CCPA 2.0 is set to come into effect on Jan. 1, 2023 meaning CCPA compliance alone, may soon not be enough for businesses operating in the Golden State.
Officially known as the California Privacy Rights Act (CPRA) and proposed by Californians for Consumer Privacy coalition as ballot Proposition 24 (Prop 24) in the recently concluded US General Election, CCPA 2.0 is focused on not only strengthening, but also expanding the scope of the existing California Consumer Privacy Act (CCPA), hence the name, CCPA 2.0.
Furthermore, the CPRA is also expected to address ambiguities identified under the CCPA.
Although CCPA 2.0’s provisions are expected to come into effect on January 1, 2023, it is important for businesses operating in California to start preparing in advance for the enforcement of the CPRA.
Early readiness is important because the precedent set by the GDPR, and later, California’s CCPA, as well as Brazil’s LGPD, is for businesses to implement data protection measures by design and default.
So, which provisions of the CCPA are expected to be affected by clarification changes introduced by CCPA 2.0?
- Expanding The CCPA definition of personal information
- New definition for consent
- Making changes to the CCPA cookie notice at collection
- Strengthening CCPA protections for children’s data
- Introducing an independent data protection enforcement body
- Introducing a clear data security obligation for businesses
- Expanding the written agreements’ requirements for service providers
- Extending of the employee personal information and B2B data exemptions
- Increasing data breach liability exposure for businesses
Definition of Personal Information under CCPA 2.0
One of the notable changes to be introduced by the California Privacy Rights Act (CPRA), is the introduction of a new subcategory of personal data referred to as “Sensitive Personal Information.”
In a move widely considered as following the precedent set by the GDPR, the CPRA specifically defines the following as what you can consider sensitive personal information;
- A consumer’s racial or ethnic background
- Religious beliefs
- Union membership
- Contents of a user’s email or text messages
- Genetic information
- A user’s sexual orientation
- A consumer’s account login, financial account, debit or credit card, alongside any other necessary security or access code, password, or credentials that facilitate access to an account
- A consumer’s specific geolocation
Consent under CCPA 2.0
With the CPRA comes an amended definition that expands the scope of what consent entails in the current CCPA framework. There is a general feeling that this definition is inspired by the GDPR’s definition of cookie consent.
Basically, the CPRA defines valid consent as being;
- Freely given
What this means is; valid consent under CCPA 2.0 must is based on clear and affirmative action from the user indicating their willingness to allow you to share their personal data for a specific purpose.
However, it is important to note that unlike GDPR, CCPA 2.0 only requires prior consent from minors under 16 years of age and only for sharing of their data, not for collection.
If you are already compliant with GDPR, this requirement may not pose a big challenge. However, if you are only CCPA-compliant, you will be expected to stop relying on implied consent through the continuous use of a service.
Notice at Collection under CCPA 2.0
CCPA 2.0 adopts some changes to this requirement and provides some clarifications to ambiguities identified in the current CCPA framework. Essentially, CPRA compliance will require you to reveal to your users;
- The categories of sensitive personal information you collect, if any, and the purposes for which you collect or use it. Additionally, you must reveal whether you sell or share this kind of information.
- The duration you intend to keep each category of personal and sensitive personal information you collect or the criteria you use to set this retention period.
- The categories of personal data you share or sell to third parties.
- A clear “Limit the Use of My Sensitive Personal Information” link to the homepage. You are allowed to integrate together with the CCPA’s existing requirement for a “Do Not Sell My Personal Information” link.
CCPA 2.0’s Requirements for the Protection of Children’s Data
With CCPA 2.0, you will be required to have a clear opt-in for minors under the age of 16 before any business can share or sell their data.
However, unlike the current CCPA, the California Privacy Rights Act (CPRA) imposes a fine three times heavier than an ordinary penalty if you are found to violate data protection requirements in the collection or processing of children’s personal data.
The California Privacy Protection Agency
Similar to Brazil’s LGPD, which created a national data protection agency referred to as the ANPD, CCPA 2.0 will set a precedent in the US with the creation of a government agency whose core duty will be to safeguard the privacy and digital rights of California residents.
