California Publishes New Consumer Privacy Regulations
On March 29, 2023, the California Privacy Protection Agency (“CPPA”) published final regulations implementing the Consumer Privacy Rights Act of 2020 (“CPRA”). The regulations, which became effective immediately, amend previous regulations implementing the California Consumer Privacy Act of 2018 (“CCPA”). The combined regulations now provide more precise directions about the privacy practices that California businesses must adopt in order to comply with the two Acts. Senior care providers that are subject to the CCPA and CPRA should be aware of the new regulations and be prepared to update their privacy policies and compliance programs accordingly.
Expansion of Consumer Privacy Rights
The CCPA, CPRA, and the regulations promulgated under them give California consumers certain privacy rights with regard to personal information gathered and retained by California for-profit businesses with annual gross revenues of more than $25 million. The focus is on electronic information obtained through online visits to a business’ website. The CPRA and the regulations that now have become effective expand those rights in certain ways.
The CCPA and its regulations provided the following rights to California consumers:
- Right to Know – Consumers may request that a business disclose what personal information the business has collected, used, shared, or sold about them, and the purposes for which it did so.
- Right to Delete – Consumers may request that a business delete personal information collected about them. The new CPRA regulations expand this right, such that a business that receives a consumer request to delete personal information not only must delete the information, but also require all of its service providers who received such information from it to do so as well. It must do the same with all third parties to whom it sold or with whom it shared the information unless this would be impossible or would involve “disproportionate effort.”
- Right to Opt Out of Sale – Consumers may request that a business stop selling their personal information.
- Right to Non-Discrimination – A business cannot deny goods or services, charge a different price, or provide a different level or quality of goods or services just because a consumer has exercised rights under the CCPA.
The CPRA provided certain new rights to California consumers, which the recently promulgated regulations have expanded on. They are as follows:
- Right to Correct – Consumers may request that a business correct inaccurate personal information maintained by the business. According to the new regulations, a business may deny such a request if it determines the information is more likely to be accurate than not, given the “totality of the circumstances.”
- Right to Opt Out of Sharing – Consumers may request that a business stop sharing their personal information. “Sharing” is defined by the CPRA as the transfer or making available of a “consumer’s personal information by the business to a third party for cross-context behavioral advertising, whether or not for monetary or other valuable consideration.”
- Right to Limit Use or Disclosure of Sensitive Personal Information – Consumers may request that a business limit its use of their sensitive personal information to that which is necessary to perform the services or provide the goods reasonably expected by the consumers. If the business uses or discloses sensitive personal information for other purposes, the business must notify the consumer(s) and provide them the right to limit its use and/or disclosure.
The concept of “disproportionate effort,” first introduced in the CPRA, permits a business to decline a consumer request to exercise a right if the time and/or resources required to honor the request significantly outweigh the benefit to the consumer. For this term, and for a number of other new or revised terms, the new regulations provide specific situational examples to aid with implementation.
To operationalize the rights to opt out and to limit use or disclosure of sensitive personal information, the new regulations require a business to include conspicuous links on its website and either to (1) immediately effectuate any request to opt out and/or to limit uses or disclosures or (2) direct the consumer to a webpage that explains the consumer’s opt-out and limitation rights, along with the way to exercise those rights.
Downstream Contracting Requirements
The CPRA requires businesses to include certain provisions in agreements with other entities to which they disclose personal information. These include entities that process personal information on behalf of a business (“service providers”), entities to whom the business makes available a consumer’s personal information for a business purpose (“contractors”), and any other entity that receives personal information from the business (“third parties”). The new regulations revise and consolidate existing requirements for service provider contracts and add a section specifically addressing contracts with contractors and third parties.
The updates provide examples to help determine when and how service providers and contractors can retain personal information obtained in the course of providing contracted services. They also place additional requirements on “third parties.” For example, a business’ contract with a “third party” must include a provision specifying that the business is disclosing personal information to the “third party” for limited and specified purposes and that the “third party” may use such personal information only for those purposes. Further, when a “third party” collects personal information from a consumer online and receives an opt-out or use limitation preference signal, the “third party” must recognize that signal and refrain from using, retaining, or disclosing that personal information unless informed by the business that the consumer has consented, or if the “third party” becomes a service provider or contractor.
New Notice to Consumer Requirements
The new regulations address the CPRA’s new or expanded requirements for notices that businesses must provide to consumers. In addition to existing requirements, a business’ notice at collection would need to provide:
- A list of categories of sensitive personal information to be collected;
- Whether personal information is sold or shared;
- How long the business intends to retain each category of personal information (or, if not possible, the criteria used to determine the retention period); and
- If the business permits third parties to collect personal information from consumers, the names of all the third parties or information about the third parties’ business practices.
The CPPA is currently enforcing the CCPA and will begin enforcing the CPRA no earlier than July 1, 2023. Accordingly, businesses, including covered senior care providers, are encouraged to conduct thorough evaluations of their current CCPA/CPRA compliance plans to ensure that they meet existing requirements and respond appropriately to the newly finalized regulations.
For further information, the full text of the final regulations and supporting documents can be found here: https://cppa.ca.gov/meetings/materials/20230203_item4_text.pdf