CPRA Passed: What Does That Mean for Your Privacy Program?
While votes are still being tabulated for The Big Question of the election, you can count on one measure: California has passed the California Privacy Rights and Enforcement Act (CPRA).
I know, you might feel that you were just getting into the swing of the California Consumer Protection Act (CCPA). Now you have a new privacy law to work with?
But CPRA makes some important strides. It clarifies ambiguous parts of the law. It brings its intent into greater focus. And given that CCPA provided a model of privacy regulation for other US states, CPRA takes a few important steps forward.
So let’s get to the good stuff — what does CPRA do differently?
New rights, new definitions
New rights under CPRA build off of what CCPA had already established, bringing privacy closer in line with the EU’s General Data Protection Regulation (GDPR). New rights include:
- Right to Correct: Consumers can correct inaccurate information held by businesses about them.
- Automated Decision Making: Consumers can opt-out of having their personal information used in automated decision-making.
- Right to Data Portability: Consumers can request that pieces of their personal information be moved to another entity.
One right that we should call out in particular stems from the Right to Restrict Use of Sensitive Personal Information. In a move that is very GDPR-esque, CPRA expands the definition of sensitive personal information. It now includes data like Social Security numbers, passport numbers, religion, genetic data, and sexual orientation.
What this means
If a business is collecting personal information in this category, consumers can limit how their own data is used to what is relevant for providing goods and services. Additionally, businesses will need to offer a “Limit the Use of My Sensitive Personal Information” link. This is on top of the already existing requirement to have a “Do Not Sell My Personal Information” link.
Businesses should also prepare their teams to handle individual rights requests to support the newly established CPRA rights. Eventually, you’ll need to train up on verifying consumer identities and review your policies for fulfilling requests, but for now focus on documentation. Get a handle on what sensitive information your business has, how it’s used and how it’s collected.
Once you have that information, ask yourself whether that data is being used for purposes other than what the consumer intended it for. If it is being used for additional purposes beyond the one it was originally provided for, under CPRA you’ll need to go back and have the consumer decide whether or not they approve that use.
CCPA baked the concept of “selling” personal information into its privacy framework, but there were clear complaints that the definition was less than clear. CPRA separates selling into selling and sharing, defining “sharing” as disclosing a consumer’s personal information for “cross-context behavioral advertising” – ad targeting based on information obtained about a consumer across different apps or services. Consumers may opt out of sharing just as they can opt out of selling.
What this means
If cross-device targeting is a part of your marketing strategy, you need to start thinking about how you’re going to allow consumers to opt out. And get ready to add another piece to that end-of-year planning – figuring out how this is going to impact your marketing plan.
Adjusts eligibility requirements to give small businesses more flexibility
Anytime there is a privacy regulation, the first thing businesses want to know is whether it applies to them. When it came to CCPA, the threshold for compliance was a sticking point for some. To address this, CPRA raised the personal information processing threshold that triggers compliance.
Like CCPA, CPRA applies to businesses that do business in California, collect personal information from California residents, and determine how that information is collected, used, and shared. Businesses also must meet one of the following three requirements:
- Earns more than $25 million in revenue per year OR
- Collects or processes 100,000 consumer records per year OR
- Derives 50% of its annual revenue from selling personal information
That 100,000 consumer records number is an increase from CCPA’s 50,000 records threshold. Small businesses rejoice! But don’t get too comfortable. Even if your business is under that 100,000 number, customers and investors are still expecting compliance. (Compliance is just good business is our mantra for a reason!)
New mechanisms for privacy oversight and other enforcement issues
Handling civil action, along with the other aspects of regulatory oversight, is a time-consuming effort. CPRA provides funding for a Privacy Protection Agency to enforce CPRA and other privacy-related laws. Previously, this fell under the umbrella of the state attorney general’s office.
What this means
The new agency will receive substantial funding, staff dozens of employees, and create the resources to meaningfully enforce and guide privacy practices. For businesses, that may mean more help understanding regulatory requirements, but also more aggressive auditing and enforcement.
Data breach liability
Under CCPA, data breach liability was something of a murky area. Yes, your business could face legal action if found responsible for compromised personal information as a result of a data breach. However, the extent of a business’s responsibility in implementing reasonable security measures wasn’t clear.
CPRA brings this topic into greater focus, articulating that if a breach compromises a consumer’s email address and either their password or security question/answer, the business may be held liable. If you have any type of user accounts, it’s going to be critical to make sure you have the proper security in place.
Making sense of (and implementing) CPRA
Need help interpreting what the full impact of CPRA will be for your business? We’re here to help. Drop us a line to schedule a consultation. We’d love to chat.