Frequently Asked Questions

Quick Answer

The November 2020 California general election brought major changes to the State’s privacy regime that will require substantial compliance efforts by covered businesses over the next 12-24 months. The new CPRA was approved by voters in the November general election and officially became law on December 16, 2020, five days after election results were certified. The CPRA substantially amends and amplifies the requirements of the CCPA, bringing California privacy law closer, in many respects, to Europe’s GDPR. The main provisions of the CCPA will continue in full force and effect. However, until the CPRA becomes fully operative on January 1, 2023, and there are rolling series of implementation dates between now and then that will impact the compliance efforts of CPRA-covered businesses. 

Deeper Dive

The CPRA is an amended and amplified version of the CCPA – in fact, some have referred to it colloquially as “CCPA 2.0”. The CPRA slightly raises the threshold for determining what is a covered “business”. This means that until January 1, 2023, a company doing business in California is covered by the existing requirements of the CCPA where it (1) has $25M in annual gross revenues, or (2) collects for a commercial purpose the personal  information of 50,000  or more California consumers, households or devices, or (3) derives from 50% or more of its revenues from selling personal information.

As of January 1, 2023, the “original” version of the CCPA goes away, and businesses will only be covered by the surviving CPRA to the extent they (1) had $25M in annual gross revenues as of January 1 in the preceding calendar year, or (2) buy, sell or share the personal  information of 100,000 California consumers or households, or (3) derives from 50% or more of its revenues from selling or sharing personal information. In light of this revised test, most companies that triggered the coverage threshold based on annual revenues likely will continue to be covered, but many businesses that were covered by the CCPA merely because they collected the personal information of 50,000 devices (a threshold not difficult to trip for many online businesses), for example, will now fall outside the scope of the CPRA.

The CPRA also provides for the creation of the California Privacy Protection Agency (Agency), further detailed below, to be responsible for enforcement of California’s consumer data privacy laws, shifting this responsibility from the California Attorney General as of July 1, 2021. The Agency will have a five-member board, with the Chair and an additional seat appointed by the Governor and the Attorney General, Senate Rules Committee, and Speaker of the Assembly each appointing one seat.

In addition to changing who is covered by the law, some of the CPRA’s most noteworthy changes include:

• Sunsetting the CCPA’s exception for employee personal information and B2B personal information on January 1, 2023 – this means that California employers and traditional B2B businesses that are “covered businesses” under the CPRA will need to take substantial steps between now and January 1, 2023, to roll out a CPRA compliance program in respect of their HR-related and B2B-related personal information.

• Introducing an explicit, overarching purpose limitation obligation, in which collection and use of personal information must be bounded by principles of necessity, proportionality, and compatibility.In particular, a business’ collection, use, retention, and sharing of a personal information must be:

  • Reasonably necessary and proportionate to achieve the purposes for which the personal information was collected or processed, or for another disclosed purpose that is compatible with the context of the collection; and
  • Not further processed in a manner incompatible with those purposes.

• Establishing several new consumer rights like the right to correction, creating a new category “sensitive personal information” more in line with the GDPR’s definition and substantially increasing compliance requirements in respect of this kind of information. The definition of sensitive personal information, includes:

  • Personal information that reveals a consumer’s SSN, driver’s license number, or passport number, account credentials, precise geolocation, racial or ethnic origin, religious beliefs, biometric data, personal information concerning a consumer’s health or sex life or sexual orientation, as well as contents of a consumer’s mail, email and text messages.
• Streamlining and eliminating potentially overly broad exceptions available for the CCPA’s existing right to delete.
• Adding a new consumer right to correct inaccurate personal information.
• Expanding the “Do Not Sell” opt-out requirement to mere “sharing” of personal information for purposes of cross-context (or third party) advertising
• Requiring businesses to affirmatively respect a consumer’s opt-out preference signal – see 1798.135I.
• Implementing a new set of vendor flowdown requirements that will require covered businesses to revisit contracts they likely already revised for the CCPA.

• Adding an independent and explicit duty for businesses handling consumers’ personal information to implement reasonable security procedures and practices:

  • “A business that collects a consumer’s personal information shall implement reasonable security procedures and practices appropriate to the nature of the personal information to protect the personal Information from unauthorized or illegal access, destruction, use, modification, or disclosure[.]”

• Requiring enactment of regulations to direct businesses that process personal information in a manner that presents “significant risk” to consumers’ privacy or security to:

  • Perform annual (“thorough”and “independent”) cybersecurity audits; and
  • Submit to the newly formed Agency on a regular basis a risk assessment with respect to their processing of personal information, including identifying and weighing the business benefits of processing the information against the potential risks to consumer rights. Factors to consider in determining whether processing is “significant risk” includes size and complexity of the business and the nature and scope of the processing activities.

Much like the CCPA, key details of the CPRA will be further fleshed out by regulations, including right of correction rules, technical requirements for opt-outs, and data use agreements for service providers and the newly defined “contractor” entities. The CPRA imposes July 1, 2022, as the deadline for adopting final regulations, so the new Agency will have its work cut out for it in the next 18 months to allow time for comment, revision and adoption. 

For a list of immediate action items that companies doing business in California can do now, see our latest update: Top 10 Action Items for 2021: The California Privacy Rights Act (CPRA).

Refer to Cal. Civ. Code § 1798.140

Quick Answer

The CPRA modifies the scope of the CCPA by changing the definition of a covered “business”. The CPRA applies to “businesses,” so the types of entities that fall under the definition determine the scope and applicability of the law. The CPRA modifies the two existing categories of businesses described in the CCPA and adds two new categories to capture new types of businesses. The four categories are summarized below.

Deeper Dive

Directors of Processing

The first category is entities that direct the processing of personal information of California residents. To qualify as a business, an organization must:

• Be a legal entity organized or operated for the profit or financial benefit of its shareholders.
• Collect consumers’ personal information or have such information collected on its behalf.
• Alone, or jointly with others, determine the purposes and means of the processing of consumers’ personal information.
• Do business in the state of California.

• Meet one or more of the following criteria:

  • As of January 1, of the calendar year, have annual gross revenues more than $25,000,000 in the preceding calendar year.
  • Alone or in combination, annually buy or sell, or share the personal information of, 100,000 or more consumers or households.
  • Derive 50 percent or more of its annual revenues from selling or sharing consumers’ personal information.

The CPRA made notable changes to these three qualifying threshold statistics:

• The CPRA clarifies that revenue threshold of $25,000,000 should be calculated as of January 1 in relation to the revenue generated by the potential business in the preceding calendar year.
• The CPRA limits the threshold providing for a minimum number of consumer records by increasing the threshold from 50,000 to 100,000 and by removing from the scope of the threshold calculation of any personal information that the potential business had received for the business’ commercial purposes that had not otherwise been bought, sold or shared, and information about devices that are not identifiable to consumers or households.
• The CPRA clarifies that the 50 percent revenue generation threshold should include the sharing of consumers’ personal information for cross-context behavioral advertising.

