encompass data breaches if the exposed personal information includes a login and password.

Creation of a new agency under CPRA

The California Privacy Protection Agency, a new specialised privacy agency, is established by this new statute under Section 1798.199.10 to manage enforcement. A five-person board that includes the Governor, the Attorney General, the Senate Rules Committee, and the Speaker of the Assembly is in charge of running it.

The Governor also has the power to choose the chair and one other member. The individuals chosen for these positions must be knowledgeable about consumer rights, technology, and privacy, subject to certain restrictions that help ensure that the members remain unbiased and free from external influence.

Board members are only permitted to hold office for a maximum of eight years in a row and are subject to termination at any moment by the person who appointed them. Additionally, they are prohibited from working for any person or company that is presently under investigation or was the target of enforcement action within the five years before the board member's appointment and for two years after leaving the agency.

This organisation, which is run by an executive director chosen by the board, gets a portion of its funding from enforcement actions, with any administrative penalties levied or settlement money going straight to the Consumer Privacy Fund. Additionally, it gets $10,000,000 yearly, an amount that gets revised on an annual basis by the General Fund.

Timeline for CPRA compliance:
  • January 2021: The California Privacy Rights Act (CPRA) is established as law and the California Privacy Protection Agency (CPPA) is established. The Act provided that the new agency was to be funded and set up within 90 days of the act's effective date, i.e. five days after the Secretary of State officially files the election results.
  • July 2021: Process for formulating and adopting CPRA regulations began.
  • January 2022: From January 1, 2022, personal data collection became subject to the CPRA's one-year lookback time frame.
  • July 2022: The deadline for final CPRA regulations for adoption by the CPPA was July 1, 2022.
  • January 2023: The California Attorney General's office continues to enforce the CCPA until January 2023. People were not able to file lawsuits for the disclosure of usernames and passwords until January 1, 2023, although they were still able to sue during this time if firms revealed their customers' personal information in a data breach.
  • July 2023: The enforcement of the CPRA begins under the CCPA.

Enforcement and penalties under the California Privacy Rights Act

The California Privacy Protection Agency is a new state agency that receives all regulation and enforcement power under the California Privacy Rights Act from the California attorney general. The agency started using its rulemaking jurisdiction as early as July 1, 2021, which was six months after giving notice to the California attorney general that rulemaking would begin. The final regulations, consisting of 22 distinct types of rules and many subparts, were to be implemented by July 1, 2022.

The CPRA increases fines for offences involving kids under the age of 16 and strengthens enforcement by eliminating the CCPA's current mandated 30-day window for enterprises. Additionally, the legislation broadens the categories of data breaches that are covered by the data breach private right of action to incorporate data breaches involving a username, email address, and a password or security question and answer that would allow access to a digital account.

Beginning on July 1, 2023, and only with regard to infractions that take place on or after that date, the CPRA may be put into effect. Businesses must maintain flexibility in order to adapt their compliance practices in light of continuing regulatory action.

Privacy rights for information of minors

Penalties for data breaches involving children
For infractions concerning the personal information of children and minors, the California Privacy Rights Act imposes harsher administrative and civil sanctions under Section 1798.155. While the California Privacy Protection Agency or the Attorney General may pursue fines of up to $2,500 for each infraction or $7,500 for each deliberate infraction of the Act, they may also seek fines of up to $7,500 for any infraction of the Act involving a consumer under the age of 16. The amount of statutory penalties that a consumer may demand in a civil action involving a breach of a minor's privacy rights under the Act has not increased in line with this.

New obligations regarding educational information for students
The California Privacy Rights Act makes it clear that a business is not required to comply with a customer's request to erase a student's grades, test results, or educational scores that the firm maintains on behalf of an educational institution. Additionally, a company is not compelled to give customers access to standardised educational exams if doing so could compromise their validity and dependability.

This explanation helps to allay some of the worries expressed about how students could abuse their access to exam materials to alter their grades or acquire an unfair edge over their peers. However, the CCPA and CPRA do not apply to the degree that such scores, academic results, or evaluations are regarded as a part of a student's academic record under the Family Educational Rights and Privacy Act (FERPA).

Benefits of CPRA Compliance

By eliminating gaps in targeted advertising regulation, bolstering enforcement, and preventing the legislature from weakening the legislation, the CPRA might help consumers in the short run. Its long-term effects on privacy, however, are less certain. The ballot measure adds new difficulties and ambiguities that businesses may potentially take advantage of.

