CCPA 2.0: What's New in the Revised CPRA Proposal

A revised version of the CCPA 2.0 ballot initiative, renamed "California Privacy Rights Act" (CPRA) was filed. Key changes include:

Transparency:

  • "In the same way that Ingredient labels on foods help consumers shop more effectively, disclosure around data management practices will help consumers become more informed counterparties in the data economy, and promote competition".
  • Disclosure required for how long a business retains data or criteria to determine retention time.

Scope:

  • Employee and business-to-business communications exemptions to be extended until January 1, 2023.
  • Requirements for information used for political purposes - deleted.
  • Revised provisions re "sensitive information" and requirement to post a link for "Limit the use of my Sensitive Information" on the website.
  • Ability to opt out of the sale or sharing of their personal information and to limit the use of their sensitive personal information through an opt-out preference signal sent, with the consumer's consent, by a platform, technology, or mechanism.
  • Right of access changed back to apply to only 12 months with some exceptions with extended right of access only kicking in for information collected after 1/1/22.
  • Scope threshold regarding collecting the information of consumers, households or devices changed from 50,000 to 200,000.
  • Trade secrets should not be disclosed as part of a response to a verified consumer request.
  • Requirements to issue regulations to clarify topics including: business purpose, requirements for cybersecurity audit for particularly risky processing; access and opt out rights for automated decision making and profiling; opt out by technical preferences.
  • Enforcement for new CPRA provisions delayed to 1/1/23 and only for violations occurring after such date.

AdTech:

  • Using personal information to target individuals with ads that follow them as they browse the internet from one website to another is explicitly described as a "sale".
  • Introduces the concept of "non-personalized ads".
  • Businesses allowed to continue to provide ‘first party’ behaviorally targeted ads, including through service provider or contractor, which are limited to the consumer’s direct relationship with only that business.
  • Service providers and contractors must silo the data they learn about the consumer from assisting the business with advertising and marketing from other data they obtain about the consumer from other sources.
  • Providing advertising or marketing services is a business purpose but this does not include "Cross-Context Behavioral Advertising": newly defined term to describe ads targeted to consumers based on a profile or predictions about the consumer related to the consumer’s activity over time and across multiple businesses or distinctly-branded services, websites, or applications.
  • Introduce topic of "dark pattern" defined as a user interface designed or manipulated with the substantial effect of subverting or impairing user autonomy, decision-making, or choice, as further defined by regulation.

Service Providers:

  • Service provider or contractor not required to comply with a verifiable consumer request received directly from a consumer or a consumer's authorized agent.
  • Service providers required to downstream deletion requests to own service providers unless it requires disproportionate effort.
  • "Business Purpose" includes the service provider's or contractor's operational purposes, as defined by regulations adopted pursuant to the law.
  • More prescriptive provisions regarding what agreements with contractors should contain.

More GDPR Terms:

  • Revised purpose limitation: collect and retain only what you need to achieve the disclosed purpose or purpose compatible with it.
  • New definition of consent defined as any freely given, specific, informed and unambiguous indication of the consumer's wishes by which he or she, or his or her legal guardian, by a person who has power of attorney or is acting as a conservator for the consumer, such as by a statement or by a clear affirmative action, signifies agreement to the processing of personal information relating to him or her for a narrowly defined particular purpose. Acceptance of a general or broad terms of use or similar document that contains descriptions of personal information processing along with other, unrelated information, does not constitute consent. Hovering over, muting, pausing, or closing a given piece of content does not constitute consent. Likewise, agreement obtained through use of dark patterns does not constitute consent.
Kathleen Glass

Helping Launch Innovative Products and Services in AgTech, GovTech, IoT, AI, Privacy and CyberSecurity

4 years

Great summary, Odia! A number of significant changes. This one jumped out at me as having a big implication on how many (fewer) companies would be impacted >> Scope threshold regarding collecting the information of consumers, households or devices changed from 50,000 to 200,000.

Joanne Cooper

CEO - Founder | World Data Exchange & ID Exchange * OWI Top 100 Digital ID Influencer * Patient Centric data sharing platform * Data Intermediary * Disruptor * Multi Award Winning Technologist

4 years
Siddhesh Shirkar

Technology Audit Manager @ Protiviti India Member Firm | Information Security | Cyber Security | Vendor Management | Data Privacy & Protection | Regulatory Compliance

4 years