---

Common Branding

The second modified category of businesses are entities that control or are controlled by a business that directs the processing of personal information of California residents (i.e., the first category). To qualify under this category, the potential business must share common branding with the covered business and receive personal information from the covered business for cross-context behavioral advertising purposes. This latter requirement—sharing personal information with the potential business—is a new arrival under the CPRA. Two notable points:

• Unidirectional sharing trigger. This category of business is only triggered if the covered business shares PI with the entity/potential business, not the other way around.
• Sharing is a defined term. The CPRA section uses the term “shares,” which is defined under the law to mean sharing for cross-context behavioral advertising purposes. Sharing for purposes other than cross-context behavioral advertising would not result in an entity’s classification as a business.

Moreover, the CPRA also adds to the definition of “common branding,” a requirement that the shared name, servicemark or trademark must be such that “the average consumer would understand that two or more entities are commonly owned.” The addition contemplates an element of consumer understanding about the branding that must be evaluated when considering whether applicable entities qualify as “businesses” under this section. The exact test for consumer understanding is not defined in the law and may be set out in forthcoming implementing regulations.

---

Joint Ventures

The first new category of businesses under the CPRA relate to joint ventures and partnerships in which independent businesses have at least a 40% interest. Under the new interpretation, the joint venture or partnership and each business that composes the entity are separately considered independent businesses. The definition here includes a hidden rule: personal information in the possession of each business that is disclosed to the joint venture or partnership shall not be shared with the other business. The ramifications of violating this rule may be that the joint venture or partnership and the composite businesses will be considered a single business for the purposes of CPRA compliance. However, this interpretation may be clarified in still-to-come regulations from the new California Privacy Protection Agency (further detailed below).

---

Certified Businesses

Finally, the second new category of businesses under the CPRA is an individual or an entity that does business in California and voluntarily certifies to the Agency that it is in compliance with, and agrees to be bound by, the CPRA.

Refer to Cal. Civ. Code § 1798

Quick Answer

The CPRA creates a broad new category of personal information – “sensitive personal information” and provides consumers with a new right to limit the use and disclosure of their sensitive personal information. Separately, businesses will be required to include distinct disclosures on their sensitive personal information collection and use practices.

Deeper Dive

“Sensitive personal information” is defined as “personal information that reveals:

• A consumer’s social security, driver’s license, state identification card, or passport number.
• A consumer’s account log-in, financial account, debit card or credit card number combined with any required security or access code, password or credentials allowing access to an account.
• A consumer’s precise geolocation.
• A consumer’s racial or ethnic origin, religious or philosophical beliefs or union membership.
• The contents of a consumer’s physical mail, email and text messages, unless the business is the intended recipient of the communication.

• A consumer’s genetic data.

  • Biometric information processed for the purpose of uniquely identifying a consumer.
  • Personal information collected and analyzed concerning a consumer’s health.
  • Personal information collected and analyzed concerning a consumer’s sex life or sexual orientation.

The CPRA also provides that the regulations will update or add categories of sensitive personal information to those enumerated above to “address changes in technology, data collection practices, obstacles to implementation, and privacy concerns.”

---

Additional Obligations

The CPRA also expands a business’ obligation to provide notice to consumers “at or before the point of collection” to include separate disclosures for “sensitive personal information” collected, its purpose for collection and use, and whether such information is sold or shared. Businesses are not permitted to collect additional categories of sensitive personal information or use sensitive personal information collected for additional purposes that are “incompatible” with the disclosed purpose for which the sensitive personal information was collected without first providing the consumer(s) with notice. These additional obligations will require updates to existing data maps and to consumer privacy notices. 

The CPRA also provides consumers a new right to direct a business to limit its use of the consumer’s sensitive personal information to use that which is necessary to perform the services or provide the goods reasonably expected by the consumer. If the business uses or discloses sensitive personal information for other purposes, the business must notify the consumer(s) and provide them the right to limit its use and/or disclosure.

The business is required to create a “Limit the Use of My Sensitive Personal Information” link on its online services or a combined sensitive personal information, sale and sharing opt-out link.  Alternatively, the business can respect automated opt-out preference signals.

Notably, the CPRA requires businesses to pass these obligations down to service providers and contractors via contract. Service providers and contractors are also required to comply with these obligations after receiving instructions from the business.

For any consumer that exercises their right to limit the use and disclosure of their sensitive personal information, the business must wait at least 12 months before requesting that the consumer authorize the use and disclosure of the consumer’s sensitive personal information for additional purposes (or as authorized by the regulations).

These heightened restrictions and opt-out options for sensitive personal information increase the complexity and burden of compliance for businesses, particularly when considering how to present both a “Do Not Sell/Share” option and a “Limit My Sensitive Personal Information” option. From a practical perspective, businesses should start thinking about consumer notices that will have to be updated and creating (or amending) a privacy addendum to ensure these new obligations are passed down to service providers and contractors.

Refer to Cal. Civ. Code § 1798.100

Quick Answer

The CCPA requires a covered business to provide notice of the categories of personal information to be collected and the purposes for which the information will be used “at or before the point of collection” to consumers. The CPRA expands on this requirement to also require notice of (1) whether the information will be sold or shared; (2) length of data retention, and (3) additional disclosures about collection and use of “sensitive personal information.”

Deeper Dive

The CPRA broadens the obligation of a covered business to provide notice “at or before the point of collection” to consumers under Cal. Civ. Code § 1798.100. As set forth below, the CPRA retains the CCPA-required notices and introduces additional retention and purpose limitation disclosures borrowed from Europe’s GDPR. 

Content of Notice

Like the CCPA, the CPRA requires notice at collection to include “the categories of personal information to be collected and the purposes for which the categories of personal information shall be used”. However, the CPRA also requires covered businesses to include the following disclosures:

• Whether the individual’s personal information is sold or shared.
• The length of time the business intends to retain each category of personal information or the criteria it will use to determine how long it will retain such information.
• If “sensitive personal information” is collected, a separate disclosure identifying the categories of sensitive information collected, the use purpose, and whether such information is sold or shared.

---

Data Retention and Destruction

Embedded in this notice requirement is a new obligation that prohibits a business from retaining a consumer’s personal information or sensitive personal information for longer than is reasonably necessary for the purpose for which the data was collected. While this concept is not new to United States privacy jurisprudence, the CPRA codifies the obligation for businesses to establish clear data destruction policies and to discontinue the practice of retaining data indefinitely.

