
The California Privacy Rights Act of 2020 (CPRA 2020) modifies and extends the California Consumer Protection Act of 2018 (CCPA 2018). It is concerned with protecting the personal information of Californian consumers that certain businesses obtain, process and possibly share with or sell to other parties.

In a nutshell, CPRA 2020 has the following key terms and features:

Consumer

A natural person who is a California resident.

Personal information

Information not publicly available that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household of consumers.

Sensitive personal information

A sub-category of personal information used to separate out aspects of personal information deemed to be more sensitive than other aspects, including:

  • Personal information that reveals a consumer’s:
    • Social security, driver’s licence, state identification card or passport number
    • Account log-in, financial account, debit card or credit card number in combination with any required security or access code, password or credentials allowing access to an account
    • Precise geolocation
    • Racial or ethnic origin, religious or philosophical beliefs or union membership
    • Mail, email and text message contents, unless the business is the intended recipient of the communication
    • Genetic data
  • The processing of biometric information for the purpose of uniquely identifying a consumer
  • Personal information collected and analysed concerning a consumer’s health, sex life or sexual orientation.

Business

An organisation meeting the following criteria:

  • A for-profit legal entity that does business in California, collects or has collected on its behalf consumers’ personal information and sensitive personal information, that alone or with others determines the purposes and means of processing such information, and meets one or more of the following criteria:
    • As of January 1 in a calendar year had annual gross revenues exceeding USD25M in the preceding calendar year, as adjusted every odd-numbered year to reflect any increase in CPI
    • Alone or in combination, annually buys, sells or shares the personal information of 100,000 or more consumers or households of consumers
    • Derives 50% or more of its annual revenues from selling or sharing consumers’ personal information.

Consumer rights

CPRA 2020 will allow consumers to:

  • Request, and receive within 45 days (or 90 days if extended by notice to the consumer), details of the specific categories of personal information that have been collected about them in the 12-month period preceding the request, the categories of sources from which that information was collected, the reasons for its collection, the categories of third parties to whom it has been sold or shared (if any), and the categories of service providers and subcontractors to whom it has been disclosed (if any)
  • Control the use of their personal information, including their sensitive personal information and, via opt-out options, its sale to or sharing with other parties
  • Access their personal information and correct it, delete it, and take it with them from one business to another via a commonly used and machine-readable format via easily accessible self‐serve tools, or allow their authorised agents to do so
  • Exercise these rights without being penalised in any way for doing so
  • Hold businesses accountable for failing to take reasonable precautions to protect their most sensitive personal information from hackers and security breaches
  • Benefit from businesses’ use of their personal information.

Service provider

A person who processes a consumer’s personal information on behalf of a business, in accordance with a written contract agreed with the business, following receipt of that information from it or on its behalf.

A service provider may engage any other person to assist it in processing personal information for a business purpose on behalf of the business. It must do so via a written contract with the other person obliging it to observe all the requirements established in the service provider’s own contract with the business, and notify the business of such engagement.

Similar arrangements apply if any other person engaged by the service provider engages another person itself to assist it in processing personal information for a business purpose.

Contractor

A person to whom a business makes available a consumer’s personal information for a business purpose, in accordance with a written contract agreed with the business.

A contractor may engage any other person to assist it in processing personal information for a business purpose on behalf of the business. It must do so via a written contract with the other person obliging it to observe all the requirements established in the contractor’s own contract with the business, and notify the business of such engagement.

Similar arrangements apply if any other person engaged by the contractor engages another person itself to assist it in processing personal information for a business purpose.

Third party

A person who is not:

  • A business with whom a consumer intentionally interacts and that collects personal information from the consumer as part of such interaction
  • A service provider
  • A contractor.

A business may sell personal information to, or share it with, a third party in accordance with a written contract agreed with the third party.

