The California Privacy Rights Act (CPRA) – An implementation and compliance guide

Preston Bukaty

129 pages. English.

About This Book

On May 4, 2020, Californians for Consumer Privacy (an advocacy group founded by Alistair MacTaggart) announced that it had collected more than 900,000 signatures to qualify the CPRA (California Privacy Rights Act) for the November 2020 ballot. Also known as 'CCPA 2.0', the CPRA enhances privacy protections established by the CCPA and builds on consumer rights.

The CPRA effectively replaces the CCPA and will bolster privacy protections for California consumers when it takes effect in 2023. While many elements of the two laws are similar, there are some striking differences that could impact CPRA implementation plans, including:

  • Limiting deletion rights that apply to unstructured data
  • A new right to data minimization with retention requirements related to personal data
  • New definitions and obligations related to cross-context behavioral advertising
  • Amending breach liability to include an email address in combination with a password or security question
  • Establishing a new regulatory enforcement body: the California Privacy Protection Agency

Organizations that fail to comply with the CPRA's requirements will be subject to civil penalties of up to $7,500 and a civil suit that gives every affected consumer the right to seek between $100 and $750 in damages per incident, or actual damages if higher.

The law is complex and requires careful reading to understand the actual requirements for organizations – The California Privacy Rights Act (CPRA) – An implementation and compliance guide is here to help.

Ensure your business is CPRA compliant with essential guidance

This book is your ideal resource for understanding the CPRA and how you can implement a strategy to ensure your organization complies with the legislation.

The California Privacy Rights Act (CPRA) – An implementation and compliance guide is essential reading for anyone with business interests in the state of California. Not only does it serve as an introduction to the legislation, it also discusses the challenges a business may face when trying to achieve CPRA compliance. It gives you the confidence to begin your CPRA compliance journey, while highlighting the potential ongoing developments of the CPRA.

Buy this book and start implementing your CPRA compliance strategy today!