---

Notice by Third Party Data Collectors

The CPRA contains a provision that suggests that a business that is acting as a third party and controls the collection of personal information also has a duty to provide notice to the consumer. Presumably, this provision could apply to third party operators whose services are embedded into a website or mobile app (such as an analytics or advertising partner who collects personal information through an API, SDK, web overlay or web pixel) or providers of bundled services. The CPRA specifies that a business collecting information as a third party may satisfy the notice requirement by providing the required information “clearly and conspicuously” on its own website. However, if the business acting as a third party collects personal information about a consumer on its premises, including in a vehicle, the business must provide notice at such location. This term could be read to clarify that multiple notices may need to be provided to the consumer, depending on the number of businesses controlling the collection of personal information directly from the consumer through a website, mobile app, physical location, product or service.

---

Potential Impact to Businesses

The most significant impact of these new notice obligations is the procedural and administrative obligations on the business that occur behind the scenes. The CPRA’s obligation to disclose the retention periods or retention criteria in its notice shall force businesses to carefully analyze the information they collect and store across the business, determine data retention periods or criteria for retention periods for each category of information, and delete information according to a set schedule or criteria. 

The CPRA disclosure requirements suggest a business could potentially be required to provide extensive, detailed notices (including notices from other third party data collectors) at the point of collection, introducing a high degree of friction into the user onboarding flow and taking up valuable website/app real estate. Let’s take the CCPA experience as our guide. It is quite likely that the regulations implementing the CPRA will provide more detailed and practical guidance to businesses regarding the location, content and form that will be required for businesses to present consumer notices.

Refer to Cal. Civ. Code § 1798.100

Quick Answer

Codifying a concept found in the Fair Information Practice Principles and the GDPR, the CPRA requires imposes an overarching purpose limitation principle, requiring a business to collect, use, retain and share a consumer’s personal information only as “reasonably necessary and proportionate to achieve the purposes for which the personal information was collected or processed, or for another disclosed purpose that is compatible with the context in which the personal information was collected.”

Deeper Dive

The CPRA adopts an explicit, overarching purpose limitation obligation on covered businesses. With its amendment to the CCPA, the CPRA requires that a business’ collection, use, retention, and sharing of a consumer’s personal information be “reasonably necessary and proportionate to achieve the purposes for which the personal information was collected or processed, or for another disclosed purpose that is compatible with the context in which the personal information was collected, and not further processed in a manner that is incompatible with those purposes.” If the business intends to use personal information for an additional purpose that is not compatible with the disclosed purpose, the business must first provide a new notice to consumers.

While the CCPA and implementing regulations currently require covered businesses to provide additional notice to consumers before collecting or using their previously-collected personal information for materially different purposes, the CPRA’s purpose limitation obligation goes further in requiring a business to consider the justification for its data collection and use practices in the first instance. This provision codifies a key concept found in the Fair Information Practice Principles and the GDPR that many companies already endeavor to implement regardless of legal obligation.

However, over-collection of data is commonplace across industries and businesses of all sizes. Some companies, particularly those who have not gone through a GDPR compliance exercise, may struggle to wean themselves from the habit of over-inclusive data collection practices to ensure that data collection is reasonable and proportionate for the company’s intended business purpose. Moreover, because the CPRA requires businesses to provide notice of the purpose of the data processing at the point of collection, a covered business may need to be much more thoughtful when crafting such disclosures, leaving some flexibility to enable the business to use data for its current purposes but also those purposes that are reasonably anticipated in the near future. Last, a covered business may also benefit from developing internal guidelines for permissible data processing and creating guardrails to restrict its business teams from using personal information for new or secondary purposes in the future, which may exceed the scope of the processing that was disclosed to the consumer at the time the data was collected.

Quick Answer

The CPRA provides unprecedented rights for California consumers by expanding several consumer rights established by the CCPA as well as adding new consumer rights and protections. The CPRA provides for the following consumer rights:

• The right to delete personal information
• NEW - The right to correct inaccurate information
• The right to know categories and specific pieces of personal information
• The right to opt-out of the sale or sharing of personal information
• NEW - The right to limit the use and disclosure of sensitive personal information
• The right of non-retaliation
• NEW - The right to opt-out of automated decision-making technology

---

Deeper Dive

The Right to Delete Personal Information

Refer to Cal. Civ. Code § 1798.105, § 1798.145

The CCPA provides consumers a right to request a business delete the information the business collected from the consumer. Upon receipt of a verifiable consumer request, the business must delete the consumer’s information (subject to certain exceptions) and notify its service providers to delete the consumer’s information. Under the CPRA, the business must notify its service providers and contractors and also notify any third parties to whom the business has sold or shared (for cross-contextual advertising purposes) the consumer’s personal information, unless this “proves impossible or involves disproportionate effort.” Additionally, each service provider must also notify its own downstream service providers to delete the consumer’s information.

The CPRA provides several new exceptions or clarifications to the deletion requirement. The business is not required to delete:

• Household data, defined as data relating to a group of consumers who cohabitate at the same residential address and share common devices or services.
• Personal information about the consumer that belongs to, or that the business maintains on behalf of, another natural person,
• Personal information that applies to a student’s grades, test scores, or educational test results that the business holds on behalf of a local education entity.
• A particular piece of information if the consumer has consented to the business’s use of that information to produce a physical item (such as a yearbook) if the business has incurred significant expense and compliance with the deletion request would not be commercially reasonable.
• Who bought or received the consumer’s personal information, subject to certain exceptions, of the consumer's request. Furthermore, service providers and contractors also must pass the deletion request downstream in certain circumstances. Under the CCPA and the accompanying regulations, a business is not required to notify any third party or service provider of the deletion request.

---

The Right to Correct Inaccurate Personal Information

Refer to Cal. Civ. Code Sections 1798.106, 1798.185

The CPRA introduces a new right for a consumer to request that a business correct inaccurate personal information maintained by the business. This right to correct information must be disclosed to consumers in the privacy notice, similar to the rights introduced by the CCPA. Once a business receives a verified request to correct inaccurate personal information, the business must use “commercially reasonable efforts” to correct said personal information as directed by the consumer and the adopted regulations. The CPRA calls on the California Attorney General to promulgate regulations governing how a business should respond to such a request, including exceptions for requests for which the response would be impossible or involve disproportionate effects, and how concerns over the accuracy of personal information should be resolved.

