In November, California voters took yet another sharp turn in the data privacy lane and passed Proposition 24, better known as the California Privacy Rights Act (CPRA). This replaces the California Consumer Privacy Act (CCPA), which itself only came into effect last year. That’s a lot of change in a short amount of time, and it can leave compliance officials with a lot of head-spinning questions: Why did California change its data privacy laws (again)? What do I have to change? How much time do I have?
A Little History
To fully understand the data privacy changes within the CPRA, it helps to understand the history behind the push for consumer protections in California. In 2016, real estate developer Alastair Mactaggart and his advocacy organization Californians for Consumer Privacy proposed a new ballot initiative that would transform data privacy protections in California (and, by extension, the nation). This drew concern from tech companies as well as some privacy advocates, who worried an initiative would be difficult to amend. The California Consumer Privacy Act (CCPA), put forward in response to Mactaggart’s proposed 2018 data privacy ballot initiative, represented a legislative attempt to address privacy concerns.
However, the hastily crafted act ultimately failed to satisfy anyone. It lacked clarity for businesses, disproportionately impacted small businesses, and lacked adequate mechanisms (and funding) for enforcement. So, in 2020 Californians for Consumer Privacy introduced a refined version of its original ballot initiative. According to Mactaggart, the new Act is needed to accomplish 4 key goals:
- Further protect personal information (PI)
- Increase fines for violating children’s privacy
- Create more transparency
- Establish a new enforcement arm
The CPRA, then, reflects an attempt to “fix” CCPA in these 4 critical areas. This has resulted in several key changes, including:
1. New Enforcement Agency
Arguably the biggest change in the CPRA is the creation of the California Privacy Protection Agency. The CCPA was enforced by the state’s Attorney General, who faced significant resource constraints. Under the CPRA, enforcement will be managed by a separate agency with full administrative power, authority, and jurisdiction. The law also creates a Chief Privacy Auditor to conduct audits of businesses.
2. Sensitive Personal Information
Another major change is the creation of a new classification of PI – sensitive personal information (SPI). This is a subcategory of PI that includes:
- Social Security, driver’s license, state ID, or passport numbers
- Financial account information
- Precise geolocation
- Racial or ethnic origin
- Sex life or sexual orientation
- Religious or philosophical beliefs
- Union membership
- Nonpublic communication (including mail, email, and text content)
- Genetic, biometric, and health data
Any collection of SPI carries additional disclosure, opt-out, and use requirements. Under CPRA, consumers have the right to limit the use of their SPI. Companies must provide a “clear and conspicuous link” on their homepage titled “Limit the Use of My Sensitive Personal Information.” This is in addition to the CCPA’s required opt-out link (though businesses can use a single link to execute both functions).
3. Covered Businesses
The CPRA makes several changes to which businesses are covered. On one side, it expands coverage to include all businesses that share personal data, whether they receive monetary compensation or not. However, it also increases the CCPA collection threshold from 50,000 consumers/households to 100,000, and it removes devices from this count. Also, commonly controlled businesses or those that share common branding are no longer covered unless they also share consumers’ personal information. These changes will provide relief to many small businesses.
4. Required Audits
Another major component of CPRA is the requirement that companies processing high-risk data perform annual cybersecurity audits. Audit results would be submitted to the California Privacy Protection Agency. This mirrors the GDPR, which requires such companies to perform data protection impact assessments (DPIAs).
5. Right to Opt-Out
CPRA also expands the CCPA’s right to opt-out to include the sale and sharing of personal information. This includes the transfer of PI to a third party for “cross-context behavioral advertising.” This clarification was made to affirm that companies must provide a right to opt-out of third-party sharing for advertising purposes, including through cookie-based collection on websites and apps.
6. Right to Access, Delete and Correct
In addition to opt-out, Californians now have several additional data rights, including the right to have their PI deleted and corrected. Businesses will also be required to notify third parties of these requests if they shared the data in question.
Like under GDPR, consumers now have the right to access information about how companies use automated decision-making technology, specifically with regards to profiling. This includes “meaningful information about the logic involved in such decision-making processes, as well as a description of the likely outcome of the process with respect to the consumer.” However, CPRA goes even further, giving consumers the right to opt-out of any form of automated decision making (GDPR only gives consumers the right to not be subject to decisions made solely by automated processes).
7. Increased Penalties and Liability
As Mactaggart noted, the CPRA increases fines for privacy violations regarding minors. Companies that misuse the PI of those under the age of 16 can be fined $7,500 for each violation. The Act also eliminates the 30-day cure period that companies had to fix compliance violations.
CCPA’s Right of Action
These are just a few of the changes CPRA is making to the world of data privacy compliance. The full nature and scope of the Act’s impact will continue to evolve as the state of California readies for enforcement. The clock is ticking; enforcement begins January 1, 2023. But if the evolution of CCPA has taught us anything, it’s that decisions made in the time in between will shape the data privacy space for years to come.
In the meantime, here are some actions you can take:
Determine if CPRA Applies to Your Business
Because of the coverage changes, some businesses that weren’t subject to CCPA will be impacted by CPRA, and vice versa. Recalculate your collection estimates, removing devices from your count. If that number is less than 100,000, you may well be exempt. Do you share common branding with other businesses but not PI? Then you might no longer be covered. Conversely, not receiving monetary compensation for sharing personal data no longer excludes you.
Implement a Data Security Plan
This is a smart practice even if you aren’t covered by CPRA. Implementing best practice security frameworks, creating policies, and establishing performance metrics can help keep your data safe and protect your business from increasing fines.
Like GDPR, CPRA now requires organizations managing “high-risk” PI to perform annual cybersecurity audits. Make sure you know the types of data your company stores, how it flows throughout your organization, and the impact of a potential breach.
Get CCPA Compliant
Finally, it’s important to remember that CCPA is still in effect, and will be for some time. Make sure that your organization is taking all the proper steps to remain in compliance – regulators will be, too.