Who is Covered by CPRA (formerly CCPA) and What Does It Require?
In January 2020, the California Consumer Privacy Act (CCPA), aka “California’s GDPR,” ushered in a new era of compliance, prompting companies to do far more than update their privacy policies. California’s new law affected thousands of businesses that leverage a wide range of personal data connected to the nearly 40 million California residents, their households, and devices.
In November 2020, voters approved the California Privacy Rights Act (CPRA) to build on CCPA. CPRA will go into effect on January 1, 2023, providing California consumers even more rights to control the personal information that businesses hold about them. CPRA adds significant new compliance obligations on covered businesses. There’s no singular roadmap or strategy to being “CPRA compliant,” but there’s no shortage of strategies to prepare for CPRA, and DocuSign can help.
This information is provided for general information purposes only. It does not constitute and is not a substitute for legal advice.
Who exactly is covered by CPRA?
Currently, CCPA essentially applies to any for-profit entity doing business in California that collects, shares, or sells California consumers' personal data, and:
- Has annual gross revenues in excess of $25 million; or
- Possesses the personal information of 50,000 or more consumers, households, or devices; or
- Earns more than half of its annual revenue from selling consumers' personal information.
Starting January 1, 2023, the new CPRA will apply to any for-profit entity doing business in California that collects California consumers' personal data, and:
- Had gross revenues exceeding $25 million as of January 1 in the preceding calendar year; or
- Buys, sells, or shares the information of 100,000 or more consumers or households; or
- Derives 50 percent or more of its annual revenue from selling or sharing consumers’ personal information.
Subject to the effective date, if your business leverages personal data from California residents and meets any of the three criteria above, it is likely subject to CCPA/CPRA. While neither CCPA nor CPRA provides a definition of “doing business in California,” related legal standards suggest this is an easy threshold to meet and does not require having operations or employees in California.
CCPA also applies to any entity that owns, is owned by, or shares common branding with a covered business — extending its reach even further. CPRA expands this CCPA definition: the covered business must share personal information with the entity, and sharing common branding would cause the average consumer to understand that the entities are under common ownership.
CPRA further adds a third group of applicable entities: a joint venture or partnership made up of businesses in which each business has at least a 40 percent interest. The joint venture or partnership itself, and each business that composes the joint venture or partnership will be separately considered a single business. Personal information in the possession of each business and disclosed to the joint venture or partnership will not be shared with the other business.
Though CCPA/CPRA has various exemptions to avoid overlap with other data privacy laws like the Health Insurance Portability and Accountability Act (HIPAA), and the finance-focused Gramm-Leach-Bliley Act (GLBA), such exemptions are not absolute. Health and life sciences providers and financial services firms can potentially be impacted by CCPA/CPRA as well.
Do CPRA’s requirements differ from those of GDPR?
Despite some similarities, CPRA is narrower in some respects and it provides more limited rights for consumers to access and delete personal data. However, CPRA is pushing privacy law closer to GDPR including specific requirements for businesses to:
- Disclose to consumers that they sell or share personal information
- Affirmatively collect consent to sell data from any consumer under 16, or from a parent or guardian for any consumer under 13
- Treat customers equally on service and price regardless of whether they have exercised their rights under the law
- Provide notice to consumers, at or before the point of collection, about how the business uses, sells, and shares the personal information
- Only collect, use, or share personal information that is reasonably necessary and proportionate to achieve the purposes for which the personal information was collected
- Delete consumers’ personal information following a consumer’s request to delete, subject to certain CCPA/CPRA exceptions
These additional requirements necessitate action above and beyond the steps that affected businesses may have already taken for GDPR compliance.
What are the penalties under CPRA?
CPRA creates a private right of action for consumers whose personal information or email login information is compromised via data breaches, with penalties up to $750 per consumer per violation. These statutory damages can add up: a single breach affecting 100,000 California customers could yield $75M in statutory damages alone, which can be pursued via class action litigation. And consumers are not limited by the statutory amount if they are able to show greater actual damages from a violation.
The private right of action only arises, however, where the business failed to follow “reasonable practices and procedures” to avoid the data breach. Although CPRA does not define what such practices are, there are numerous cybersecurity standards and certifications judges can look to when cases arise.
The law also provides a 30-day cure period for noticed violations, theoretically providing a critical way out of statutory penalties. However, “cure” is not defined in the law, and it’s not entirely clear how a business could “cure” a data breach that has already affected consumers. CPRA slightly clarifies this ambiguity by stating that the implementation and maintenance of reasonable security procedures and practices following a breach does not constitute a cure to that breach. What’s more, the California Attorney General may seek additional penalties of up to $2,500 per violation, or up to $7,500 for each intentional violation. Further, the AG may seek an injunction against a company it believes to be violating CPRA, which could grind business to a halt.
Why was there so much uncertainty around CCPA?
CCPA was drafted exceedingly quickly for political and logistical reasons, and creating an effective law of such broad reach was a legislative challenge under the best of circumstances. Proposed rule-making and amendments will update existing privacy regulations, provide clarity and specificity to implement the CPRA, and reorganize and consolidate CCPA and CPRA requirements set forth in the law to make CPRA easier to follow and understand.
On July 8, 2022, the California Privacy Protection Agency began the formal rule-making process for CPRA. The Agency issued a Notice of Proposed Rulemaking and Initial Statement of Reasons, and released the proposed regulations. The proposed regulations, once passed, will provide comprehensive guidance to consumers, businesses, and third parties on how to implement changes introduced by CPRA. They will simplify compliance for covered businesses and avoid unnecessary confusion that may have been created by CCPA.
How can DocuSign help with CPRA?
DocuSign provides much more than the industry-leading e-signature service. DocuSign solutions include a broad array of tools to help organizations prepare, sign, act on, and manage their agreements.
For addressing the challenges of CPRA, that means tools to help:
- Securely process consumer requests to access private data and “opt out” of sharing
- Automatically analyze data privacy risk areas across volumes of agreements
- Reliably capture consent to changing Terms and Conditions and privacy policies
- Efficiently prepare and execute revised agreements with third parties that handle private customer data
And that’s good because data privacy compliance challenges continue to grow. In addition to California, Colorado, Connecticut, Utah and Virginia have enacted comprehensive consumer data privacy laws. These laws also give consumers greater rights and control over their personal data, including the right to access and delete personal information and the ability to opt-out of the sharing of their personal information.
With all these laws on the books, in addition to proposed successor US legislation on the horizon aimed at remediating the invalidated US Privacy Shield, managing data privacy risk is an ever-more-challenging priority and presents a patchwork quilt of compliance obligations. Now more than ever, modernizing your organization’s system of agreement can go a long way toward achieving privacy law readiness.