Soon, the California Privacy Rights Act of 2020 (CPRA) is set to go into effect, amending the older CCPA and expanding it into a more comprehensive privacy framework.
How can you prepare your game company for this? Check out the post below.
CCPA vs CPRA – What’s the difference?
The CCPA shaped the data privacy landscape of California, while the recently-enacted CPRA builds upon that landscape.
The CPRA can be thought of as a more comprehensive version of the CCPA that strengthens California privacy regulation. It does this by introducing new privacy rights for Californians and increasing the compliance requirements for both small and large businesses, and in doing so it brings California closer to the European Union's GDPR.
The CPRA also establishes a new government agency for the enforcement of data privacy laws in CA, named the California Privacy Protection Agency (CPPA).
Though the CPRA goes into effect on January 1, 2023, personal information that businesses collect on or after January 1, 2022 falls within its scope (the new right-to-know obligations reach back to that date). This is dubbed the "lookback period."
So it is past time to start taking it seriously.
7 major ways that CPRA changes CCPA
There are countless ways that the new CPRA law changes, expands, or adds additional rules that the CCPA didn’t have.
Here are the top 7 major ways that the CPRA changes the old CCPA law.
1 – Expanding who is liable
The CPRA expands the definition of "businesses" covered by the privacy act, and it counts "sharing" personal information, not just selling it, toward the coverage thresholds.
The Specifics: Under the CPRA, an organization qualifies as a business if it is a for-profit legal entity that collects California consumers' personal information (PI), determines the purposes and means of processing that PI, and satisfies one or more of the following conditions:
- Has an annual gross revenue of over $25 million in the preceding calendar year.
- Alone, or in combination, annually buys, sells, or shares the personal information of 100,000 or more consumers or households. (This doubles the CCPA’s threshold criteria of 50,000 Californian consumers or households.)
- Derives 50% or more of its annual revenue from selling or sharing consumers' personal information. (This expands the CCPA's test, which counted only revenue from selling PI, to include revenue from sharing it.)
Entities controlled by a covered business that share common branding with it are covered only if the business shares consumers' personal information with them.
2 – New protected data category
The CPRA creates a new category of highly protected data, called sensitive personal information (SPI).
The Specifics: Among the categories the CPRA treats as sensitive personal information are:
- Social Security numbers (SSNs)
- Driver’s licenses
- Financial account or card numbers
- Precise geolocations
- Racial or ethnic origin
- Religious and philosophical beliefs
- Union memberships
- Contents of mail, email, and text messages (unless the business is the intended recipient)
- Genetic and biometric data
SPI carries obligations beyond those for ordinary PI, and meeting them may require businesses to add controls that restrict how such data is processed and to limit its use and disclosure.
In practice, businesses must be especially vigilant in protecting this class of data and must honor a consumer's request to limit its use, not just a request to stop selling or sharing it.
These new requirements include:
- Updated disclosure requirements
- Purpose limitation requirements
- Opt-out requirements for use and disclosure
- Opt-in consent requirements after a previously-selected Opt-out
3 – A new enforcement agency
The CPRA creates a new privacy enforcement authority, the California Privacy Protection Agency (CPPA). It also directs the Agency to adopt regulations requiring businesses whose processing of personal information presents significant risk to perform annual cybersecurity audits and to submit risk assessments to the Agency on a regular basis.
The Specifics: The Agency consists of five members, with the governor appointing the chair. The governor, the attorney general, the senate rules committee, and the speaker of the state assembly each appoint one of the remaining four members.
The statute requires appointments be made from Californians with expertise in the areas of privacy, technology, and consumer rights.
The Agency is tasked with investigating alleged violations, determining whether corrective action is needed, conducting hearings if it finds probable cause a violation has occurred, and issuing orders and imposing fines where appropriate. The Agency also has the power to file civil actions to recover unpaid fines.
It remains to be seen how this new agency will wield its authority, but we expect that we will see an increase in the number of investigations and enforcement actions taken by the CPPA.
4 – Expanded consumer opt-out rights
The CPRA expands on the CCPA's right to opt out and requires that companies allow consumers to opt out of the sharing of their information with third parties in addition to the sale of their information.
The Specifics: Under the CCPA, consumers are empowered to opt out of the sale of their personal information. To facilitate consumers’ exercise of this right, covered businesses must provide a “Do Not Sell My Personal Information” link on the business’s internet homepage.
This link needs to link to a web page where consumers can opt out of having their personal information sold to third parties.
The CPRA adds a similar right for consumers to opt out of the sharing of their personal information. "Sharing" here has a specific statutory meaning: disclosing personal information to a third party for cross-context behavioral advertising, whether or not money changes hands. The homepage link is accordingly retitled "Do Not Sell or Share My Personal Information," and a second link, "Limit the Use of My Sensitive Personal Information," supports the SPI right described above. A business may instead honor an opt-out preference signal sent by the consumer's browser or device in place of posting the links.