Information

Publisher: ITGP
Year: 2021
ISBN: 9781787782884

CHAPTER 1: CPRA JURISDICTION – TERRITORIAL

Relevant provisions of the California Civil Code that collectively make up the California Privacy Rights Act (CPRA) consistently refer to the rights of consumers as they apply to a “business.” For example, “A consumer shall have the right to request that a business that collects a consumer’s personal information disclose” certain things to that consumer.20 Or, “A consumer shall have the right to request that a business delete any personal information about the consumer which the business has collected from the consumer.”21 As a result, the law’s applicability hinges on key definitions of a “business,” and, like all laws, organizations will need to carefully review definitions and terms to determine which portions of the statute apply.
Although many legal instruments include key terms as part of introductory text, the definitions for terms found in the CPRA are less obviously located. Many key terms can be found in section 1798.140. For example, “business” is defined in section 1798.140(d) as:
(1) A sole proprietorship, partnership, limited liability company, corporation, association, or other legal entity that is organized or operated for the profit or financial benefit of its shareholders or other owners, that collects consumers’ personal information, or on the behalf of which such information is collected and that alone, or jointly with others, determines the purposes and means of the processing of consumers’ personal information, that does business in the State of California, and that satisfies one or more of the following thresholds:
(A) As of January 1 of the calendar year, had annual gross revenues in excess of twenty-five million dollars ($25,000,000) in the preceding calendar year, as adjusted pursuant to paragraph (5) of subdivision (a) of Section 1798.185.
(B) Alone or in combination, annually buys, sells, or shares the personal information of 100,000 or more consumers or households.
(C) Derives 50 percent or more of its annual revenues from selling, or sharing consumers’ personal information.
(2) Any entity that controls or is controlled by a business, as defined in paragraph (1), and that shares common branding with the business and with whom the business shares consumers’ personal information. “Control” or “controlled” means ownership of, or the power to vote, more than 50 percent of the outstanding shares of any class of voting security of a business; control in any manner over the election of a majority of the directors, or of individuals exercising similar functions; or the power to exercise a controlling influence over the management of a company. “Common branding” means a shared name, servicemark, or trademark.
This lengthy definition is not easy to understand. In order to know if the CPRA applies, an organization must first determine whether it does business in the State of California, such that the average consumer would understand that two or more entities are commonly owned.
Although the CPRA does not elaborate on what it specifically means to “do business in the State of California,” there is relevant case law that can provide guidance. First, courts will look for general personal jurisdiction, which relates to a court’s authority to hear cases within its established geographic area.
Typically, an incorporated business entity will be subject to the general personal jurisdiction of its home state. This is generally considered the state of incorporation, and/or the place of principal business (i.e. its headquarters).22 For many organizations, this will mean that they can be subject to the general jurisdiction of two states. For example, if a company is incorporated in Delaware and its headquarters is in California, both Delaware and California will have general jurisdiction over the company. Thus, any organization actually established in California – perhaps by virtue of registering with the Secretary of State, among other things – should consider itself subject to the general jurisdiction of California’s courts. Also, if the organization maintains a physical presence in California, the law will most likely apply.
However, there remains a question of extraterritorial reach. The issue is whether California, as a sovereign state, can apply its laws and regulations to organizations based outside the state but operating within it. These situations are often complex, and critical distinctions in a case can rely on individual factual circumstances. What if a business is not operating within the physical confines of the state but maintains a limited amount of business connections with California consumers? Does this subject the actions of an organization based in one state to the sovereignty of another state’s courts? If one organization can therefore be held accountable by multiple (possibly many) states all at once, how many business connections with a state are necessary for that state to establish jurisdiction? In particular, how many connections with California consumers are necessary for a California law to apply to an organization based in another state?
When US courts fail to establish general jurisdiction, they then look to specific jurisdiction. Specific jurisdiction relates to the number of contacts that a defendant has with a state. The idea is that a court operating in one state may not have sufficient authority over an out-of-state defendant to claim general jurisdiction by virtue of geography, but, based on the actions of the defendant – either by working within the state or dealing with local residents – a sufficient level of contact is established to grant the local court jurisdiction over the out-of-state defendant.
Typically, the defendant must have “purposefully avail[ed] itself of the privilege of conducting activities within the forum State,” or have purposefully directed its conduct into the court’s state.23 For example, if a defendant commits a crime in one particular state, that state court will have specific jurisdiction as it relates to the crime, regardless of where the defendant organization is based. Keep in mind that the organization will also be subject to the jurisdiction of the state where it is based, so in theory there is always at least one court to enforce rulings. The question, as mentioned earlier, ultimately relates to extraterritorial reach and the sovereignty of state laws under the US Constitution. It also relates to fairness. Defendants should not have the burden of having to appear in multiple state courts if the matter really does not relate to that state. Moreover, plaintiffs should not be able to sue defendants in multiple states if there is no basis (or need) for that court to enforce additional judgment.
Again, these situations are sometimes complex, and increasingly so in the modern business environment. Large organizations may operate across the country, and thus maintain contact with every state all at once. Because they operate at a national level, it may be difficult to determine which states may exercise jurisdiction over an action that was purposely directed at all states, but not any one in particular.
Consider a company that markets and sells products nationally, such as a customer relationship management (CRM) software vendor. Should that company be subject to the jurisdiction of all state courts (and thus possibly have to appear in all state courts) simply because a few people in each state bought the allegedly liable product? Probably not, as it would place an unfair burden on the defendant, in addition to constitutional questions of state power. This issue also becomes especially important in the context of class-action lawsuits, where huge groups of plaintiffs can be built up across the country. Therefore, in order to establish specific jurisdiction, a court must consider whether the actions of the defendant establish a sufficient level of contact with that state.
So, what is a sufficient level of contact? The California Supreme Court attempted to answer this question in 2016. In Bristol-Myers Squibb Co. v. Superior Court (Anderson), a group of plaintiffs, comprising mainly non-California residents, sued the pharmaceutical company Bristol-Myers Squibb Company (BMS) over alleged health defects caused by its product Plavix.24 The issue was that these plaintiffs sued BMS in California for liabilities under California law, despite there being no real connection to California. “The nonresident plaintiffs did not allege that they obtained Plavix through California physicians or from any other California source; nor did they claim that they were injured by Plavix or were treated for their injuries in California.”25 So, was a California court capable of enforcing judgment on an organization (in addition to the court where the organization was based) over actions that did not take place in California? And perhaps more importantly, could a group of plaintiffs – most with no real connection to California – sue a company in California courts for actions that did not take place in California?
In answering these questions, the California Supreme Court applied a “sliding scale approach to specific jurisdiction.”26 With this approach, the defendant’s range of contacts can be used to show the connection between the defendant and the state.27 As a result, the majority determined that it could exercise specific jurisdiction over the plaintiffs’ claims “based on a less direct connection between BMS’s [activities in California] and plaintiffs’ claims than might otherwise be required [due to] BMS’s extensive contacts with California.”28 Similarities between claims of the group’s California and non-California residents effectively allowed California to hear the claims of the whole group.29
As mentioned earlier, the implications of these sorts of interpretations become immensely important when considering class-action lawsuits. The Court’s ruling in Bristol-Myers Squibb would potentially allow class-action plaintiffs to sue defendants in California courts for violations of California law, even though the violations did not occur in California.
Such an important and far-reaching decision di...
