In the November 2020 election, California voters approved the California Privacy Rights Act of 2020 (“CPRA”) amending the California Consumer Privacy Act of 2018 (“CCPA”). Businesses are expected to comply with the CPRA by January 1, 2022. Together, the CCPA and CPRA set out standards that California businesses must follow in gathering and maintaining personal information about consumers. This Article provides an overview of those laws, summarizes the key updates that the CPRA made to the CCPA, and provides a checklist of items to help senior care providers comply with both laws.
The CCPA became effective January 1, 2020. It applies to any for-profit business that does business in California and that meets any one of the following requirements:
- Has annual gross revenues that exceed $25 million;
- Collects, buys, receives, sells, or shares the personal information of 50,000 or more consumers, households, or devices each year; or
- Derives 50% or more of its annual revenues from selling personal information.
Senior care providers are most likely to fall under the first category. The CCPA does not generally apply to nonprofit businesses. However, a nonprofit business is required to comply with the CCPA if it controls or is controlled by a business subject to the CCPA and shares common branding with it. The CCPA grants consumers the following rights:
- Right to know what personal information the business collects;
- Right to delete personal information;
- Right to opt out of the sale of personal information; and
- Right to non-discrimination for exercising any CCPA rights.
The CPRA builds upon the CCPA by adding obligations for businesses and expanding the rights of consumers. The California Attorney General is in the process of drafting regulations that will interpret and clarify the CCPA. The date for enforcement of the law is January 1, 2023. However, beginning on that date, the Attorney General will measure a business's compliance with the law since January 1, 2022. Accordingly, businesses need to take the January 1, 2022 date seriously and use the time before then to prepare for all of the changes required by the CPRA. Those changes are as follows:
- Modifies some applicability thresholds.
  - The CPRA retains its annual gross revenue threshold of $25 million, which is what brings most for-profit senior care providers within its scope.
  - The CPRA has modified the threshold for businesses that collect, buy, receive, sell, or share the personal information of 50,000 or more consumers, households, or devices each year. Now, a business must comply only if it collects personal information of 100,000 or more consumers or households each year. Thus, the CPRA removes devices from the mix and doubles the number of consumers or households whose information must be collected for it to apply.
  - The CPRA also retains the threshold for businesses that derive 50% or more of their annual gross revenue from selling personal information.
- Expands consumer rights. The CPRA establishes new rights for consumers above and beyond those in the CCPA:
  - Right to correct personal information.
  - Right to limit sharing of personal information. The CCPA placed limits on a business's internal use of personal information, but did not explicitly limit disclosure to outside parties for commercial or business purposes, except where the business was selling the information. The CPRA extends this right to any outside disclosure (which the CPRA terms "sharing"), regardless of whether the business receives compensation from the recipient.
  - Right to opt out of the sharing (as well as the selling) of personal information.
  - Right to see all personal information, no matter when acquired. The CCPA restricted this right to personal information from the last twelve months.
- Provides special protections for sensitive personal information.
  - The CPRA provides special protections for a new subset of personal information called “sensitive personal information” (SPI).
  - SPI consists of personal information that reveals a consumer’s:
    - Social security, driver’s license, state identification card, or passport number
    - Account log-in, financial account, debit card, or credit card number in combination with any required security or access code, password, or credentials allowing access to an account
    - Precise geolocation
    - Racial or ethnic origin, religious or philosophical beliefs, or union membership
    - Contents of a consumer's mail, email, and text messages, unless the business is the intended recipient of the communication
    - Genetic data
    - Information regarding the processing of biometric information for the purpose of uniquely identifying a consumer
    - Information regarding the processing of personal information collected and analyzed concerning a consumer's health
    - Information regarding the processing of personal information collected and analyzed concerning a consumer's sex life or sexual orientation
  - The CPRA provides additional limitations on the use and disclosure of SPI, above and beyond the limitations applicable to all personal information.
  - The CPRA requires businesses to update their websites with a link to “Limit the Use of My Sensitive Personal Information.” The link must explain the SPI to be collected, the purposes for collecting it, whether the SPI is shared or sold, and the limitations on its use and disclosure.
  - The CPRA requires businesses to update their websites to include a link titled “Do Not Sell or Share My Personal Information” to an internet web page that enables the consumer to opt out of the sale or sharing of the consumer’s SPI.
  - Resident records containing SPI that are not subject to HIPAA or the California Confidentiality of Medical Information Act (CMIA) will need to comply with the CPRA, including observing all of the rights that residents have as consumers under that law. This is of critical importance for senior care providers that are not subject to HIPAA or CMIA.
- Requires businesses to inform consumers about the length of time the business intends to retain personal information.
  - Businesses are prohibited from retaining the information beyond the published length of time.
- Establishes the California Privacy Protection Agency (CPPA) to enforce the CCPA and the CPRA.
  - The CPPA is the first agency in the United States dedicated exclusively to privacy enforcement.
  - The CPPA is tasked with implementing and enforcing the CPRA and is allowed to issue fines of up to $2,500 per violation and/or fines of up to $7,500 for intentional violations or violations involving minors.
- Continues to exempt employee data from the CCPA and the CPRA until January 1, 2023.
- Clarifies the privacy obligations of contractors, service providers, and third parties.
  - Contractors are prohibited from sharing or selling personal information to which they have access in the performance of their duties, and from processing such information, for any purposes other than those specified in the contract.
  - Contractors must allow the business to monitor the contractor’s compliance with the CCPA and the CPRA.
  - Contractors, service providers, and third parties are required to comply with the CCPA and CPRA and have the same privacy obligations as the business, including the new CPRA rights (correcting personal information, limiting the use of personal information, etc.).
On July 1, 2020, the California Office of the Attorney General began sending notices of alleged noncompliance to businesses to correct their CCPA practices. A list of enforcement examples is available at https://oag.ca.gov/privacy/ccpa/enforcement. Below is a summary of common compliance issues:
- Businesses were not providing timely responses to CCPA requests to know and delete personal information.
CCPA/CPRA Compliance Checklist
- Update your website to include a “Limit the Use of My Sensitive Personal Information” link and establish internal procedures to respond to such requests.
- Revise your Policies and Procedures to comply with the new CPRA requirements.
- Review your agreements with contractors, service providers, and third parties and ensure that the contracts include the appropriate CCPA and CPRA compliance obligations.