Binary Check Ad Blocker Security News

With the passage of the Consumer Privacy Rights Act (CPRA), we are presenting several blog articles on different topics related to the new law. We previously wrote about key effective dates and the newly-added definition of sensitive information. This week, we will focus on consumer opt-out rights and data profiling.

Consumer Opt-Out Rights

The CPRA created several new rights for consumers – one of which is the right to opt out of the sale or the sharing of their personal information. In order to understand this new opt-out right, we need to review the new definition of sharing personal information in the CPRA.

The CPRA differentiates between the sale of personal information and the sharing of personal information. Sharing personal information means disclosing it to third parties for “cross-context behavioral advertising, whether or not for monetary or other valuable consideration, including transactions between a business and a third party for cross-context behavioral advertising for the benefit of a business in which no money is exchanged.” Section 1798.140 (a)(h)(1).

What is cross-contextual behavioral advertising? Think about advertising targeted to the consumer based on their internet behavior. Contextual advertising might be an ad shown specifically to a consumer for a product related to that consumer’s internet search. If you are a California resident, the CPRA will give you the right to opt out of the sharing of your personal information in this way. How will a consumer exercise this right? The CPRA states that a consumer shall have the right, at any time, “to direct a business that sells or shares personal information about the consumer to third parties not to sell or share the consumer’s personal information.” Section 1798.120(a).

Data Profiling – What is it?

Another consumer right related to the consumer opt-out rights found in the CPRA pertains to data profiling. Profiling is defined in the CPRA as the automated processing of personal information to “to evaluate certain personal aspects relating to a natural person, and in particular to analyze or predict aspects concerning that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behavior, location or movements.” Section 1798.140 (z). One bright note is that Section 1798.185 (a)(16) states that regulations will need to be developed “governing access and opt-out rights with respect to businesses’ use of automated decision-making technology, including profiling and requiring businesses’ response to access requests to include meaningful information about the logic involved in such decision-making processes, as well as a description of the likely outcome of the process with respect to the consumer.”

We will be following these opt-out rights closely – both from a consumer privacy standpoint and for businesses that use such targeted advertising technologies, including automated processing of personal information – to see how the regulations will address the logic involved in the decision-making process and its impact on consumers.

The California Consumer Privacy Act (CCPA) requires businesses covered by the CCPA to notify their employees of the categories of personal information the business collects about employees and the purposes for which the categories of personal information are used. The categories of personal information are broadly defined in the CCPA and include personal information such as medical information, geolocation data, biometric information, and sensory data.

As a result of the COVID-19 pandemic, many businesses are conducting screenings of employees for COVID symptoms. In many states, it is either required or recommended that businesses conduct such screenings of employees prior to entering the workplace. These employee screenings vary across the country but many include documenting an employee’s temperature, whether they have any COVID-related symptoms or exposure to individuals with COVID-19, or documenting travel out of state or out of the country. States vary too, in the method of collection of this information, with employees completing a written questionnaire via email, text, or mobile application. COVID-19 screening and temperature data is recorded and kept daily to demonstrate compliance with state and local public health requirements.

So, what does this mean for CCPA compliance? None of us could have predicted a year ago that employers would be collecting temperature data, lists of symptoms, and travel information from our employees. If you drafted your CCPA employee notice prior to the start of the pandemic, you may want to review the categories of personal information you now collect in light of these COVID-19 data collection requirements and recommendations. For example, depending upon the type of temperature check, this data could be considered biometric information or sensory data. Your employee notice may also need to disclose how such categories of personal information are used by the business, such as to comply with state and local public health requirements.

While the CCPA requires notice to employees of the categories of data collected, in light of the pandemic, businesses may wish to review their employee notice to determine if it needs to be updated to accurately reflect any additional categories of personal information collected and how the business is using that personal information.

With the passage of the ballot initiative known as the Consumer Privacy Rights Act (CPRA or Act) in California, we are presenting several blog articles on different topics related to this new law. Last week, we wrote about the newly-added definition of sensitive information. This week we will focus on some key effective dates in the CPRA along with what it will mean to have a separate privacy rights enforcement agency.

CPRA Effective January 1, 2023

The good news is that the CPRA’s effective date is January 1, 2023, so businesses have some time to assess and get ready for the new law while the California Consumer Privacy Act (CCPA) is still in effect and enforceable. The CPRA functions like an overlay to CCPA. Once the CPRA takes effect in 2023, it will become the privacy law of the land in California.

There is one exception to the 2023 effective date and that is with respect to the right of access. The CPRA’s right to know or right of access applies to personal information collected by a business on or after January 1, 2022. The exemptions for employee information and business-to-business information remain in place until January 1, 2023. The CPRA also provides additional rulemaking authority, which may also take place prior to the effective date.

Creation of the California Privacy Protection Agency

Section 24 of the CPRA creates the California Privacy Protection Agency (CPPA or Agency), established in the state government of California. The Agency is vested with full administrative power, authority, and jurisdiction to implement and enforce the California Consumer Privacy Act. Section 1798.199.10(a) states that: “[t]he Agency shall be governed by a five-member board, including the Chair. The Chair and one member of the board shall be appointed by the Governor. The Attorney General, Senate Rules Committee, and Speaker of the Assembly shall each appoint one member. These appointments should be made from among Californians with expertise in the areas of privacy, technology, and consumer rights.” Subsection (b) states that the initial appointments to the Agency shall be made within 90 days of the effective date of the Act.

