The California Privacy Rights Act (CPRA) seeks the attention of many organizations as they focus on their privacy compliance obligations. The current comprehensive state privacy law, the California Consumer Privacy Act (CCPA) will be replaced by the CPRA in January 2023. Remaining measures depend largely on the substance of the much-anticipated CPRA rulemaking expected from the California Privacy Protection Agency (CPPA). A scramble is expected given the CPPA was not able to finalize regulations by July 1st of this year to allow for a six-month window before the law takes effect.
This article will focus on the ‘sharing’ of data as covered by the CPRA’s draft regulations released end of May 2022, as this presents a significant change, with the scope of what data transfers qualify as ‘sharing’ being significantly greater than what is traditionally understood as ‘selling’ under the CCPA.
The draft regulations flesh out the CPRA’s requirements that seek to restrict a service provider’s control of the personal information it receives from a business – the service provider must grant the same level of protection as the business that is directly regulated by California privacy laws. For example, the CPRA requires that the service provider be contractually limited to processing personal information for the business purposes for which it received the information in the first place. The business purposes must be specifically listed beyond a mere reference to the purpose of the contract. These requirements are likely to mean businesses and service providers will need to renegotiate their agreements in addition to cooperating to implement consumer requests.
In addition to the service provider requirements, the draft regulations impose obligations on third parties. The term “third party”, although not specifically defined in the draft regulations, seems to refer to persons who are not service providers or contractors. If one business interacts with a consumer but another party is involved and “controls” the collection of personal information, then the consumer must be informed of the identity of the third party and its data collection. Examples would include an e-commerce site using a cookie analytics provider, or, an example given by the CPPA: a coffee shop allowing a business providing Wi-Fi to collect personal information (the coffee shop must inform customers of the third party data collection through a sign or some other method).
The agreements with third parties must: (i) require the third party to only use and retain the personal information for the narrow purposes for which the personal information is being sold or disclosed; (ii) require the third party to comply with the CPRA including by providing the same level of privacy protection; and (iii) allow the business to require the third party to verify its compliance with its obligations under the agreement as well as the CPRA. Finally, the third party that does not have such an agreement in place would not be permitted to retain or process the personal information it receives from a business in any way.
Failure on the part of a business to conduct due diligence of any third parties with which it shares personal information may prohibit the business from using ignorance of any misuse of the personal information as a defense in the face of a breach or violation of the CPRA or the draft regulations.
Given the California Attorney General’s Office made modifications to CCPA regulations on six occasions since their release in 2020, the slower but thorough approach being taken by the CPPA could be better for businesses so they are assured their data processing compliance work, including updating policies and procedures to meet enhanced privacy requirements, will not require multiple adjustments. Even better for the CPPA and businesses would be a formal or informal extension on the July 1, 2023 enforcement deadline. An expanded grace period would allow organizations to effectively address compliance obligations, while also allowing the agency to stand firm on privacy compliance expectations, having given businesses ample time. This is especially true for businesses that process personal information that the CPRA has declared as “sensitive”.
PRIVATECH will keep you informed of the CPPA’s announcements as the agency moves toward finalizing the CPRA regulations. For assistance with your California privacy compliance obligations, contact PRIVATECH.
Also, an absolute must for CPRA compliance is having an effective privacy management program in place. As a privacy professional, earning your CIPM designation with the International Association of Privacy Professionals sets you up for success. The CIPM training teaches a process for conceptualizing, designing, building and operating a data privacy management program. CLICK HERE for information about PRIVATECH’s CIPM preparatory course in the Fall.