Businesses subject to the California Consumer Privacy Act of 2018 (CCPA) and its amendments under the California Privacy Rights Act (CPRA) have faced considerable administrative burdens since these rules began to be enforced by the California Privacy Protection Agency.
The enforcement dates for California’s wide-reaching privacy legislation were:
- July 1, 2020 – CCPA
- July 1, 2023 – CPRA amendments
CPRA vs CCPA: Extra Rights for California Consumers
The California Privacy Rights Act (CPRA) amendments to the CCPA gave California consumers even more control over how businesses may collect and then use their personal information.
The main updates to individual rights are:
- Stronger right to know – when a California consumer makes a data subject request under CCPA they have a right to know the details of the pieces of personal information collected about them, along with the categories of information a business then discloses/shares or sells – and the purposes for those disclosures.
- Right to correct or delete – California consumers who make a data subject request can also ask for records of their personal information to be corrected or permanently deleted.
- Right to limit use of sensitive personal information – this additional right allows consumers to request businesses not disclose sensitive personal information (SPI) including precise geolocation, racial or ethnic origin, beliefs or sexual orientation – it also allows consumers to limit how long a business can store SPI records. (For more information about SPI under CPRA, read TrustArc’s Summary of the California Privacy Rights Act (CPRA) Main Rules.)
- Expanded right to opt-out of sale or sharing of personal information – the amendments allow consumers to opt-out from having personal data shared by a business with third parties, including via automated decision-making technology and tools used for cross-context behavioral advertising purposes.
To be considered CCPA compliant, businesses must also undertake:
- regular privacy risk assessments;
- annual cybersecurity audits;
- data minimization activities (restricting the amount of data processed to only be what is “reasonably proportionate” to the business purpose); and
- purpose-limitation activities (restricting the processing of data for a “predetermined or compatible purpose”).
California Attorney General Privacy Enforcement Actions
TrustArc’s privacy experts reported on the first round of CCPA enforcement actions by the California Attorney General in our September 2022 article: Critical CCPA Compliance Lessons to Learn from AG Enforcement.
The AG’s judgment against makeup retailer Sephora included a $1.2 million settlement penalty for several CCPA violations:
- Failure to disclose to consumers it was selling personal information;
- Failure to process consumer requests to opt-out of sale of their personal information signalled via consumer-enabled Global Privacy Control settings; and
- Failure to cure these violations within the 30-day cure period allowed at the time.
Under the settlement, Sephora had to comply with the following injunctive terms:
- Make it clear to consumers it intends to sell data through updated online disclosure notices and its Privacy Policy.
- Ensure consumers can opt-out of sale of personal information, including via the Global Privacy Control.
- Update its service provider contracts to ensure third parties are CCPA compliant, and document compliance monitoring in the annual report.
- Provide reports to the Attorney General about its sale of personal information, status of its service provider relationships, and its efforts to honor Global Privacy Control.
Note: the CCPA’s 30-day cure period expired on January 1, 2023, giving both regulators (the AG and the Agency) the power to impose penalties; however, a new regulation that is set to come into force in March 2024 gives the Agency discretion in how it proceeds, allowing it to consider in all of its investigations all facts it determines to be relevant, including the amount of time between the effective date of the statutory or regulatory requirement(s) and the possible or alleged violation(s) of those requirements, and good faith efforts to comply with those requirements (see §7301).
Kaiser Foundation’s Patient Privacy Violation Part of $49 Million Settlement
On September 8, 2023, California Attorney General Rob Bonta, in partnership with six district attorneys, announced a major ruling against healthcare provider Kaiser, which operates the Kaiser Foundation Health Plan and Kaiser Foundation Hospitals.
Under the ruling, Kaiser must pay a $47.25 million settlement and undertake other remedies to resolve allegations it illegally disposed of hazardous waste, medical waste and protected health information.
These violations were discovered during undercover inspections of dumpsters at 16 Kaiser facilities by the district attorneys’ offices. The business faces an additional $1.75 million in civil penalties if by September 2028 it hasn’t spent $3.5 million to ensure compliance with the laws it is alleged to have violated in California.
Although the case wasn’t prosecuted under CCPA/CPRA regulations, it is noteworthy for privacy sector professionals because along with hazardous and medical waste (in violation of several waste-disposal regulations) the dumpsters were found to hold more than 10,000 paper records containing the personal information of more than 7,700 patients.
As the contents of Kaiser’s dumpsters would normally be disposed of at publicly accessible landfills, the business had unlawfully exposed patients’ information, including sensitive personal information, in violation of California’s Confidentiality of Medical Information Act and Customer Records Law, as well as the federal Health Insurance Portability and Accountability Act (HIPAA).
Kaiser had previously paid $150,000 in penalties and attorneys’ fees to settle a privacy lawsuit brought by the California Department of Justice in 2014. Kaiser was found to have delayed notifying its employees about the discovery of an unencrypted USB drive containing more than 20,000 employee records at a Santa Cruz thrift store.
Under the ruling, Kaiser agreed to:
- comply with California Data Security Reporting requirements to notify California residents of data breaches that expose unencrypted personal information;
- provide notification of any future data breach; and
- implement additional training across the business and with suppliers about the sensitive nature of employee records and how they should be properly handled and protected.
California AG’s CCPA Enforcement Sweep of Employers
California Attorney General Rob Bonta announced on July 14, 2023 his office is conducting an investigative sweep of employers to review companies’ CCPA compliance related to personal information of employees and job applicants.
The CCPA exemptions to employee data expired on January 1, 2023. Under the CPRA amendments to CCPA, California citizens who are employees or involved in business-to-business relationships with a company gained new personal data rights protections in line with consumer rights.
In his announcement, AG Bonta said:
“The California Consumer Privacy Act is the first-in-the-nation landmark privacy law, and starting this year, the personal information of employees, job applicants, and independent contractors received greater data privacy protections because of it. We are sending inquiry letters to learn how employers are complying with their legal obligations. We look forward to their timely response.”
California Consumer Privacy Act Assessments
If your business hasn’t already done so, we recommend it undertake a California Privacy Assessment with TrustArc to:
- Review your current CCPA privacy position and identify remedies for any gaps in compliance
- Develop an action plan based on a heatmap outlining risks and estimating the levels of effort and resources needed to achieve compliance
- Build consensus across the business for compliance and create an audit of your CCPA compliance efforts.
For more background on the implications of CCPA, we also recommend reading our experts’ earlier commentary: