While California is far afield from New Zealand, the recent expansion and strengthening of consumer privacy laws in that State will, due to their extraterritorial reach, likely have ripple effects when the Consumer Privacy Rights Act of 2020 (CPRA) comes fully into force on 1 January 2023. California’s consumer privacy laws apply to certain legal entities that do business in the State of California, so may impact New Zealand businesses that collect the personal information of residents of California.
The CPRA updates and adds to the California Consumer Privacy Act of 2018 (CCPA) and the California Consumer Privacy Act Regulations of 2020. In our view, some key changes being brought about by the CPRA include:
- A right for consumers to limit use and disclosure of sensitive personal information;
- An addition to the existing disclosure requirements, so that the length of time information is to be held must be advised;
- A requirement that a business that collects consumers’ personal information and sells it to, or shares it with, a third party, or discloses it to a service provider or contractor for a business purpose, enter into an agreement with that party that meets certain defined requirements in the Act (aimed at extending the obligations to those other parties);
- The consumer’s right to know what personal information is sold and to be able to opt out of that sale will be extended to personal information that is shared (e.g. for cross-context behavioural advertising);
- The consumer’s right to have personal information deleted will be extended to require a business to notify all third parties to whom the business has sold or shared the personal information to delete the consumer’s personal information unless this proves impossible or involves disproportionate effort; and
- An ability to issue new regulations to require annual risk assessments and cyber-security audits for businesses whose processing of consumers’ personal information presents significant risk to consumers’ privacy or security.
Some changes have already taken effect. One such change is the creation in December 2020 of the California Privacy Protection Agency, which is tasked with enforcement of, and education surrounding, the law. It has also been given the power to investigate privacy complaints. And, from July 2021, it will have rulemaking authority.
In our view, the changes brought about by the CPRA align California more closely with the European Union’s GDPR. Some of the new obligations also go beyond New Zealand’s own recently updated Privacy Act 2020.
If you do business in California or collect personal information of residents of California and would like to understand more about your obligations under the CPRA, please get in touch with us.