With CPRA, California Takes Another Leap Closer to GDPR

But companies will need distinct compliance strategies for these key reasons.

California voters just passed Proposition 24—a ballot initiative known as the California Privacy Rights Act (CPRA).[1]  CPRA will officially supersede the California Consumer Privacy Act (CCPA) on January 1, 2023.

CCPA already provides various rights that mirror those granted by Europe’s General Data Protection Regulation (GDPR), such as a right to delete personal information, and a right to request that a business disclose its general personal information collection practices as well as identify specific personal information that it has collected.  Both laws also require businesses to inform individuals of their rights by posting a privacy policy, and to enter into written contracts with other entities to ensure privacy compliance.  Both give additional protections to minors. Both address data security.

CPRA retains CCPA’s core rights, and turbocharges California’s enforcement capabilities by establishing the California Privacy Protection Agency (CPPA)—just as GDPR established Data Protection Authorities.  California’s Attorney General will retain discretionary authority to pursue investigations or civil actions, but CPPA will take on most privacy enforcement activity.  And it will have plenty of resources to do so, with an annual budget of $10 million.  According to Californians for Consumer Privacy (CPRA-mastermind Alistair Mactaggart’s nonprofit organization), “[t]his funding would equate to roughly the same number of privacy enforcement staff as the FTC has to police the entire country (the FTC has 40 privacy professionals).”[2]

CPRA also adds several new provisions that bring California’s legislative framework closer to GDPR.  New GDPR-like rights include a right to correct personal information and a right to opt-out of “profiling” conducted by automated processing.  Moreover, embracing the spirit of GDPR’s data minimization principle, CPRA instructs that personal information should be kept no longer than reasonably necessary for the purposes the business has disclosed to the consumer.  Some businesses will have to perform risk assessments, which could resemble GDPR’s data protection impact assessments (CPRA does not specify which businesses will be subject to this requirement, and instead tasks the new agency with fleshing out implementation details).  Businesses that offer goods or services in Europe and California will thus continue to find significant areas of overlap in their compliance efforts.

However, compliance with one jurisdiction’s requirements will never provide full coverage in the other for several reasons.

First, CPRA retains CCPA provisions that go beyond GDPR requirements and introduces a new right to prohibit geolocation tracking that may also exceed GDPR obligations.  Notably, California consumers will continue to have a right to opt-out from the “sale” of their personal information, and businesses will still have to post a “Do Not Sell My Information” link.  CPRA even expands “do not sell” rights (and constrains creative workarounds) by giving individuals the ability to prevent “sharing” for “cross-context behavioral advertising,” as well as selling.  Thus, businesses that provide information to advertising partners to deliver interest-based advertising will have to honor consumer opt-out requests. 

CPRA also regulates the offering of financial incentives in exchange for personal information.  GDPR does not contain equivalent requirements.  And short of preemption by a future federal privacy law, there is little chance that California will ever scale back these requirements.  CPRA expressly provides that the law can only be amended by the legislature if the amendments are consistent with the stated purpose of the law—protecting consumer privacy.  Any change that weakens consumer rights would be challenged in court.  The only other option would be to pursue an expensive (and likely unpopular) ballot initiative process.  Even the ad industry may balk at that road.

Second, GDPR applies more broadly than CPRA and contains its own unique requirements.  Notably, GDPR applies across every industry.  CPRA is preempted by sectoral federal laws such as GLBA and HIPAA (at least with respect to activities conducted for certain banking or healthcare purposes).  Similarly, GDPR applies to the data of any data subject (natural person) residing in the European Union—which means it extends beyond customers to cover prospective or current employees and independent contractors, and even business-to-business contacts.[3]  By contrast, CPRA expressly delays compliance obligations with respect to business-to-business contacts and in most employment contexts (other than rights to know what personal information is collected) to 2023 in order to give the legislature more time to negotiate with labor groups and employers.  GDPR also expressly restricts certain cross-border data transfer activities.  CPRA does not have such requirements.

Third, despite sharing core rights, CPRA and GDPR nonetheless diverge in ways that impact implementation.  One key philosophical difference is that CCPA (and now CPRA) is an opt-out regime, while GDPR is an opt-in regime.  Thus, even though CPRA introduces a new category of “sensitive personal information” that is a broader version of GDPR’s “special categories of personal data,” businesses only need to give California consumers notice and a means to limit the use or disclosure of sensitive personal information to certain necessary purposes, but businesses cannot process similar data without first obtaining affirmative opt-in consent from consumers in the European Union.  Likewise, CPRA focuses more on disclosure of the business or commercial purpose of collection, whereas GDPR more rigorously requires businesses to have “legal bases” for processing personal information. 

Other implementation differences may not have deep philosophical roots, but nonetheless require precise differences in mechanics.  For example, the laws specify different time frames for responding to requests from individuals.  CPRA indicates that its implementing regulations will establish technical specifications for an opt-out signal that identifies children as less than 13 or between 13 and 16.

And there are other more subtle but potentially significant differences.  The laws categorize third parties such as service providers somewhat differently.  They even provide slightly different definitions for basic concepts such as “personal information.”  CPRA introduces more specific examples of interactions that do not constitute consent and expressly prohibits the use of “dark patterns” (defined as “a user interface designed or manipulated with the substantial effect of subverting or impairing user autonomy, decision-making, or choice”).  Differing terminology requires different wording in privacy policies, notices, and contracts to ensure compliance.

In addition, California’s forthcoming new privacy agency has until July 1, 2022 to finalize implementing regulations for CPRA.  Whoever leads the CPPA (five Board members will be appointed within the next several months) may well bring a different philosophy to the task of drafting regulations than Attorney General Xavier Becerra did when drafting CCPA regulations.  Such implementing regulations could introduce more differences in operationalizing compliance programs in multiple jurisdictions.

Fourth, interpretation of the laws will evolve separately in each jurisdiction.  Guidance or enforcement decisions issued by a European regulator interpreting GDPR may differ from those issued by a California regulator or court interpreting CPRA, even when considering similar concepts or fact patterns.  Moreover, GDPR has not fully harmonized the privacy laws of European countries.  GDPR expressly allows countries to adopt their own implementing rules.  For example, countries may choose different ages for the privacy rights of teenagers.

Thus, there is no substitute for tailoring compliance strategies to specific jurisdictions.  Although the time frame for achieving CPRA compliance is, thankfully, far longer than the hurried window for CCPA compliance, businesses should start taking CPRA into account when launching new products and making long-term business plans. 


Footnotes

[1] See https://www.oag.ca.gov/system/files/initiatives/pdfs/19-0021A1%20%28Consumer%20Privacy%20-%20Version%203%29_1.pdf

[2] See https://s25kktkjvr2g7bnh48bvn812-wpengine.netdna-ssl.com/wp-content/uploads/2020/04/WhyCPRA.pdf  (emphasis in original, bold removed). 

[3] See https://gdpr.eu/article-88-processing-of-employees-personal-data/; https://ico.org.uk/for-organisations/in-your-sector/marketing/the-rules-around-business-to-business-marketing-the-gdpr-and-pecr/ 

Written by Laurel Kilgour