---

The Right to Know Categories and Specific Pieces of Personal Information

Refer to Cal. Civ. Code Sections 1798.110, 1798.115 and 1798.130

Under the CCPA, a consumer may request that a business tell the customer about its collection and treatment of its personal information, including what categories of personal information the business collected about the person in the past twelve (12) months and the categories of sources from whom it was collected; the business or commercial purpose for collecting or selling the personal information; the categories of personal information that were sold and for each such category, the categories of third parties to whom it was sold; and the categories of personal information that were disclosed for a business purpose. The CPRA modifies and/or expands these rights by:

• Requires the business to also provide information about the categories of personal information shared with third parties, where “shared” is defined as providing personal information to a third party for cross-contextual behavioral advertising.
• Removing the 12-month look-back limitation by requiring a business to provide more than 12 months of information, so long as such a disclosure would not be "impossible" or "involve a disproportionate effort," though this requirement would not apply to any data collected by the business prior to January 1, 2022.
• Clarifies that the right to knowledge requests encompass personal data collected by the business directly or indirectly, including through or by a service provider or contractor. The CPRA also emphasizes the obligation for service providers or contractors to aid the business with respect to the business’s response to a verifiable consumer request.
• Clarifies the obligation that the business provide specific pieces of personal information in a structured, commonly used, machine-readable format “which also may be transmitted to another entity at the consumer’s request without hindrance” to the extent it is technically feasible.
• Additional guidance on these revised obligations is expected from the California Attorney General.

---

The Right to Opt-Out of Sale or Sharing of Personal Information

Refer to Cal. Civ. Code Sections 1798.120

The CPRA expands on the existing opt-out right to include both the sale and "sharing" of personal information. "Sharing" is defined by the CPRA as the transfer or making available of a "consumer's personal information by the business to a third party for cross-context behavioral advertising, whether or not for monetary or other valuable consideration." The business shall not sell or share personal information of a consumer under the age of 16 unless the consumer (for consumers at least 13 years old) or the consumer’s parent (for consumers who are less than 13 years old) have affirmatively authorized the sale or sharing. Accordingly, the link posted on a business’s homepage shall now be titled “Do Not Sell or Share My Personal Information.”

---

The Right to Limit Use and Disclosure of Sensitive Personal Information

Refer to Cal. Civ. Code Sections 1798.121

New under the CPRA is the definition of “sensitive personal information,” which includes nearly two dozen data elements, including racial origin, religious beliefs, sexual orientation, the contents of a consumer’s mail, email and text messages, health information, and precise geolocation. California consumers will now have the right to direct a business to limit its use of "sensitive personal information" to that "which is necessary to perform the services or provide the goods reasonably expected by an average consumer who requests such goods or services," or for the performance of specific enumerated business purposes. The CPRA will require a second link on the website homepage titled “Limit the Use of My Sensitive Personal Information.” In some circumstances, a business may provide a single homepage link that combines this link with the Do Not Sell or Share My Personal Information link to allow consumers to make one or both of these selections. The CPRA also contemplates the creation of an “opt-out preference signal” sent by the consumer’s request indicating the consumer’s intent to opt-out of the sale or sharing of the consumer’s personal information or to limit the use and disclosure of sensitive personal information, or both, though leaves the details to be presented in the Attorney General Regulations.

---

The Right of No Retaliation (formerly, Nondiscrimination)

Refer to Cal. Civ. Code Sections 1798.125

A business cannot discriminate against a consumer because the consumer exercised any of the consumer’s California rights, unless the price or service difference is reasonably related to the value provided to the business by the consumer’s data. The CPRA expands these protections to prohibit retaliation against employees, applicants for employment, or independent contractors for exercising rights guaranteed under the act. The CPRA also clarifies that existing consumer rights to non-discrimination do not prohibit the business from offering loyalty, rewards, premium features, discounts, or club card programs.

---

Right to Access Information About, and Opt-Out of, Automated Decision-Making Technology

Refer to Cal. Civ. Code Sections 1798.185(a)(16)

While largely silent on the issue of automated decision-technology, the CPRA directs the Attorney General to issue regulations governing access and opt-out rights with respect to the business’s use of automated decision-making technology and profiling. The Act defines profiling to include any automated processing of personal information to evaluate personal aspects related to a natural person, or to analyze or predict aspects concerning the person’s performance at work, economic situation, health, personal preferences, interests, reliability, behavior, location and movements. The text suggests that such regulations may include a requirement for a business to disclose information about the logic involved in the automated decision-making process in response to a consumer request.

Refer to Cal. Civ. Code § 1798.120, § 1798.145, § 1798.155

Quick Answer

Like the CCPA, the CPRA provides additional protections for the personal information of children under the age of 16. The CPRA prohibits a business from selling or sharing (for cross-contextual behavioral advertising purposes) the personal information of a consumer under the age of 16 unless the consumer (for consumers at least 13 years old) or the consumer’s parent (for consumers who are less than 13 years old) have affirmatively authorized the sale or sharing. If the consumer under 16 (or the consumer’s parent if the consumer is under the age of 13) does not provide consent, the business must wait at least 12 months before requesting the consumer’s consent again or until the consumer turns 16. These obligations apply if the business has “actual knowledge” of the child’s age. While the actual knowledge standard isn’t defined, the CPRA cautions that a business that “willfully disregards” the consumer’s age shall be deemed to have actual knowledge of the consumer’s age. Notwithstanding anything in the CPRA, a business must comply with its obligations under the federal Children’s Online Privacy Protection Act for the personal information of children under the age of 13.

Deeper Dive

Penalties for Violations Involving Children’s Data

The CPRA imposes higher administrative and civil penalties for violations involving the personal information of children and minors. Whereas the California Privacy Protection Agency or the Attorney General may seek penalties of up to $2,500 for each violation, or $7,500 for each intentional violation of the Act, they may seek penalties of up to $7,500 for each violation of the Act involving a consumer under the age of 16. There is no corresponding increase in the number of statutory penalties a consumer may seek in a civil action involving a violation of a minor’s privacy rights under the Act.

---

New Carve-Outs for Student’s Educational Information

The CPRA clarifies that the Act does not require a business to comply with a consumer request to delete a student’s grades, educational scores or test results that the business holds on behalf of an educational agency. Moreover, a business is not required to provide access to standardized educational assessments if the consumer’s access could jeopardize the validity and reliability of that educational assessment. This clarification helps to address some of the concerns raised that students could misuse the CCPA consumer rights to manipulate grades or gain an unfair advantage over other students by accessing testing materials. However, to the extent that such grades, educational scores or assessments are considered part of a student’s academic record under the Family Educational Rights and Privacy Act (FERPA), the information is excluded from the CCPA and CPRA’s scope of coverage anyway.

Refer to Cal. Civ. Code § 1798.140

Quick Answer

The CPRA significantly amends existing vendor contracting obligations under the CCPA. Pursuant to the CPRA amendments, a business is required to provide California residents with notice and the right to opt-out of two types of disclosures of personal information to third parties outlined below.