The CPRA also directs the Agency to issue regulations giving consumers access and opt-out rights with respect to a business's use of automated decision-making technology, including profiling, meaning the evaluation of personal aspects of the consumer such as:
- work performance
- economic situation
- personal preferences
- location or movements
The details of this right are left to the Agency's rulemaking.
All of this places an increased burden on companies to provide opt-out mechanisms to consumers.
5 – Expanded right to correct personal info
The CPRA adds the right to correct a consumer’s personal information.
The Specifics: With some exceptions, the CCPA already permits consumers to request that covered businesses, together with their service providers, contractors, and third parties, delete personal information collected about them.
Contractors and service providers are required to cooperate with the business in responding to deletion requests and, at the request of the business, are required to delete or enable the business to delete the information required under the law.
Now, the CPRA grants consumers the additional right to have businesses correct inaccurate personal information. Covered businesses must disclose the new right to correct inaccuracies to consumers and use “commercially reasonable efforts” to correct personal information upon receiving a verifiable consumer request.
This is more in line with the scope of consumer rights under GDPR in the European Union.
6 – Expanded right to know what has been collected
The CPRA expands the consumer's right to know what personal information has been collected and requires businesses to disclose how long they intend to retain it.
The Specifics: This right was already included in the CCPA, though it has been changed by the CPRA.
Under the CCPA, a consumer can request that a business disclose how it collects and uses the consumer's personal information over the preceding 12 months, including:
- what categories of personal information the business collected about the person in the past 12 months and the categories of sources from whom it was collected;
- the business or commercial purpose for collecting or selling the personal information;
- the categories of personal information that were sold and for each such category, the categories of third parties to whom it was sold; and
- the categories of personal information that were disclosed for a business purpose.
The CPRA modifies these rights by:
- Requiring businesses also provide information about the categories of personal information shared with third parties;
- Removing the 12-month look-back limitation by requiring a business to provide more than 12 months of information, so long as doing so would not be "impossible" or "involve a disproportionate effort." This means businesses must do the work of becoming fully compliant before 2023, though this extended look-back does not apply to data collected before January 1, 2022.
- Expanding requests to encompass personal data collected by the business indirectly through a service provider or contractor. The CPRA obligates these service providers and contractors to aid businesses with consumer requests for information.
- Requiring businesses to provide the requested information to consumers in an easily understood, readily usable format.
If your business is already complying with GDPR data subject requests, most of this will seem familiar.
7 – Data governance changes
The CPRA introduces changes in data governance and transparency, including limitations on storage, data minimization, and contract requirements.
The Specifics: A business may collect, use, and disclose only the personal information that is reasonably necessary and proportionate to the purposes it has disclosed. Data must also be retained only for as long as it is necessary for those purposes.
The notice-at-collection requirement now covers "the length of time the business intends to retain each category of personal information, including sensitive personal information, or if that is not possible, the criteria used to determine such period, provided that a business shall not retain a consumer's personal information or sensitive personal information for each disclosed purpose for which the personal information was collected for longer than is reasonably necessary for that disclosed purpose."
The CPRA also requires that "a business's collection, use, retention, and sharing of a consumer's personal information shall be reasonably necessary and proportionate to achieve the purposes for which the personal information was collected or processed."
And businesses must "only collect consumers' personal information for specific, explicit, and legitimate disclosed purposes, and should not further collect, use, or disclose consumers' personal information for reasons incompatible with those purposes."
What should game developers and other businesses do NOW to prepare for CPRA?
The CPRA was enacted to ensure that consumer data collecting and processing is transparent and clearly defined. For that to happen, companies must know as much as possible about the data they currently have.
So, before companies move forward with becoming CPRA compliant, they need to map their data: identify what personal information they collect (flagging anything that falls into the SPI categories), where it comes from, how it is used, who it is sold to or shared with, and how long it is kept.
Then, companies can prepare for CPRA by:
- Making sure their privacy notice is aligned with the CPRA disclosure.
- Reviewing and updating their procedures for consumer data requests
- Checking that the contractors and service providers the company works with are compliant as well, and that contracts with them contain the terms the CPRA now requires (limited, specified purposes for the data; an obligation to provide the same level of privacy protection; the business's right to take reasonable steps to ensure compliance; and notification if the provider can no longer meet its obligations)
- Procuring liability insurance policies that cover data breaches (or reviewing their existing cyber liability coverage in light of the higher penalty amounts under CPRA)
- Performing cybersecurity assessments to identify gaps in security controls
Also, a HUGE thank you to my law clerk Jillian Fries for her help putting this article together, from researching the changes to writing them up.