On November 3, 2020, Californians voted in favor of making sweeping changes to their existing state privacy law. Proposition 24, known as the California Privacy Rights Act of 2020 (CPRA), modifies and expands on the California Consumer Privacy Act of 2018 (CCPA).
The CPRA creates new and expanded rights for California residents and new compliance obligations for businesses. Since it is one of the most expansive privacy laws in the United States, the CPRA also creates a template for other privacy laws at both federal and state levels. Therefore, it is critical that employers pay attention to its key aspects and take necessary steps to ensure CPRA compliance.
Background of the CPRA
Given that the California legislature has proposed and considered several bills to amend the CCPA, one of its original proponents filed the CPRA ballot initiative to further enhance consumer privacy in California. The ballot initiative included a provision limiting legislative amendments that might weaken its provisions in order to secure the long-term viability of the CPRA. The new privacy law will become effective on January 1, 2023. Only the administrative provisions of the CPRA, which establish the California Privacy Protection Agency and call for new regulations, become effective immediately.
While many of the CPRA obligations are adopted from the CCPA and General Data Protection Regulation (GDPR), compliance with these laws is not sufficient to ensure CPRA compliance or vice versa. As a result, organizations need to comply with multiple, partially overlapping regulatory schemes, with the possibility of additional states adopting similar or different laws in the future.
CPRA Thresholds for Applicability
The CPRA introduces new threshold requirements. It applies to any for-profit entity that does business in California, collects and uses the personal information of Californians, and either:
- Has annual gross revenues of at least $25 million in the preceding calendar year,
- Buys, sells, or shares the personal information of at least 100,000 California residents or households, or
- Derives at least 50% of its revenue from selling or sharing personal information.
The CPRA also applies to affiliates of the business with whom the business shares consumers’ personal information, if that affiliate controls or is controlled by a business subject to the CPRA.
New CPRA Data Privacy Rules
To ensure CPRA compliance, organizations need to understand the new and expanded obligations for businesses as well as the new rights for California residents. The CPRA will implement stronger data privacy rules for businesses, additional consumer rights regarding their data, and an independent enforcement agency called the California Privacy Protection Agency (CPPA).
Under CPRA, new data privacy changes include:
- Limitations on the length of time businesses can hold onto consumer data,
- An opt-out option for cross-context behavioral advertising,
- Preventing businesses from sharing consumers’ personal information,
- Limitations on the usage of sensitive personal information such as race, location, religion, social security details, and more,
- Stronger opt-in requirements enforced for any data pertaining to children, and
- Proper links on every business homepage allowing consumers to opt out of their personal data being sold, shared or used, if they so choose.
In addition, the CPRA gives consumers even greater insight into and control over the personal data that businesses have obtained about them. Under CPRA, consumers can:
- Correct any incorrect personal information businesses may have on them,
- Opt out of both automated decision-making technology and the sharing and selling of any personal information businesses have obtained, and
- Access meaningful information involved in decision-making processes, as well as a description of the likely outcome of the process with respect to the consumer.
How to Ensure CPRA Compliance
While CPRA does not take full effect until January 1, 2023, businesses should begin preparations as soon as possible to secure CPRA compliance, especially taking into consideration the California Privacy Protection Agency and the removal of the cure period for regulatory actions.
Here are some of the steps businesses can take in order to prepare for effective CPRA compliance:
Performing a Data Mapping Exercise
Businesses should perform a data mapping exercise, if they have not already done so, to understand the types of data they hold, how they protect it, the purposes for which they use it, and which vendors have access to that data.
Updating Policies and Procedures
Businesses should review their policies and procedures against the new CPRA requirements, including their data retention policies, information security policies, and consumer request-response policies. If they do not have such policies, businesses should begin drafting them as soon as possible to ensure CPRA compliance.
Updating Privacy Notices
One of the measures businesses should take is to consider if they want to offer consumer rights to all consumers or just California consumers, and update privacy notices accordingly.
Performing a Privacy Impact Assessment
To further protect consumers’ privacy, businesses should assess the risks associated with their processing of personal data and consider adopting additional security or privacy measures.
Reviewing Existing Contracts with Third Parties, Contractors, and Service Providers
The CPRA requires that all personal information disclosures are subject to contractual obligations that protect personal information. Therefore, businesses should understand the scope of the third parties to whom they disclose personal information in order to secure CPRA compliance.
Updating Training and Auditing Programs
One of the necessary measures for maintaining CPRA compliance is updating training and auditing programs, so that the company’s employees know how to comply and the company can address any compliance gaps in a timely manner.
Adapting to Evolving Privacy Laws
The addition of the CPRA shows that privacy law compliance standards continue to evolve, making it necessary for employers to consider the impact that guidelines such as the CPRA will have on their business operations. Even though the January 2023 implementation date of the CPRA gives businesses significant time to prepare, they need to begin adapting to the inevitable changes now.
Businesses should use this time to increase their transparency with consumers and communicate exactly how, where, and for how long consumers’ personal data will be used. As CPRA compliance is not an easy task, employers can consider integrating software designed to simplify meeting the new protection requirements. This allows them to pay closer attention to the specific data they have on file, analyze why they collect and share data, and track the management of data from start to finish. Use a secure electronic platform to meet the detailed requirements of privacy laws and simplify the process of implementing compliance plans.