Deeper Dive

The two types of disclosures California residents can opt-out of include: (1) “sales,” defined broadly to include most circumstances in which the business makes personal information available to a third party for monetary or other valuable consideration, and (2) “sharing,” defined more narrowly to include circumstances in which the business makes personal information available to a third party specifically for the purpose of cross-context behavioral advertising, even if no money is exchanged. The CPRA establishes minimum requirements to establish a vendor either as a CPRA “service provider” or as a CPRA “contractor”—each a status that permits the disclosure of personal information without triggering the notice and opt-out requirements for sales and sharing.* In addition, the CPRA establishes new minimum contract terms that a business may need to impose whenever it discloses personal information externally, including when the information is sold or shared for behavioral advertising purposes. In short, the CPRA moves the goalposts for contracting in compliance with California privacy law, even for a business that has already taken steps to comply with the CCPA.

Service Providers and Contractors

To establish a vendor as “service provider” or “contractor,” a business must ensure the vendor signs a written contract that complies with applicable requirements under the CPRA. The “service provider” and “contractor” contract requirements are similar. For example, a “service provider” contract must prohibit the vendor from:

• Selling or sharing the personal information.
• Retaining, using, or disclosing the personal information other than for business purposes specified in the contract or as otherwise permitted by the CPRA.
• Retaining, using, or disclosing the information outside of the direct business relationship between the parties.
• Combining the personal information received from or on behalf of the business with personal information received or collected in other contexts.

To establish the vendor as a “contractor,” the contract must include the same prohibitions above, as well as a certification that the contractor understands those prohibitions and will comply with them. In addition, a contract with a contractor must permit the business to monitor the contractor's compliance with the contract through measures including: ongoing manual reviews, automated scans, and regular assessments, audits, or other technical and operational testing at least once every twelve (12) months. These monitoring rights are not mandatory for contracts with “service providers.”

The “service provider” and “contractor” requirements expand on the existing CCPA contracting framework. Under the CCPA, a covered business can choose to impose one of two sets of contractual restrictions to exempt disclosures of personal information from certain notice and opt-out requirements. Permitting CPRA-covered businesses to choose to impose either “service provider” or “contractor” restrictions by contract is consistent with the CCPA construct, but the actual restrictions imposed differ. For example, to qualify as a “service provider” a vendor must affirmatively commit not to sell or share personal information, something that is not currently required in similar circumstances under the CCPA. Furthermore, to qualify as either a “service provider” or a “contractor,” a vendor must commit not to combine personal information from multiple sources. In addition, the CPRA imposes an affirmative obligation on both “service providers” and “contractors” to notify a business when engaging a subcontractor that will assist in processing the business’s personal information and require the subcontractor to agree to comply with the same CPRA contract terms they have agreed to themselves.

---

New Minimum Contracting Terms

The CPRA also creates new minimum contracting terms whenever a business “sells” personal information to a third party, “shares” it for behavioral advertising purposes or otherwise discloses it for a “business purpose” to a service provider or contractor. In each of these circumstances, the contract should:

• Specify the information is sold or disclosed only for limited and specified purposes.
• Obligate the contracting party to comply with the CPRA and provide the same privacy protection level as required by the CPRA.
• Require the contracting party to notify the business if it can no longer meet its obligations under the CPRA.
• Grant the business rights to take “reasonable and appropriate steps” to help ensure the contracting party uses the personal information in a manner consistent with the CPRA or to stop and remediate unauthorized use of personal information.

These restrictions are new under the CPRA—the CCPA, as initially enacted, does not include similar requirements.

---

What to Do Now

While most of the CPRA obligations imposed on businesses do not become operative until January 1, 2023, companies are likely to require a long lead time to address applicable contracting considerations before that date. Accordingly, a business that may be subject to the CPRA should consider taking steps now to:

• Determine existing service providers and contractors to whom the business discloses personal information.
• Amend existing contracts as needed to establish “service provider” or “contractor” relationships under the CPRA or otherwise comply with the new CPRA contracting requirements.
• Negotiate additional CPRA-specific terms for pending or future contracts as needed. Consider using a vendor attestation to survey large numbers of vendors.
• If the business acts as a “service provider” or “contractor” to its customers, amend the company’s standard commercial agreements (e.g., Terms of Service or Master Services Agreement) as needed to include the applicable minimum terms.
• Watch out for related regulatory guidance from the California Privacy Protection Agency.

Quick Answer

The CPRA extends the sunset provisions for the CCPA’s employee and B2B exemptions from January 1, 2021 to January 1, 2023.

Deeper Dive

Employee Exemption

Refer to Cal. Civ. Code § 1798.145(m), (Cal. Civ. Code § 1798.100(a) and (Cal. Civ. Code § 1798.150)

The CPRA maintains the CCPA’s exemption of information collected by a business about its job applicants, employees, controlling owners, directors, officers, medical staff members and independent contractors (collectively referred to as “employee information”) from most obligations and restrictions outlined in the CCPA and CPRA so long as the employee information is collected and used solely in the context of the employer-employee relationship. This employee exemption continues to extend to (1) employee emergency contact information used solely to have an emergency contact on file and (2) benefits information of individuals related to employees used solely within the context of administering their benefits.

Like under the CCPA, the employee exemption still does not apply to the following updated sections of the CPRA:

• Notice at Collection: A business must provide proper notice “at or before the point of collection” of the categories of employee information to be collected (including sensitive personal information), the purposes for which it will be used, whether it will be sold or shared, and the length of time for which it will be retained. Forthcoming regulations may modify the information required for these employee notices.
• Data Breach Private Right of Action: A business that fails to implement and maintain reasonable security procedures and practices appropriate to the nature of the information may be subject to a private civil action for statutory damages in the event certain sensitive employee information (like name and social security number) are breached.

The CPRA extended the date upon which the exemption was set to expire from January 1, 2021 to January 1, 2023. The California Legislature now has two years to decide whether employee information will become subject to the CCPA/CPRA in their entirety, or whether an additional temporary or permanent exemption for employee information is appropriate.

---

B2B Exemption

Refer to Cal. Civ. Code § 1798.145(n), Cal. Civ. Code § 1798.120, Cal. Civ. Code § 1798.125 and Cal. Civ. Code § 1798.150)

The CPRA maintains the CCPA’s exemption of information reflecting a communication or transaction between the business and the employees of a third-party entity (as well as the controlling owners, directors, officers, and contractors of the third-party entity) occurring within the context of the business providing or receiving a product or service to or from the third-party entity, or in the context of conducting related due diligence (“B2B information”).

