All about the CPRA : is California getting even closer to our GDPR?

That’s it, a new bill is born in California. As usual on our blog, we are going to talk about personal data: it is the California Consumer Privacy Act (CCPA) of 2018, new generation. Indeed, it was the ancestor of the California Privacy Rights Act (CPRA). This one intended to be more protective and is a little closer to our dear General Data Protection Regulation (GDPR). But still,it is far from the mark.

When will it be applicable?

On the calendar, we have already passed the date of its adoption: on November 3, most Californian electors voted. For now, is just a “Law proposition”. A final regulation will be adopted on July 1, 2022 Even further : its enactment, scheduled for January 1, 2023. In addition, since January 1, it has frozen any other law on the same subject, making it a masterpiece of the protection of the privacy of Californians. But… Not really all “Californians”, because the definition of “people” concerned remains quite succinct.

Who is concerned?

Californian “consumers” and “households”. Be careful here, the definition of consumer is still nebulous. Well, in fact, lawmakers can be quite refrained from giving it to us. So you have to think backwards, well, not exactly, but all we are given is the definition of “business”, thus, we know who the law is for.

Let’s recap : Any company with lucrative business in the State of California, having annual gross revenues in excess of 25 million dollars ($ 25,000,000) in the preceding calendar year. But one parameter has changed: its is no longer annually buys, sells, or shares the personal information from 50,000 consumers or households but from 100,000. This further reduces the scope of the companies targeted by the text.

Nevertheless, the definition of household is intended to be more precise: means a group, however identified, of consumers who cohabitate with one another at the same residential address and share use of common devices or services.

Despite everything, in the introduction, the Legislator made the effort to give us a little history to show how much privacy was important to him. In 1972 ? Crazy right ?! So what in 1972 ? Well, Californian electors changed the Constitution to include the right to privacy with the “Inalienable” Rights of All. They are therefore the pioneers in terms of personal security against evil collectors and sellers of “personal information“.

Wait! But what is “personal information” already? Because this recipe for sensitive personal information seems to contain a lot of ingredients!

Information  that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household. This information can be :

• Identifiers such as a real name, alias, postal address, unique personal identifier, online identifier,
• Internet Protocol address, email address, account
• name, social security number, driver’s license number,
• passport number, or other similar identifiers.
• personal property, products or services purchased, obtained, or considered, or other purchasing or consuming histories or tendencies.
• Biometric information.
• Internet or other electronic network activity information, including, but not limited to, browsing history, search history, and information regarding a consumer’s interaction with an internet website application, or advertisement.
• Geolocation data.
• Audio, electronic, visual, thermal, olfactory, or similar information.
• Professional or employment-related information.
• Education information, defined as information that is not publicly available personally identifiable information as defined in the Family Educational Rights and Privacy Act (20 U.S.C. Sec. 1232g; 34 C.F.R. Part 99).
• Inferences drawn from any of the information identified in this subdivision to create a profile about a consumer reflecting the consumer’s preferences, characteristics, psychological trends, predispositions, behavior, attitudes, intelligence, abilities, and aptitudes.

Phew! In fact it’s more scary than Hollywood science fiction when you see all the personal information that is “exploited” by American companies. And yet this law “protects” only Californians. However, we may see duplicates with the list of what is considered sensitive personal information.

What to do with this new notion?

Californians will be able to choose to limit the use and disclosure of this information. Concretely, businesses will have to restrict usage to what is strictly necessary to perform the services or supply the goods reasonably expected by an average consumer. And if ever the company wishes to exceed this limitation, it must inform the consumer and obtain his agreement. In other words, the company will have to play it Great Lord with consumers and households by asking them for express authorization to be able to sell or share such information.

A contract must be settled to oblige third parties to ensure the same level of privacy protection and thus provide the same guarantee regarding data security. In addition, the business receiving a request from a consumer to delete their data, will have to inform the third parties with whom they share or sell the information.

In this case, the CCPA does not oblige service providers to respond to consumer opt-out requests. The law requires the latter to contact the company directly and authorizes the supplier to deny the request. Likewise, if the supplier is unable to say which companies he has the information from, it is up to the consumer to take the initiative to trace the source himself. But this is sometimes impossible. We must therefore hope that the strengthening of contracts with third parties will make it possible to remedy this shortcoming.

However, the text still does not provide for documenting the company’s activity in this area. There is still no mention of “register” or similar term as required with the GDPR. It is therefore to be expected that there will still be some vagueness in access to information.

But let’s get back to the major innovation…

Data Retention Requirement

Another timid rapprochement with the GDPR which already requires it since 2018. From now on, records will have to include a retention period for each category of personal information or determine length criteria if this period is impossible to establish. The CPRA wishes to prohibit retention beyond what is reasonably necessary.

It’s a bottle thrown overboard, as in the GDPR, it’s up to the company to put in place a data lifecycle policy. In Europe, it is the data controller who must find out in the regulations what are the legal periods or the legitimate retention periods. In Europe, it is the data controller who must find out in the regulations what are the legal periods or the legitimate retention periods. There is no guide, except possibly a data protection officer. But across the Atlantic, companies must manage to comply with this new obligation. We are in the land of the free so that makes sense, right? There may be laws planned, but CPRA does not say if we should refer to them.