The board will have the authority to appoint an executive director and the Agency will have broad powers to protect “the fundamental privacy rights of natural persons with respect to the use of their personal information.” Section 1798.199.40 (c). The CPRA allows individuals, businesses, customers, advocacy groups and vendors to file complaints with the Agency regarding the privacy practices of a business. The Agency will have the power to investigate complaints, to hold hearings to determine if a violation has occurred, and to issue orders to: cease and desist, and to pay an administrative fine up to $2,500 for each violation or up to $7,500 for each intentional violation as well as each violation involving the personal information of minor consumers. The Agency also has the power to bring a civil action in the superior court for the purpose of collecting unpaid administrative agency fines.

The Agency also is charged with providing guidance to both consumers and businesses regarding their rights and responsibilities under the CPRA. One final note is that Section 1798.199.100 states that the Agency “shall consider the good faith cooperation of the business, service provider, contractor, or other person in determining the amount of any administrative fine or civil penalty for a violation of this title.”

The California Privacy Rights Act (CPRA) expands the definition of personal information as it currently exists in the California Consumer Privacy Act (CCPA). The CPRA adds “sensitive personal information” as a defined term, which means:

(l) personal information that reveals:

(A) a consumer’s social security, driver’s license, state identification card, or passport number;

(B) a consumer’s account log-in, financial account, debit card, or credit card number in combination with any required security or access code, password, or credentials allowing access to an account;

(C) a consumer’s precise geolocation;

(D) a consumer’s racial or ethnic origin, religious or philosophical beliefs, or union membership;

(E) the contents of a consumer’s mail, email and text messages, unless the business is the intended recipient of the communication;

(F) a consumer’s genetic data; and

(2) (A) the processing of biometric information for the purpose of uniquely identifying a consumer;

(B) personal information collected and analyzed concerning a consumer’s health; or

(C) personal information collected and analyzed concerning a consumer’s sex life or sexual orientation.

This is perhaps the broadest definition of personal information in the country as it now includes entirely new classes of personal information such as racial, ethnic origin, religious or philosophical beliefs or union membership, the content of a consumer’s mail, email and text messages, genetic data, biometric data, and data collected and analyzed concerning a consumer’s health or sex life or sexual orientation.

What does this mean for a business that is covered by the CPRA? In a previous post, we provided a detailed overview of  the CPRA, but suffice it to say that if the business had to comply with CCPA, it also will likely be covered by CPRA. Given this new definition of sensitive personal information, one of the first steps in thinking about CPRA compliance will be to think about data mapping to determine whether the business collects any of these new categories of sensitive personal information. The CPRA is still very much a consumer-focused law with the goal of expanding consumer knowledge about the types of personal information businesses collect about consumers and how that personal information is used, sold, or shared. It will be a critical first step for businesses to understand the data and personal information they collect about consumers and whether they collect any sensitive personal information under this new definition.

According to the Los Angeles Times and other media outlets, Californians passed Proposition 24, also known as the California Privacy Rights Act of 2020 (CPRA). With 71.61 percent of precincts reporting, the measure passed with 56.1 percent of the vote. We wrote about the CPRA last week, and we provided an overview of this new privacy law in California that expands on the California Consumer Privacy Act (CCPA).

The CPRA has some new privacy provisions that pull from other privacy laws. Of particular interest in the CPRA are provisions to expand the restrictions on the sale of personal information to include the sharing of personal information, the regulation of automated decision making, the requirement of additional security and risk assessments for certain businesses, additional requirements for third parties, and the creation of a new regulatory agency for enforcement actions.

We will continue to review the CPRA and will provide more details soon regarding this new California privacy law and what it means for businesses.

Binary Check Ad Blocker Security News

The California Consumer Privacy Act of 2018 (CCPA) currently exempts from its provisions certain information collected by a business about a natural person in the course of the person acting as a job applicant, employee, owner, director, officer, medical staff member, or contractor of a business. This exemption is set to expire on December 31, 2020. In addition, the so-called business-to-business exemption for transactions and communications with the business that occur solely within the context of the business conducting due diligence regarding or providing or receiving a product or service to or from that company, partnership, sole proprietorship, nonprofit, or government agency is also set to expire on December 31, 2020.

Recent legislation passed in California would extend both of the exemptions until January 1, 2022. Assembly bill 1281, (AB 1281) which was presented to Governor Gavin Newsom on September 8, 2020, extends the one-year exemption for employee information and business to business information for another year until January 1, 2022. The bill also provides that the extension of these exemptions is contingent upon voters not approving the ballot Proposition 24, known as the California Privacy Rights Act of 2020 (CPRA). Should the CPRA pass on November 3, it would extend these exemptions until January 1, 2023. Some other highlights of the CPRA include the creation of a new category of sensitive personal information (SPI) that would give consumers the power to restrict its use, a provision that allows consumers to prohibit businesses from tracking their precise geolocation to a location of approximately 250 acres, and the addition of email and passwords to the list of defined “personal information” included in a data breach.

The key takeaway here is that if AB 1281 is enacted or if Proposition 24 passes, employee/job applicant information as well as business-to-business communications will continue to be exempt from the CCPA. Both AB 1281 and AB 713 regarding medical information, which we wrote about recently here, are currently on Governor Newsom’s desk.