2023 - Volume 2 - Summer - Flipbook - Page 16
-Privacy: Continued from page 15-
defines a “sale” of personal information broadly, to include providing access to personal information to a third party for monetary or nonmonetary consideration.
• Following the CPRA amendments, consumers also have the right to know what personal information is “shared” and to whom. “Sharing” is defined as sharing for cross-context behavioral advertising purposes, whether in exchange for consideration or not.
• Consumers have the right to opt out of the sale or sharing of their personal information.
• Following the CPRA amendments, consumers have the right to limit a business’s use and disclosure of their sensitive personal information.
• Consumers have the right to not face any retaliation for exercising their statutory privacy rights.
In addition to responding to consumer requests to exercise those rights, a covered business must:
• Minimize the collection of personal information to that which is reasonably necessary for business purposes.
• Publish a comprehensive privacy policy, and separate notices at collection, that explain the business’s online and offline collection, use and disclosure (and, if applicable, sale or sharing) of personal information. The privacy policy must also explain the rights consumers have under the CCPA and how to exercise them.
• If the business offers a financial incentive in exchange for a consumer’s personal information (such as offering a discount in exchange for a consumer’s email address), publish a notice that explains how the business places a value on that personal information and how the incentive works.
• Make available to consumers two or more designated methods for submitting requests to know/access, delete or correct their personal information.
• If the business sells or shares personal information, or uses sensitive personal information to build a profile of a consumer, offer consumers an appropriate mechanism to opt out.
• Enter into appropriate contracts with service providers, contractors and third parties to whom the business discloses personal information.
• Implement reasonable security procedures and practices to protect the collected personal information from unauthorized or illegal access, destruction, use, modification or disclosure.
A New Era of Implementing Regulations and Enforcement
Prior to the CPRA, only the California Attorney General had authority to write CCPA implementing regulations, investigate potential violations and bring civil enforcement actions. But the CPRA delegated rulemaking authority to the Agency, which the Agency has already begun to exercise. And as of July 1, 2023, the Agency has authority to investigate potential violations and bring enforcement actions. The Agency is governed by a five-member board with one seat currently vacant. The board includes two law professors, a consumer privacy advocate and a technology equity advocate.
The Agency’s statutory functions include:
• Adopting implementing regulations to clarify, and expand, CCPA requirements pursuant to the statute’s mandates.
• Conducting investigations of potential violations.
• Bringing administrative enforcement actions.
• Providing guidance to consumers regarding their rights under the law and guidance to businesses regarding their duties and responsibilities under the law.
• Appointing a Chief Privacy Auditor to conduct audits of businesses to ensure compliance with the CCPA.
• Establishing a mechanism pursuant to which entities doing business in California that do not meet the definition of a “business” set forth by the CCPA may voluntarily certify that they are in compliance with it, and making a list of those entities available to the public.
Because the Agency can now bring administrative enforcement actions against businesses, the Agency can find businesses in violation of the CCPA, levy fines and issue injunctions under its own authority, without taking a business to court. Importantly, the Agency has subpoena powers, and can compel witnesses and require production of any records from a business to audit that business’s compliance with the CCPA. The Agency cannot bring an administrative action more than five years after the date
-Continued on page 17-