• Civil actions:

We will say it again, there is nothing for consumers if companies do not comply with the provisions of the law to the letter. The consumer can only bring a civil action if their data has been breached when the company has not secured the data with an encryption or unredacted measure.

This is no longer the only possibility. Indeed, if there is unauthorized access with theft and exfiltration of data from an email address protected by a password or a security question, an action can be brought.

The amount of compensation remains the same: Minimum $ 100 and no more than $ 750 per consumer, per incident or per actual damage (you must therefore choose the higher of the two).

Before taking these actions, the consumer must notify the company, which then has 30 days to “heal” and institute measures ensuring that no further violation can occur. It is only after this 30-day period that the court can award compensation to the consumer. Above all, these companies should not waste their money compensating consumers! This is surely justified by the sums they will have to commit to implement adequate security measures…

What is the US administration doing against abuse?

Administrative actions

A budget of $ 5 million will be allocated to the Agency for its 2020-2021 fiscal year from the General State Fund. And $ 10 million for each fiscal year, adjusted for cost of living. By way of comparison, the CNIL has a budget of almost 20 million euros to fulfill its mission as guardian of human rights and privacy against the excesses of IT.

In addition, the “Consumer Privacy Fund”, which compensates for all costs incurred by the courts in connection with the actions brought, will be subsidized by the State Treasury to promote the protection and educate children in the area of online privacy. It will also fund programs to fight fraud and other illicit activities on consumer data.

Here’s how the Legislator thought about the budget for this privacy campaign:

91% will be invested in financial assets with the aim of maximizing returns over the long term. That is to say, it will be the money invested in the general fund to finance operations in this area.

Finally, these companies must derive 50% of their annual income from the sale or sharing of personal information (yes, californians don’t mean “personal data” like their european neighbors. You must know how to distinguish yourself… *cough*). Oops, keep our masks on and stay at home.

So that’s always a lot of conditions to feel concerned about protection. On the contrary, the GDPR protects the personal data of any natural person, processed by private or public entities, a consumer, an employee, a customer, a supplier, etc. And this, without any threshold. Clearly, it is not comparable.

Like its counterpart, the CPPA, the CPRA aims to regulate the rights a California resident may have over their personal information held by a company. As well as the responsibilities of the latter.

Besides, the law rather awkwardly equates “personal information” with a list of ingredients.

Indeed, the text justifies the contribution of increased consumer protection by offering them more control and visibility as they would have while shopping at the supermarket. And no, it is not overkill. Voters tell us : “In the same way that ingredient labels on foods help consumers shop more effectively, disclosure around data management practices will help consumers become more informed counterparties in the data economy”. While keeping in mind that this will “promote competition”. Yay, some Californian residents will be able to know what is done with their data as easily as what makes up their plates!

What else does this bill holds for us?

After an unbearable wait (nooo), on reading the CPRA, we discover an extraterrestrial CCPA notion of 2018. Uh no, we are not in an American science fiction. But, a new point comes into play. This is “sensitive” personal information. Aka the “sensitive data” of Europeans???

Sensitive personal information

As a reminder, “sensitive data”, in the European sense of the term, is information that reveals:

• The alleged racial or ethnic origin;
• Political opinions;
• Religious convictions;
• Philosophical convictions;
• Union membership;
• Processing of genetic data;
• The processing of biometric data for the purpose of uniquely identifying a natural person;
• Health data;
• Sexual life or sexual orientation

Their processing is in principle prohibited unless:

• The person has given consent;
• The information is clearly made public by the data subject;
• They are necessary for the safeguard of human life;
• If their use is justified in the public interest;
• And if they concern the members or members of a political, religious, philosophical, political or trade union association or organization.

Now let’s take our California prescription glasses to see what the law means by “sensitive personal information”:

• Consumer social security number; Driver’s license ;
• Identity card or passport number;
• Connection to a consumer’s account, financial account;
• Debit card or credit card number in combination with any required security or access code, password or credentials to access an account;
• Precise geolocation of a consumer;
• The racial or ethnic origin of a consumer;
• Religious or philosophical beliefs Union membership;
• The content of paper and electronic mail, SMS, unless the company is the direct recipient of the communication;
• The genetic data of a consumer;
• The processing of biometric information for the purpose of uniquely identifying a consumer;
• Information concerning the health of the consumer;
• Personal information collected and analyzed relating to a consumer’s sex life or sexual orientation.

This excludes sensitive personal information that is made public by the consumer.

Anyway, that’s a lot of things collected, used, sold and shared. But hey, the Americans have integrated it well: personal data must be a real business – as well as that of the food industry, QED. Remember: it’s all about etiquette.

Responsibilities incumbent on companies

In the US, you are in the realm of the personal information “deal”. After all, all the Silicon Valley companies are headquartered there. However, the Legislator tells us that we must place the consumer on an equal footing with businesses during negotiations. He explains to us that the consumer must come to understand “at a glance” whether a good or a service is expensive or affordable.

