From CCPA to CPRA:
New rules for handling consumers’ rights
New Year, new consumers’ rights for Californian residents. With 1 January, 2023, the CPRA, sometimes also referred to as CCPA 2.0, entered into force. Main changes are related to privacy rights of Californian residents with the CPRA introducing new rights as well as amending rights already granted under CCPA.
The high relevance of these changes come from the increasing awareness of consumers for privacy related issues. Consumer behaviour is changing almost as quickly as global privacy regulations. With the increasing awareness the number of requests that companies face is constantly on the rise. In addition to volume, the complexity of dealing with requests across multiple jurisdictions in parallel and having to tailor processes for each regime presents a challenge for companies and can require the investment of significant resource.
This article is the first in a series designed to give clear guidance on the handling of consumer rights under the revised CCPA, the new CPRA. Below we set out the general steps to managing CPRA requests. Subsequent articles will deal with the mechanics of specific rights.
I. CCPA; CPRA AND THE REGULATIONS
The CPRA is an amendment of the CCPA changing the privacy related provision in the Californian Civil Code. With the new amendments by CPRA Californian residents are granted the following rights:
- Right to delete personal information
- Right to correct inaccurate personal information
- Right to know:
- what personal information is being collected and access such information
- what personal information is sold or shared and to whom;
- Right to opt out from sale and sharing
- Right to limit use and disclosure of sensitive personal information
- Right of no retaliation following opt out or exercise of other rights
The CCPA is supplemented by regulations (CCPA Regulations) providing guidance to businesses mainly on how to comply. The power to lay down the CCPA Regulations vested with the Attorney General. Under the CPRA the rulemaking authority is transferred to the newly established California Privacy Protection Agency (CPPA), which proposed amendments of the CCPA Regulations with the purpose to:
- update existing CCPA regulations to harmonize them with CPRA amendments to the CCPA;
- operationalize new rights and concepts introduced by the CPRA to provide clarity and specificity to implement the law; and
- reorganize and consolidate requirements set forth in the law to make the regulations easier to follow and understand.
The deadline for these new CPRA Regulations was 1 July, 2022, but it was extended into 2023 with the effect that the CPRA entered into force without the supplementing regulations. As the enforcement of the CPRA will not begin until July 1, 2023, it leaves some time still for the CPPA to publish the revised regulations under the CPRA but this shortens the time left for companies to comply. This article assumes that the proposed CPRA regulations will not see substantial changes regarding the general steps to manage Californian consumer requests.
II. GENERAL STEPS IN MANAGING CPRA REQUESTS
The steps of handling privacy requests can be split into general steps required for more than one type of request and specific steps which are unique for one type of request. The general steps are not necessarily the same for all types of rights but deal with the same process step:
1. Intake of request
The CPRA defines the term “designated methods for submitting requests” by listing certain established methods (such as mailing address, email address, internet web page, internet web portal, toll-free telephone number) and by leaving scope for the introduction of new consumer-friendly means of contacting a business (technological neutral approach). Businesses are required to provide at least two designated methods for submitting requests. Which methods to offer is not entirely up to a business, but partially stipulated in the CPRA. For requests to delete, requests to correct, and requests to know the following scheme applies:
- If a business operates exclusively online and has a direct relationship with a consumer, it shall only be required to provide an email;
- If a business doesn’t operate exclusively online, it shall provide two or more designated methods for submitting requests:
- If a business has a website, one of those methods must be a webform;
- at a minimum, a toll free telephone number;
- If the consumer has an account with the business, the business may require the consumer to use that account to submit a request.
Neither the Attorney General nor the CCPA says, what “operate exclusively online” or “having a direct relationship with a consumer” means, it can be assumed that this means:
- the business does not have any physical customer premises but instead offers their services via a website; AND
- the business provides their goods or services directly to the customer instead of via or on behalf of third parties.
For requests to opt-out from sale and sharing of personal information one of the designated methods must be an interactive form accessible via link on the business’s website. The link shall read, “Do Not Sell or Share My Personal Information.”