Set to be known as the California Privacy Protection Agency (CPPA), additional duties of this body will be;
- To inform consumers about privacy risks
- Guide users and businesses about their privacy rights
- Issue and enforce fines for data protection violations, with the standard fine being $2,500, which can go up to $7,500 if the violation is intentional.
Additionally, you should be aware that the CPPA, in collaboration with California’s Attorney General can carry out audits and risk assessments on your enterprise if you process consumer data.
Data Security Requirements under CCPA 2.0
One of the key measures you will need to undertake under CCPA 2.0 unlike the situation in the existing CCPA framework is to identify the data categories that will be classified as sensitive data.
Imagine a situation where sensitive personal information is integrated with other categories of personal data and is not systematically organized. In this scenario, you may encounter challenges in applying the CPRA’s “Limit the Use of My Sensitive Personal Information.” requirement adequately.
For this reason, CCPA 2.0 will require you to create a standardized data protection framework consistent with various data protection laws and standards.
It is advisable to have dedicated personnel within your company to oversee your data security program.
Additionally, you need to carry out a risk assessment of your current environment with a key focus on;
- Compliance gaps that may attract penalties
- The compliance status of your cookie and privacy notices
- Carrying out privacy impact assessments
- Data subject rights requests’ responses
- Security controls
CCPA 2.0 on Service Providers and Written Agreements
While the existing CCPA’s definition of service providers is ambiguous, CCPA 2.0 explicitly defines the role of service providers. The key change that comes with this clarification is that service providers are explicitly prohibited from selling or sharing personal information.
Similarly, the CPRA prohibits service providers from combining data received from or on behalf of a data controller with personal data received from other sources, including the service provider’s own engagements with a user.
CCPA 2.0 also introduces explicit requirements for service providers to help data controllers in address verifiable consumer requests that a business may get. This specific help should be informed by the type and purpose of the processing activity involved.
Another crucial change under CPRA in relation to service providers is that you need to have a written agreement that meets specific set provisions.
The provisions are;
- Requiring the service provider to comply with CCPA and CCPA 2.0 as applicable
- Giving the business the right to take necessary steps to guarantee that the third party, contractor, or service provider uses the personal information shared with them in accordance with the CCPA or CPRA.
Business-to-Business Data and Employee Personal Information under CCPA 2.0
While the CCPA’s employees’ personal information and user data collected in a business-to-business context are set to expire on January 1, 2021, the CPRA provides an extension to these exceptions immediately.
30-day Cure Period under CCPA 2.0
In the current CCPA framework, you have a 30-day grace period to address a data breach that may affect the personal data of your users before you are liable for administrative action.
However, the CPRA will remove this 30-day cure period for an alleged data breach or non-compliance.
What this means is that you need to adopt data protection by design and default approach in your company to avoid CCPA 2.0 non-compliance penalties since you will not have a guaranteed chance to address any case of non-compliance before your company is subject to a fine.
CCPA 2.0’s Preemption
CCPA 2.0 makes it clear that it supersedes and preempts all laws and regulations established by local or municipal governments in California concerning the collection and sale of consumers’ personal data.
The Private Right of Action under CCPA 2.0
Although the private right of action provision is already in effect under the current CCPA framework, the recently adopted Prop 24 provides an update to this provision.
Specifically, CCPA 2.0 guarantees users a private right of action in case of unauthorized access or disclosure of an email address and password or security question for an account so long as the access is connected to your company’s inability to implement reasonable data protection measures.
Secure Privacy and CCPA 2.0
If you are an enterprise operating in California and subject to CCPA compliance, it is important to review and understand the changes and updates set to be introduced by CCPA 2.0 following the approval of Prop 24 in the just-concluded US General election.
Although a lot can change between now and Jan 1, 2023, you need to remain compliant with CCPA, while getting ready to comply with the CPRA when it comes into force.
To learn more about how Secure Privacy can help you comply with CCPA, book a call with us and request a demo of our powerful compliance tool.
California Governor’s Notice on CCPA 2.0
What is CCPA and how to make your website compliant guide