Unfortunately, it is often difficult to understand a company’s usage practices. For Californians, this is a waste of timen and time is definitely money! Thus, the consumer’s right of control must be strengthened. The intention is this : companies must be able to provide information on what exactly they hold as information about their consumers and determine the purposes of the processing. In essence, this is what was already applicable by the CCPA.

However, the law wanted to emphasize the relationship between companies and third parties. Indeed, any company must be able to provide information on “the commercial purpose of the collection, sale or sharing and the categories of third parties for whom the information is intended”.

In addition, as we saw above, consumers can limit the use of their sensitive information to what is strictly necessary. This is a good point which will be accompanied by two new rights:

• the right to ask businesses to rectify inaccurate personal information maintained by the business. It is a right that we already have in Europe since GDPR 2018.
• The right to refuse the sharing of personal information that establishes “contextual behavioral advertising“. It’s a California-specific right that we don’t have here. We have the right to object to processing, but we are not aware of this right to prohibit sharing because, in principle, the controller does not share personal data with third parties. Here it looks like the right not to consent to cookies being used by a website.

As a result, a California business’s web page display settings should display 3 choices to the consumer. These three choices can appear on a single link.

• The choice to disable the sale, sharing of personal information and limitation of sensitive information.
• The choice to limit sensitive information.
• Choosing not to sell or share my information for behavioral advertising.

Unless this is “technically impossible”, of course, one must always foresee the impossible or else justify the exploitation of data under the guise of “guaranteeing the safety” of consumers. It is recalled that the choice to refuse the sale or the sharing, must not degrade the consumer’s experience. This is the principle of the right to non-discrimination which was already mentioned by the CCPA in 2018.

And if not, are there penalties for any breach of the law … ?

Sanctions

Regarding offenses, the 2018 CCPA provides that the Attorney General can hold companies liable for each violation. The amount of up to $ 2,500 and $ 7,500 for each intentional violation.

In the CPRA if the violation, even unintentional, involves a minor under the age of 16, the penalty will be directly increased to $ 7,500.

And great novelty!

The sanction must be brought by a new player: the California Privacy Protection Agency.

The California Privacy Protection Agency.

Let’s talk about this new creation. Will it perform the same functions as our dedicated Commission Nationale de l’Informatique et des Libertés (CNIL)? “An independent watchdog” are the words used by the West Coast Legislator to describe the Agency.

The Agency’s missions

• Ensure that companies respect the protection of privacy
• Implementation of administrative sanctions
• Promote public awareness and understanding of risks, rules, responsibilities, guarantees and rights.
• Provide advice to consumers regarding their rights
• Provide advice to companies regarding their responsibilities and appoint a Chief Privacy Auditor to perform audits.
• Provide technical assistance and advice to the Legislator regarding the protection of privacy
• Cooperate with other relevant agencies in terms of privacy law

Having an independent actor overseeing the application of the rules will likely make the measures more effective. This is a sure additional guarantee of privacy protection. The Agency may be able to push for a broadening of the scope of the law.

But by what will it be financed?

The budget

9% will be made available to the California Privacy Agency, of which 3% will be allocated to the following categories:

• Non-profit organizations and public agencies, including schools, to educate children about online privacy;
• Locals and state law enforcement agencies;
• Cooperation programs with international law;
• Law enforcement agencies to combat fraud and consumer data breach activities.

We see a small investment effort from California to say that it cares about the privacy of its residents.

Let’s take stock of all this…

Despite the lawmaker’s tirades advocating increased consumer protection, the words seem unbalanced in the face of what is actually put in place by the text.

The angry points:

• A scope that has been restricted: the law targets companies that no longer sell, share or buy the information of 50,000 consumers and households, but 100,000;
• A low budget to guarantee a private life neglected for too long;
• Always the principle of the opt-out: you must say not to use your data rather than authorize it.

Points for improvement:

• The introduction of a new category of information: sensitive personal information;
• Two new rights: the right to correct and the right to limit the use of sensitive personal information;
• The creation of the California Privacy Agency;
• A budget committed to privacy programs, no matter how shy, the effort can be noted.

But what would be the consequence if ever all residents refused to sell their personal data?

Facebook makes 22 billion profit in 2018 thanks to the immense volume of personal data it has from its users. However, the legislator pointed out that it is thanks to these gains that these services do not charge consumers any fees. In the future, will we have to pay any fees to use the platform? This is not just a distant dream: in France, we are starting to see sites that leave only a very limited choice to its users: It is either you accept cookies and your personal data is used, or you pay an entrance fee. For example, Allociné offers a price of 2 euros for 1 month. The CNIL was not in favor of “Wall Cookies” but they are not totally prohibited. For information, since April 1, the CNIL began its control actions on the use of cookies and the collection of consent. We will see in the future whether these practices will remain permitted.

In the meantime, we will have to meet again in 2023 to see if there are any developments at the level of the CPRA and realize the consequences of the application of the law. Until then, changes can be made.

You see, the American dream has a lot of dark sides, but if you are GDPR compliant, don’t panic, you are already one step ahead of them when it comes to personal data protection!