Receipt of a request does not automatically mean that a business must handle it. Eligible to the rights granted by CPRA are only Californian residents. Californian residents include:
- every individual who is in the State of California for other than a temporary or transitory purpose, and
- every individual who is domiciled in the State of California who is outside the State for a temporary or transitory purpose.
Eligibility does not, therefore, depend on the geolocation of an individual. In case there is uncertainty relating to the residency of an individual, a business facing a request may require a consumer to provide proof that they are a resident of California.
3. Verifiable consumer request – Identification
The CPRA uses the term “verifiable consumer request” and defines it as a request that is made by a consumer that the business can verify, using commercially reasonable methods, to be the consumer about whom the business has collected personal information.
If a business cannot verify the request it is prohibited to comply with requests (i) to know, (ii) to delete or (iii) to correct data, meaning that the identification of the consumer is a precondition for taking action on the request. It is important to note that requests to opt-out of sales or sharing, as well as requests to limit the use and disclosure of sensitive personal information do not require identification.
A consumer request is verified, if a business can verify that it has collected personal information about the requesting consumer. A business is only required to use commercially reasonable methods. The effort would be disproportionate, if the time and/or resources expended by the business to respond to the request significantly outweighs the reasonably foreseeable impact to the consumer by not responding.
When a consumer uses an authorized agent to submit a request, a business may require the authorized agent to provide proof that the consumer gave the agent signed permission to submit the request.
4. Third Party – Processor
In case of requests to delete, opt-out or limit the use or disclosure of sensitive personal data a business shall notifying all third parties to whom the business has sold or shared the personal information to also comply with the consumer’s request and forward the request to any other person with whom the third party has disclosed or shared personal information.
The rules on when businesses shall react and respond to a consumer privacy request differ and depend on the type of right.
In case of requests to delete, requests to correct, and requests to know a business shall confirm receipt of the request within 10 business days and shall provide information about how the business will process the request. The final response shall be delivered no later than 45 days from receipt of the request with the option to prolong this period for another 45 days to a total of 90 days.
By contracts, a business has a maximum of 15 business days to comply with requests to opt-out of sale/sharing and requests to limit use and disclosure of sensitive personal information.
|Rights to||Timeline||Action required|
|- Know |
|10 business days||- Acknowledge request |
- provide information on response process
|- Know |
|45 calendar days |
Possibility to extend a further 45 calendar days
|- Verify request |
- Provide final response
|- Opt-out |
|15 business days||Comply with request|
There are a number of general exemptions that a business may be able to rely upon for not having to comply with a consumer request, including but not limited to:
- that no obligation shall restrict a business’s ability to comply with a range of obligations including the need to comply with federal, state or local laws, comply with civil, criminal or regulatory enquiries, investigations etc, cooperate with law enforcement and government agencies or exercise or defend legal claims; that no obligation shall restrict a business’s ability to collect, use, retain, sell, share or disclose consumers’ personal information that is deidentified or aggregate consumer information or collect, sell or share consumer’s personal information if every aspect of that commercial conduct takes place wholly outside of California; Sectorial specific exemptions such as in respect of medical information no duty on a business to disclose trade secrets;
- exemption for activities relating to a consumer’s credit worthiness etc;
- exemptions for certain information collected, processed, sold or disclosed subject to identified US legislation;
- exemptions relating to certain vehicle and ownership information;
- requests that are manifestly unfounded or excessive, in particular because of the repetitive nature. A business may either choose to charge a reasonable fee for handling the request, taking into account the administrative cost of providing the information or communication or taking the action requested, or opt to refuse to act on the request and notify the consumer of the reason for refusing to do so. The burden of demonstrating that a verifiable consumer request is manifestly unfounded or excessive rests with the business wishing to rely on the exemption;
- requests relating to household data.
Prighter Group is centered around the mission to enable companies around the world to conduct international business in compliance with multiple data protection regimes. We provide specialised privacy representation services in combination with a SaaS solution for the management of your privacy related interactions, allowing company to reach out to new markets in compliance with the local data protection laws. Bringing together the best of both software and professional legal services, delivers our market leading privacy offering. Grow your business with confidence, protected by Prighter.
For more privacy related news and content follow us on Linkedin