Like under the CCPA, the B2B exemption still does not apply to the following updated sections of the CPRA:

• Right to Opt-Out of Sales and Sharing: A business must provide consumers the opportunity to opt-out of the transfer or making available of personal information to third parties for (1) monetary or other valuable consideration (“selling”), or (2) for cross-context behavioral advertising, whether or not for monetary or other valuable consideration (“sharing”).
• Right to Non-Discrimination: A business is prohibited from discriminating against a consumer for exercising his or her rights under the CPRA.
• Data Breach Private Right of Action: A business that fails to implement and maintain reasonable security procedures and practices appropriate to the nature of the information may be subject to a private civil action for statutory damages in the event certain sensitive B2B information (like name and social security number) are breached.

The CPRA extended the date upon which the exemption was set to expire from January 1, 2021, to January 1, 2023. The California Legislature now has two years to decide whether B2B information will become subject to the CCPA/CPRA in their entirety, or whether an additional temporary or permanent exemption for B2B information is appropriate.

Quick Answer

In addition to the changes made to the employee and B2B exemptions described above, the CPRA modified, clarified, and added several other exemptions to the CCPA.

Deeper Dive

New Exemptions

Trade Secret Exemption
Refer to Cal. Civ. Code §§ 1798.100(f) and 1798.185(a)(3)
The CPRA explicitly provides that a business is not required to disclose trade secrets as part of its obligation to provide a notice at collection or in response to a verifiable consumer request. Forthcoming regulations should further clarify this exemption.

Household Data Exemption
Refer to Cal. Civ. Code § 1798.145(p)
The CPRA creates an exemption for household data from the Right to Deletion (Cal. Civ. Code § 1798.105), the Right to Correction (Cal. Civ. Code § 1798.106) and the Right to Know (Cal. Civ. Code §§ 1798.110–115).

Student Information and Assessments Exemption
Refer to Cal. Civ. Code § 1798.145(q)(1)
The CPRA provides that a business is not required to (i) comply with a deletion request under Cal. Civ. Code § 1798.105 to the extent the request applies to certain student information (like grades and test results) held on behalf of a local educational agency at which the student is currently enrolled or (ii) comply with a request to know under Cal. Civ. Code § 1798.110 to the extent the request applies to certain educational assessments and would jeopardize the validity and reliability of the assessment.

Physical Item Exemption
Refer to Cal. Civ. Code § 1798.145(r)
The CPRA provides that the Right to Deletion (Cal. Civ. Code § 1798.105) and the Right to Opt-Out of Sales and Sharing (Cal. Civ. Code § 1798.120) do not apply to personal information for which the consumer has consented for the business to use, disclose or sell for purposes of producing a physical item (like a school yearbook) provided certain thresholds are met.

Commercial Credit Reporting Agency
Refer to Cal. Civ. Code § 1798.145(o)
The CPRA exempts commercial credit reporting agencies from the obligations under the Right to Deletion (Cal. Civ. Code § 1798.105) and the Right to Opt-Out of Sales or Sharing (Cal. Civ. Code § 1798.120) for the collection, processing, sale, or disclosure of business controller information solely for the purpose of identifying the relationship of a consumer to a business which the consumer owns or contact the consumer only in the consumer’s role as the owner, director, officer, or management employee of the business.

Government Agency Cooperation If Serious Risk Involved
Refer to Cal. Civ. Code § 1798.145(a)(4)
The CPRA creates an exemption for government agency requests for “emergency access to a consumer’s personal information if a natural person is at risk or danger of death or serious physical injury,” provided that certain procedural steps are followed.

Law-Enforcement 90-Day Hold on Deletion Requests
Refer to Cal. Civ. Code § 1798.145(a)(2)
The CPRA creates an exemption permitting a business to comply with proper direction from law enforcement agencies not to delete a consumer’s personal information for 90 days (plus a potential additional 90-day extension) in order to allow for a proper subpoena, order, or warrant to be obtained.

---

Modified/Clarified Exemptions

Public Information Exemption
Refer to Cal. Civ. Code § 1798.140(v)(2)
The CPRA expands the exemption for publicly available information to apply not only to information that is lawfully made available from federal, state, or local government records but also to true “public” information like information made available to the general public by the consumer or from widely distributed media.

Deidentified Information Exemption
Refer to Cal. Civ. Code §§ 1798.140(m) and 1798.145(a)(6)
The CPRA revises the definition of “deidentified” information to be “information that cannot reasonably be used to infer information about, or otherwise be linked to, a particular consumer,” provided the business that possesses the information implements certain safeguards, including a public commitment to maintain and use the information in deidentified form and not to attempt to reidentify it.

Fair Credit Reporting Act Information
Refer to Cal. Civ. Code § 1798.145(d)
The CPRA clarifies that essentially all activity governed by the Fair Credit Reporting Act (FCRA) is exempt from all obligations and restrictions set forth in the CPRA, except the data breach private right of action in Cal. Civ. Code § 1798.150.

Financial Information Exemption
Refer to Cal. Civ. Code § 1798.145(e))
The CPRA revises the financial information exception to apply to “personal information collected, processed, sold, or disclosed pursuant subject to the federal Gramm-Leach-Bliley Act . . . , or the California Financial Information Privacy Act, . . . or the federal Farm Credit Act of 1971.” (emphasis and revision added). The impact of this change is not clear without further regulator guidance.

Car Dealer-Manufacturer Exemption
Refer to Cal. Civ. Code § 1798.145(g)
The CPRA adds an exemption from the right to opt-out of the selling or sharing of personal information for vehicle or ownership information retained or shared between a new motor vehicle dealer and the vehicle’s manufacturer for purposes of effectuating a vehicle repair under warranty or recall.

---

Materially Unchanged Exemptions

Aggregate Information
Refer to Cal. Civ. Code §§ 1798.140(b) and 1798.145(a)(6)
The CPRA maintains the exemption for “aggregate” information, which continues to be defined as “information that relates to a group or category of [California residents], from which individual consumer identities have been removed, [and] that is not linked or reasonably linkable to any [California resident] or household, including via a device.”

Medical Information
Refer to Cal. Civ. Code § 1798.145(c)(1)(A)
The CPRA continues to exempt certain medical information governed by other privacy regimes (like HIPAA).

Health Care Providers and Covered Entities
Refer to Cal. Civ. Code § 1798.145(c)(1)(B)
The CPRA continues to exempt providers of health care governed by the Confidentiality of Medical Information Act (CMIA) and covered entities governed by HIPAA, to the extent the provider or covered entity maintains patient information in the same manner as protected medical information.

Clinical Trial or Biomedical Research Study Information
Refer to Cal. Civ. Code § 1798.145(c)(1)(C)
The CPRA continues to exempt personal information collected as part of a clinical trial or other biomedical research study subject to or conducted in accordance with certain clinical trial and research study regulations and guidelines.

Driver’s Privacy Protection Act of 1994 Information
Refer to Cal. Civ. Code § 1798.145(f)
The CPRA continues to exempt personal information collected, processed, sold, or disclosed pursuant to the Driver’s Privacy Protection Act of 1994, except with respect to the data breach private right of action in Cal. Civ. Code § 1798.150.