Business Responsibilities

In terms of key responsibilities, a business must:

  • Inform consumers about the following with respect to the collection of their personal information, in a notice at or before the point of collection:
    • the categories of non-sensitive and sensitive personal information to be collected
    • the categories of sources from which it is collected
    • the purposes for which it is collected or used
    • whether it is sold or shared
    • length of data retention for each category, or the criteria used to determine that duration, that is reasonably necessary for the disclosed purpose
  • Establish a contract with any service provider or contractor it discloses personal information to, or any third party it sells personal information to or shares personal information with
  • Only collect consumers’ personal information for specific, explicit, and legitimate disclosed purposes, and not further collect, use, or disclose consumers’ personal information for reasons incompatible with those purposes without first providing the consumer with appropriate notice and choice
  • Collect consumers’ personal information only to the extent that it is relevant and limited to what is necessary in relation to the purposes for which it is being collected, used, and shared
  • Provide consumers or their authorised agents with at least two easily accessible means to allow consumers and their children to obtain their personal information, to delete or correct it, and to opt‐out of its sale and the sharing across business platforms, services, businesses and devices, and to limit the use of their personal information
  • Act on any verifiable request from a consumer to have their information deleted (where it is not required to be retained for some purpose), and pass that request on for action to any service providers, contractors and third parties who process the consumer’s information, and right down any chain of their sub-processors
  • Not sell or share the personal information of a consumer or minor consumer following receipt of their direction to not sell or share it
  • Not penalise consumers for exercising their rights under CPRA 2020
  • Take reasonable precautions to protect consumers’ personal information from a security breach
  • Disclose certain information in its online privacy policy or on its website, covering:
    • A description of a consumer’s rights to know what personal information is being collected, to access that personal information, to know what personal information is sold or shared and to whom, and to suffer no retaliation following opt-out or exercise of other rights, as well as two or more methods for submitting requests about that personal information
    • A list of the categories of personal information about consumers it has collected, sold or shared, or disclosed for a business purpose in the preceding 12 months
    • A list of the categories of personal information about consumers it has not sold or shared or disclosed for a business purpose in the preceding 12 months

Activity relationships between the participants in CPRA 2020

The following diagram summarises at a very high level how Californian consumers’ personal information can be obtained and moved between the key players who might process it.

California Privacy Protection Agency (CPPA)

The CPPA is the body tasked with formulating and promulgating various regulations covering a wide range of issues specified in CPRA 2020 as candidates for consideration. Some of these issues relate to very specific terms to be included in contracts a business might arrange with service providers and contractors for processing consumers’ personal information on the business’s behalf.

One notable possible regulation would require businesses whose processing of consumers’ personal information presents significant risk to consumers’ privacy or security, to submit to the CPPA on a regular basis a risk assessment with respect to their processing of that information.

When a business uses service providers, contractors or third parties to perform such processing, enactment of such a regulation would require the business to conduct a risk assessment on each of those other parties in order to prepare an overall assessment for the CPPA.

There appears to be no strict timetable in place for the development of any such regulations. No doubt the CPPA will issue public statements about the enactment, applicability and timing of new regulations when it is ready to do so. It will then be up to the affected businesses to do what’s needed to comply with all such regulations.

Readiness for CPRA 2020

CPRA 2020 will go into effect 1 January 2023 and be enforceable from 1 July 2023.

By 1 January 2022 though, businesses that will be subject to CPRA 2020 from 1 January 2023 should have addressed any necessary changes to their privacy policies and programs in order to be compliant with CPRA 2020 obligations regarding the reporting of historical data.

For such businesses, the following actions should have been taken, or still might need to be, to prepare for CPRA 2020 compliance.

1. Operational / Technical Actions

Automated decision-making

  • Disclose the logic involved in any automated decision-making technology with respect to cross-context behavioural advertising, as well as a description of the likely outcome of the process
  • Expand the opt-out function to include opt-out of the use of automated decision-making technology, including profiling.

Data minimisation limits on purpose and storage

  • Ensure that use, retention and sharing of personal information is reasonably necessary and proportionate to achieve the purposes for which the personal information was collected or processed, or for another disclosed purpose.

High-risk processing activities

  • Review practices with respect to data collection and use, and identify processing that may represent significant risk to consumers’ privacy or security
  • Where high-risk processing activities are identified, prepare a process for performing annual cybersecurity audits.

Data use limitation and opt-out functions

Sensitive personal information:

  • Map data flows with respect to the collection, use and sharing of sensitive personal information
  • Implement an internal function to receive and respond to requests to limit the sharing of sensitive personal information
  • Post a ‘Limit the use of my sensitive personal information’ link, or combine with a ‘Do not sell or share my personal information’ link on the business’s website

Data sharing (for businesses that engage in cross-context behavioural advertising):

  • Expand the opt-out function to include opt-out of data sharing
  • Map practices and data flows with respect to the collection, use and sharing of personal information, including data sources and parties to whom such information is disclosed.

