The California Privacy Rights Act Is Already Effectively In Effect – To Which Companies Does It Apply?

By Abhilipsa Panda

Legal updates regarding the California Privacy Rights Act (CPRA) usually state that the law does not become “fully effective” until January 1, 2023.  While technically accurate, that statement is misleading from a managerial standpoint.


The CPRA imposed additional privacy law requirements effective as of January 1, 2022, but delays “enforcement” of them until January 2023.  The important wrinkle is that, starting in 2023, there is a “lookback” period to January 1, 2022.  In other words, it is merely a delay in when prosecutions can begin, rather than a grace period.  It’s as if speed limits were lowered by twenty miles per hour as of last January, and violations won’t be prosecuted until next January  –  but every time that someone exceeded the lowered limits during 2022, that was an offense that can be prosecuted next year.


Many smaller companies are comforted that since the CPRA generally only applies to businesses with revenue above $25 million per year or 100,000 consumer records, the law does not cover them.  Beware, though, of the following possible surprises that could bring your company under CPRA coverage.


If your business provides financial incentives, such as a loyalty program, to consumers, then it needs to comply with the CPRA regardless of how many consumer records it holds.  The CPRA requirements apply to all consumer records that it holds, regardless of whether the consumers participate in the incentive program.


More generally, in counting consumer records, small businesses might unknowingly collect 100,000 records as a result of any combination of the following circumstances:


  1. Consumers sign in to your platform from different devices.  Each device has a different IP address and hence will count as separate identifiable personal information (PI).
  2. If your business platform places cookies on the visitor’s computer or collects geolocation information, then such visitors are consumers under the CPRA and count towards the 100,000 number.
  3. When a business’ platform is used by various members of a household, even when they use the same login credentials, each member counts as a different consumer.
  4. Starting January 1, 2023, employee information is classified as a consumer record. This includes emergency contact information of family members as well.


If two companies enter into a joint venture in which each owns at least 40% of the venture, or enter into a 50-50 partnership, then it is assumed that they share consumer information.  The number of consumers of both companies will thus be counted together to determine if they have collected 100,000 consumer records.


If two companies do “common branding,” which means a shared name, service mark, or trademark, then under the CPRA such common branding causes the average consumer to understand that the entities are commonly owned.  Hence, such companies need to combine their consumer records to determine if they are above the 100,000 consumer record threshold.


Even without a formal joint venture entity, agreements for marketing and distribution between two companies whereby they jointly share their consumer records for the purposes of providing a service might bring them under the CPRA.


Even if your company is under the threshold of CPRA coverage, if you are to be acquired by a larger company that requires CPRA compliance, you should have accurate records of consumer privacy requests.  This includes records of requests for deletion, right to know, opt-out, data disclosure, etc., since the acquiring company needs to process the requests that were received by you.  Remember also that your employees are now effectively covered by the CPRA, and any employee who was careful enough to make a request has higher than average odds of following up.  Lastly, if the acquiring company sells consumer data, then you need to send out a privacy notice to your consumers stating how their personal data will now be processed by the acquiring company.


Thus, in light of these surprises under the CPRA, and the 2023 lookback into 2022, even some smaller companies need to have a CPRA-compliant Privacy Policy, an Internal Employee Privacy Policy, and an Information Security Policy (ISP), and comply with various other requirements that went into effect on January 1, 2022.  The extent of adjustments needed now will differ among companies, depending on how closely their previous policies and practices followed the CPRA requirements.