Information Protected by the First Amendment
Refer to Cal Civ. Code § 1798.145(l)
The CPRA maintains that the rights afforded to California residents and the obligations imposed on any business under the CCPA/CPRA do not apply to the extent that they infringe on the noncommercial activities of a person or entity described in Art. I, Sec. 2(b), of the California Constitution (e.g., journalists, reporters, and other members of the press).

Activity Wholly Outside of California
Refer to Cal Civ. Code § 1798.145(a)(7)
The CPRA does not restrict a business’s ability to collect, sell or share a consumer’s personal information if every aspect of that commercial conduct takes place wholly outside of California.

Rights and Freedoms of Others
Refer to Cal. Civ. Code § 1798.145(k)
With relatively minor clarifications, the CPRA maintains the position that the rights afforded to consumers and the obligations imposed on the business by the CCPA/CPRA must not adversely affect the rights and freedoms of other consumers.

Legal Claims
Refer to Cal Civ. Code § 1798.145(a)(5)
The CPRA does not restrict a business’s ability to exercise or defend legal claims.

Evidentiary Privilege
Cal Civ. Code § 1798.145(b)
Certain obligations imposed under the CPRA (Cal. Civ. Code §§ 1798.110, 1798.115, 1798.120, 1798.121, 1798.130 and 1798.135) do not apply where compliance by the business with the CPRA would violate an evidentiary privilege under California law. In addition, the CPRA does not prevent a business from providing the personal information of a consumer to a person covered by an evidentiary privilege under California law as part of a privileged communication.

Legal Compliance and Law Enforcement Cooperation
Refer to Cal Civ. Code §§ 1798.145(a)(1) and 1798.145(a)(3)
The CPRA does not restrict the ability of a business to (1) comply with applicable law, court order or subpoena, or (2) cooperate with law enforcement in connection with potentially illegal conduct or activity.

Refer to Civ. Code § 1798.81.5(a)(1)

Quick Answer

The CCPA, which took effect in January 2020, created a private right of action for individuals to sue businesses that fail to implement and maintain reasonable security procedures and practices to protect specified categories of personal information from unauthorized access and exfiltration, theft, or disclosure. However, the CCPA by itself does not require businesses to meet a specific minimum-security standard. 

Deeper Dive

Private Right of Action

The CCPA’s private right of action will remain when the CPRA takes effect in January 2023. Still, the new law will add a separate and explicit affirmative requirement for certain businesses to implement reasonable security procedures and practices to protect consumers’ personal information. The CPRA will also increase the stakes for third parties, service providers, and contractors who process personal information. The new law will require CPRA-covered entities to obtain assurance, through contracts, that certain third parties who receive personal information will provide the same level of privacy protection required of the covered entities.

---

Auditing Requirement

Furthermore, the CPRA will create a new information security auditing requirement for many businesses. Soon-to-be-written CPRA regulations will require annual cybersecurity audits of companies whose processing of personal information presents a significant risk to consumers’ privacy or security. In addition to undergoing annual audits, these same businesses will be required to submit risk assessments of how they process personal information, weighing the business benefits of processing the information against the potential risks to consumer rights. It is currently unclear which businesses will be subject to the CPRA’s new audit and risk assessment requirements, but the criteria will involve the size and complexity of the companies and the nature and scope of information processing activities.

---

Reasonable Security Remains Absent

One thing that will not change under the CPRA is that a clear definition for “reasonable security” will remain absent from the California Code itself. The statute states, “reasonable security procedures and practices appropriate to the nature of the personal information…” (Emphasis added.). This suggests that security measures deemed reasonable differ from industry to industry and, even within an industry, depending on the case-by-case sensitivity of the data, risk of harm, and burdens necessary to secure the data. For guidance on how to satisfy the CCPA and CPRA’s reasonable security requirement, businesses can look to cost-benefit analysis, industry custom, and industry standards. In practice, however, applying this general guidance is understandably tricky. First, quantifying the costs and benefits of specific security measures is not a straightforward process. Second, there may not be a widely known custom for a particular security measure within a given industry. Focusing on any single security measure would be an unfair gauge for whether a company’s overall security is reasonable. Third, many sectors have no uniform, clearly accepted data security standard for all types of personal information. Even if a specific standard exists in one context, creating a universal reasonableness test around that standard could be problematic, mainly if it does not come with a certification safe harbor.

---

Reasonable Data Security Postures

In 2016, the California Attorney General released a Data Breach Report, recommending the 20 controls in the Center for Internet Security’s Critical Security Controls as the minimum level of information security for organizations that collect or maintain personal information should meet, and advising that failure to implement all controls that apply to an organization’s environment constitutes a lack of reasonable security. But businesses should bear in mind that this advice came before the CCPA and CPRA existed, and courts have no requirement to defer this type of agency interpretation. Despite these challenges, California’s laws demand that businesses assess the reasonableness of their data security procedures and practices. Common themes for reasonable data security postures may include having written guidance, internal governance, ongoing risk assessment and training, active management of vendors and third parties and a detailed plan for responding to a cyber incident.

Refer to Cal. Civ. Code § 1798.150 and Cal. Civ. Code § 1798.81.5

Quick Answer

The CPRA adds an email address in combination with a password or security question plus answer to the list of data elements that, if breached, could give rise to a private right of action, and clarifies that maintaining reasonable security procedures does not amount to a “cure” under the law.

Deeper Dive

Types of Information

Under the terms of the CCPA, consumers may bring a private action against a business when certain types of personal information, not encrypted or redacted, are subject to unauthorized access and exfiltration, theft, or disclosure as a result of the business’s failure in its duty to maintain reasonable security practices and procedures. The types of information the theft of which would trigger the private right of action are limited to a person’s last name and first name or initials in combination with (1) a social security number, (2) a driver’s license or other government identification number, (3) an account number and any code or password that would grant access to a financial account, (4) medical information, (5) health insurance information, or (6) unique biometric data.

---

New Category

The CPRA adds a new category of data for which a private cause of action may be brought: “email address in combination with a password or security question and answer that would permit access to the account.” Thus, a breach of this information would be sufficient to give rise to a private action resulting from the business’s failure in its duty to maintain reasonable security practices and procedures. Note, however, that this additional category is narrower than the protected personal information in subsection (B) of Cal. Civ. Code § 1798.81.5(d)(1), which includes any “username or email address in combination with a password or security question and answer that would permit access to an online account.” (emphasis added). In short, the private right of action will not apply to breaches of all types of online account credentials – rather, only account credentials that include an email address.