Updates to privacy policies and notices

Website privacy policies:

  • Add categories of sensitive personal information collected, purposes of collection, and whether sold or shared
  • Add new rights (request correction, and restrict use and disclosure of sensitive personal information)
  • If applicable, add disclosures regarding data-sharing for cross-context behavioural advertising purposes
  • Add information about any use of automated decision-making technology.

Notice at the point of collection:

  • Add categories of sensitive personal information collected and purposes of collection
  • Add whether any personal information is sold or shared
  • Add data retention periods for each category of personal information collected.

2. Contract Actions

Identify service providers and contractors

Review data disclosures to other parties to determine which are:

  • Service providers
  • Contractors
  • Third parties.

Agreements with service providers and contractors

All existing agreements with service providers and contractors must be updated, and any new agreements created, to:

  • Specify that personal information is used for limited and specified purposes
  • Require the service provider or contractor to comply with applicable obligations under CPRA 2020 and provide the same level of privacy protection that CPRA 2020 specifies
  • Grant the business the right to:
    - Ensure the service provider or contractor uses personal information consistent with the business’s CPRA 2020 obligations
    - Following notice to the service provider or contractor, take reasonable and appropriate steps to stop and remediate its unauthorised use of personal information
    - Subject to agreement, monitor the service provider’s or contractor’s compliance with the contract
  • Require the service provider or contractor to notify the business:
    - If it determines it can no longer meet its CPRA 2020 obligations
    - When it engages another person to process personal information via a binding contract using the same terms to which it is bound
  • Require the service provider or contractor to delete any relevant personal information it holds for a particular consumer, when requested by the business in connection with responding to a consumer request it has received to delete their personal information
  • Include a certification by the service provider or contractor that it understands the actions it is prohibited from taking and will comply with those prohibitions.

The contract must prohibit the service provider or contractor from:

  • Selling or sharing the personal information without consent
  • Retaining, using or disclosing the personal information for any purpose other than the business purposes specified in the contract, unless such actions are specified for a commercial purpose
  • Retaining, using or disclosing the personal information outside of the direct business relationship between it and the business
  • Combining the personal information which it receives from or on behalf of the business, or collects itself, with other personal information it receives from or on behalf of another person or persons, except as otherwise allowed by CPRA 2020

Agreements with third parties

All existing agreements with third parties must be updated, and any new agreements created, to:

  • State that personal information is sold / disclosed for specified purposes
  • Require the third party to notify the business if it determines it can no longer meet its CPRA 2020 obligations
  • Require the third party to comply with CPRA 2020
  • Provide the business the right to:
    - Ensure the third party uses personal information consistent with the business’s CPRA 2020 obligations
    - Stop and remediate any unauthorised use of personal information.

Wrap-up

CPRA is almost here. For those organisations that are completely ready for it, well done. Those who might be a little or a lot behind the 8-ball should get their running shoes on.

As it is with so much legislation, it can be difficult to get to the essential obligations contained in CPRA 2020.

It needs to be thoroughly read and understood before an organisation can determine what it needs to stop and start doing, in the context of what it currently does or doesn’t do, as required by CPRA 2020. This article merely provides some idea of its scale and scope.

Various parts of an organisation will need to participate in deciding just how it will deal with these new regulatory obligations, operationally and contractually. Those parts will need to ensure that they work in sync to produce a coherent and consistent approach, and that could take some time.

Consider also that Virginia, Colorado and several other states have similar acts in the works that might be applicable. Getting a handle on the general broad requirements of each can take some doing. And that’s before taking account of the things that each state will do differently and any unique requirements they might have.

Throw in the fact that the Federal Government is working on the American Data and Privacy Protection Act at a national level, and it’s clear that some organisations are in for a busy time. There are bound to be operational and compliance headaches for those who will be subject to multiple regulatory regimes.

Ringo Starr once sang “you know it don’t come easy”. That’s pretty much how it’s going to be for businesses needing to comply with CPRA 2020 and other similar legislation.

If you would like more information about how Gatekeeper can assist with management of contracts related to CPRA 2020, then contact us today.

Rod Linsley

Rod is a seasoned Contracts Management and Procurement professional with a senior IT Management background, specialising in ICT contracts