Even worse, there's a chance that the CPRA may put a cap on reform and thwart fresh initiatives to create a stronger privacy paradigm. Additionally, it passes up chances to significantly enhance the California Consumer Privacy Act and guarantee privacy by default for everyone, not just those who can pay for it.
  1. Closing the gaps in targeted advertising
    Since the CCPA's definition of "sale" and the service provider exemption have been exploited to get around the opt-out, the ballot initiative would benefit consumers by providing them more control over the data exchanged to offer tailored advertising. Another issue is the service provider exemption in the current CCPA, which has been construed by some to mean that hundreds of unidentified organisations may be regarded as "service providers" by a publisher for delivering targeted advertisements. With enhanced controls on information sharing, including information provided for cross-context targeted advertising, the CPRA helps to solve this. Cross-context targeted advertising is no longer covered by the service provider exemption since it is made clear that it is not a legitimate business objective.

  2. More stringent enforcement
    Companies often disregard rules that aren't effectively enforced, so the CPRA may really help if enforcement were to be significantly strengthened. The CCPA's enforcement measures are considered too lax, and the Office of the Attorney General of California has said that it only has the funds necessary to pursue a small number of privacy complaints annually. The "right to cure" phrase in the Attorney General's enforcement section would be removed by the CPRA, which would solve one of the greatest issues with the current CCPA.

    This clause is a free pass that would weaken the Attorney General's already limited enforcement powers. The right to cure is particularly incorrect under privacy law because it is unclear how the corporation might correct the infringement once data has been disclosed inappropriately. The CCPA would also be implemented and enforced by a new body that would be solely responsible for doing so, which might give the proposal some power and authority.
  3. Motion to avoid tabling weakened amendments
    If voters accept the CPRA, the industry shouldn't be able to further undermine the CCPA. Legislative changes to the CPRA must be compatible with and serve the initiative's goals, which include better protecting consumers' rights, especially the constitutional right to privacy. This may have a really favourable effect. The CPRA might act as a crucial barrier against attempts to weaken safeguards, allowing privacy activists and users to spend more of their limited resources on ensuring that the CCPA is implemented correctly.

Criticism of CPRA:

  1. Ambiguity in drafting
    The ballot measure adds certain unfavourable provisions to the new privacy law as well. For instance, the initiative's unclear wording makes it more challenging to assess the CPRA and its potential effects. The possibility exists that the industry, which has the resources to develop and defend anti-privacy interpretations of the CCPA, might use the initiative in ways that harm consumers, as they have done with the CCPA, because of the vague and conflicting language in it.
  2. Excessive onus on customers
    The CCPA places too much onus on users to search for and assert their privacy rights. It, therefore, leaves a large bulk of compliance with the provisions of this Act to the prudence of Californian citizens.
  3. Ambiguous universal opt-out
    For consumers to exercise their right to stop the sale or sharing of their personal information, the ballot proposal establishes a perplexing procedure. One of CR's main immediate goals is to establish a worldwide opt-out that businesses must abide by so that customers can take a single, easy action to safeguard their privacy. This would save customers from having to contact every firm individually to halt the sale of their information.

    Customers who want to properly preserve their privacy must shoulder a tremendous burden to opt out given that there are a huge number of brokers listed on the California Attorney General's data broker register alone, not to mention the hundreds of additional businesses with whom consumers have dealt. Even worse, some businesses are making it difficult for customers to opt-out by requiring them to download additional apps or go through other hurdles.

    In contrast to the CCPA regulations, the ballot proposal may thereby limit consumer options and make it even more challenging for them to opt-out. Consumers shouldn't have to actively choose not to have their information sold to data brokers. This process should happen automatically. Opt-out systems should, at the very least, be straightforward and accessible to all users, and the ballot initiative's wording is, at best, confusing.
  4. Potential cap on privacy-enhancing reforms
    Although the initiative sets a ceiling on weakening amendments, it contains ambiguous language that could be used to invalidate laws that would materially strengthen the CCPA. For instance, as was already mentioned, the proposal states that the legislature may only pass laws that are consistent with the initiative's stated purposes. However, not all of the initiative's goals are obviously in favour of privacy, and some of them may be construed as being intended to enforce a certain (and poor) kind of privacy protection.


Written By: Tejaswini Kaushal,
a student at Dr. Ram Manohar Lohiya National Law University, Lucknow.