---

Pre-Action Notice-and-Cure Requirement Narrowing

The CPRA also significantly narrows the pre-action notice-and-cure requirement in Section 1798.150(b). As originally drafted, the CCPA required 30-days’ advance notice of an action and an opportunity to cure the alleged violation, without any exceptions or carveouts. If the violation is confirmed in writing to have been cured, then no action may be initiated. In the CPRA, new language states expressly that “[i]mplementation and maintenance of reasonable security procedures and practices . . . does not constitute a cure with respect to that breach,” and is thus not a bar to an action being instituted.

Quick Answer

One of the most significant structural changes to privacy administration that the CPRA introduces is the creation of a new agency tasked with regulation and enforcement of the CCPA as amended by the CPRA. The California Privacy Protection Agency (Agency) is a new administrative agency, overseen by a five-person board of experts in privacy and technology, that will be responsible for administering, implementing, and enforcing the CCPA as amended by the CPRA. The CPRA appropriates $5 million in the first year for creating the Agency and $10 million in each subsequent fiscal year for its operation.

Deeper Dive

Section 24 of the CPRA establishes the Agency, which will be run by a five-member board of experts in privacy and technology to be appointed by various branches of the state government within 90 days of the effective date of the CPRA, which is December 16, 2020. By March 16, 2021, the chair and one member are to be appointed by the Governor and will be joined by one appointee each by the Attorney General, the Senate Rules Committee, and the Speaker of the Assembly. Each member will serve at the pleasure of the appointing authority for up to a maximum of eight years.

The board is to appoint an executive director and officers, counsel, and employees to perform the duties of the Agency. The Agency is empowered to do several things:

• Administer, implement and enforce the CCPA as amended by the CPRA.
• Take over from the Attorney General responsibility for the promulgation of regulations.
• “Protect the fundamental privacy rights of natural persons with respect to the use of their personal information”.
• “Promote public awareness” about “the collection, use, sale and disclosure of personal information,” including by publishing a public report regarding risk assessments.
• Provide guidance to consumers about their rights and to businesses about their duties and responsibilities.
• Provide technical assistance and advice to the California Legislature.
• Monitor technological and commercial developments.
• Cooperate with other agencies in California and elsewhere.
• Establish a mechanism for non-businesses to certify compliance.
• Review and approve grant applications.
• “Seek to balance the goals of strengthening consumer privacy will giving attention to the impact on businesses.”

---

Adoption of Final Regulations

By the later of July 1, 2021, or six months from the Agency’s notification of the Attorney General that it is prepared to take over the promulgation of regulations, the Agency will be responsible for adopting final regulations, which must be complete by July 1, 2022. By statute, the regulations are to include:

• Updating or adding categories of personal information or sensitive personal information.
• Updating as needed the definitions of “deidentified” and “unique identifier”.
• Establishing legally necessary exceptions for the protection of information such as trade secrets and intellectual property.
• Establishing rules and procedures for consumer opt-out requests and business responses.
• Adjustment of monetary thresholds for application of the law to a business.
• Establishing rules, procedures and exceptions for notices and information consumers.
• Establishing rules and procedures for consumer information, deletion and correction requests.
• Establishing rules governing consumer correction requests and business responses to verifiable consumer requests.
• Defining business purposes for which personal information may be used consistent with consumer expectations, for which personal information from different sources may be combined, for which consumer information received pursuant to a contract may be used for the recipient’s business purposes.
• Defining the terms “intentionally interacts,” “precise geolocation,” “specific pieces of information obtained from the consumer” and “law enforcement agency-approved investigation”.
• Requiring businesses whose processing presents significant risk to privacy or security to perform cybersecurity audits and submit risk assessments to the Agency.
• Establishing access and opt-out rights for automated decision-making technology, defining the Agency’s audit authority.
• Defining the requirements and technical specifications for opt-out preference signals, identification of opt-out preferences of minors, and governing use or disclosure of sensitive personal information when a consumer has directed limited use.
• Establishing how a company may provide consumers the opportunity to consent to the sale, use or disclosure after opting out.
• Reviewing regulations governing consumer privacy in the Insurance Code.

---

Investigation and Enforcement Violations

One of the other most significant roles for the new Agency will be the investigation and enforcement of violations. Upon receipt of a sworn complaint or on its initiative, the Agency may investigate potential violations and, if it finds probable cause to believe a violation has occurred, must provide the business notice of that finding and hold a hearing. If the result is a determination that a violation occurred, the Agency may order the business to cease and desist the violation and/or assess an administrative fine of $2500 per violation or $7500 per intentional violation or violation involving the personal information of minors. Any such determination would be subject to judicial review. Fines paid shall go into the state’s Consumer Privacy Fund.

Notably, the CPRA does not strip the Attorney General of the enforcement authority that the CCPA provided it. Thus, a business violating the CCPA as amended may alternatively be subject to an injunction and civil penalty (in the same amount as the administrative fine) in a civil action initiated by the Attorney General. An investigation or prosecution by the Attorney General will take precedence over any administrative action by the Agency. This means that where requested by the Attorney General, the Agency must pause its own investigation or enforcement action and only continue if the Attorney General ultimately decides not to initiate a civil action. However, if the Agency has already issued a decision or order, the Attorney General cannot file a subsequent civil action for the same violation.

In November 2020, California voters approved the CPRA. The CPRA builds on CCPA and includes a two-year ramp-up period for businesses to adjust their practices to comply with the new and revised obligations. The following milestone dates mark the stage-by-stage rollout of the CPRA as it comes into full effect.

December 2020: Preliminary CPRA Effective Date

• The CPRA extended the CCPA personnel/employee exception and Business-to-Business (“B2B”) exception to January 1, 2023.
• The California Attorney General began adopting regulations and the mechanism to transfer regulatory authority to a newly created privacy agency, the California Privacy Protection Agency (Agency), vested with full administrative power, authority and jurisdiction to implement and enforce the CCPA, as amended by the CPRA.

July 1, 2021: Transfer of Regulatory Authority to the Agency

• Beginning the later of this date, or six months after the Agency provides notice that it is prepared to begin rulemaking, the California Attorney General will transfer authority to the Agency to adopt CPRA regulations.

January 1, 2022: Start of Look-Back Period

• Beginning from this date, personal information businesses collect will become subject to obligations under the CPRA. As an exception, this date will have no bearing on consumers’ right to access their personal information.

July 1, 2022: Deadline for Adopting Final Regulations

• The CPRA’s final regulations will be adopted by this date.

January 1, 2023: Full Operative Date

• The remainder of the CPRA will become operative on this date.
• The personnel/employee and B2B exceptions expire.

July 1, 2023: Enforcement Date

• On this date, the Agency will begin enforcing the civil and administrative obligations added by the CPRA, which can only apply to violations occurring on or after this date.