You’ve made sure you’re complying with GDPR. Everything is taken care of for CCPA. That’s great! 

Now what about CPRA?

Wait, you might be saying, you just said that – you mean CCPA. And I’m squared away, thank you very much.

Not the case. While the California Consumer Privacy Act has just become enforceable as of July 1, there’s another privacy rights act lining up for the November 2020 ballot. This new act aims to build off of the work accomplished by CCPA to increase transparency and control for consumers over their personal information.  

For consumers, the California Privacy Rights Act (CPRA) – affectionately referred to by some as CCPA 2.0 – represents an expansion of privacy rights. For businesses, it represents both a challenge to keep up with compliance requirements as well as an opportunity to create an exceptional customer experience.

How so? Awareness of privacy issues are on the rise. Your customers are going to increasingly expect transparency on how you’re handling their data. Your privacy plans and policies are a big part of building a relationship with them. 

Ultimately, compliance isn’t just important to stay in line with the law. It’s important to sustain your consumers’ relationship with your business.

Where Did CPRA Come From?

Who’s driving this policy train? Californians for Consumer Privacy, the nonprofit group that helped get CCPA on the 2018 ballot. 

Although CCPA had yet to become enforceable at that time, in September 2019, Californians for Consumer Privacy submitted a ballot initiative for a new, in-depth privacy act that would build off of CCPA: the California Privacy Rights Act (CPRA). 

By May 2020, they had gathered more than 900,000 signatures to qualify for the ballot and on June 24th, 2020, the California Secretary of State announced that CPRA was eligible for the November 2020 election.

It’s important to note that CPRA is being brought forth as a ballot initiative. If CPRA is enacted by voters as part of a ballot initiative, it will only be able to be amended through another ballot initiative, not through legislation. This gives voters a greater voice in privacy measures rather than relying on the legislative process to move the needle forward.  

What is CPRA? 

CPRA takes many of the ideas and concepts from CCPA and expands them for California residents, allowing them a greater degree of control over their personal information while implementing further requirements for businesses in regards to how they collect, use, and store that personal information. Some aspects of it even move the law closer to the General Data Protection Regulation (GDPR), such as new requirements on data retention, an expanded right to know and access personal information, and further definitions of sensitive data.

Much like CCPA, the impact of CPRA would be felt far beyond California’s state borders. Also similar to CCPA, it would apply to businesses and organizations that meet certain eligibility requirements and process California residents’ personal information – regardless of where the business or organization operates from.

But these are generalities. What are some of the important – and specific – additions and changes being made to CCPA within this legislation if it ends up being enacted?

Establishment of a California Privacy Protection Agency

This agency would oversee enforcement of CPRA rather than the California Attorney General, who is the sole arbiter of CCPA enforcement.  

Until the California Privacy Protection Agency is enacted, the Attorney General would have rulemaking authority to issue regulations on topics like identifying business purposes for the use of personal information, updating the definition of personal information, and more.

Sensitive Personal Information

Sensitive personal information is at the core of privacy issues. The CPRA would establish a further category of sensitive personal information under Cal. Civ. Code § 1798.140(ae)—“sensitive personal information,” which is defined as not publicly available including:

  • Social security number
  • Driver’s license number
  • Passport number
  • Financial account information
  • Precise geolocation
  • Race and ethnicity
  • Religion
  • Union membership
  • Personal communications
  • Genetic data
  • Biometric and health information
  • Sexual orientation and sex life information

Sound familiar? Some of these items are reminiscent of GDPR and its categories of sensitive data – genetic data and biometric information, religion, race and ethnicity, sexual orientation and sex life information, and union membership are all held in common between the two regulations. 

As part of this new category of personal information, businesses have to offer transparent disclosures about what sensitive data they process. Those same businesses would be subject to greater restrictions in its use as well. 

Along with the expanded definition, CPRA would allow consumers more extensive rights around the use of their sensitive personal information. Among those rights would be the right to request to correct personal information held by a business if that information is inaccurate. 

This may sound like an odd provision to include in the law, since many businesses already provide this service to their customers as a courtesy. However, mandating a correction mechanism increases the stakes if you don’t. 

Think about it from the consumer’s perspective: It’s all about trust and relationships. When consumers give you their information, they’re trusting you with just that. THEIR information! 

They have a right to access and control it. By helping them exercise that right, your business actively demonstrates their rights and needs matter to you. Your relationship is a two-way street! 

Children’s Data

Protecting children’s privacy has been a major point for CCPA. CPRA takes it even further. Under CPRA, businesses and organizations that violate CCPA’s opt-in right will face triple the amount of fines. 

They will also have to get opt-in consent to sell or share data from any consumer under the age of 16. (Currently, under CCPA, parents must provide consent for children under the age of 13. For children between 13-16, the child themselves must provide consent.) (Currently, under CCPA, this applies to consumers under the age of 13.)  

Transparency

CPRA would add new layers of transparency and data governance policies. One meaningful addition is that it would require businesses to notify consumers at or before the collection of data:

  • Whether information is sold or shared
  • Information on sensitive categories of personal information that are collected
  • How long consumer’s personal information is retained 

Moreover, CPRA would aim to prohibit keeping personal information for longer than is “reasonably necessary” for the specifically disclosed purposes of collection. It would also limit the collection, use, retention, and sharing of data to what is “reasonably necessary” to achieve those same disclosed purposes. 

It’s especially important for your business to take transparency requirements to heart. This isn’t just a legal need. It’s a customer experience need. Think of all the stories in the news about lack of transparency. It may not sink the boat immediately, but it significantly damages your customers’ ability to trust you. 

Data Breach Liability Provision

Data breaches are a significant – and increasing – worry for consumers. Almost half of surveyed consumers in a 2019 report by Ping Identity were more worried about data breaches than they were the previous year. But while they’re worried about it, they expect businesses to help safeguard them: 63% of consumers believe that a company holds responsibility for protecting their data. 

So it’s not surprising that a data breach liability provision was included in CPRA to expand on existing CCPA rules. The CCPA already grants consumers in California the right to bring legal action for damages resulting from a data breach. However, CPRA provides greater clarity by stating that breaches compromising a consumer’s email address and either their password or security question/answer can result in liability for the company.

This provision helps resolve the ambiguity in the current CCPA regarding a business’ duty to implement reasonable security and when a consumer’s right to legal action following a data breach might apply. 

Is your team smart on data breaches? How you handle it has a huge impact on how quickly you recover from one. A training program can make all the difference.

If it’s enacted, would CPRA apply to my business or organization?

If you’re already required to comply with CCPA, then the new terms of CPRA would apply to you. However, CPRA changes the scope of CCPA in some significant ways.

  • CPRA will extend the CCPA’s exemptions for workplace-related information until January 1, 2023 (i.e., for employees, job applicants and business-to-business contacts). If CPRA doesn’t pass, these CCPA exemptions will expire on January 1, 2021. 
  • Increases the threshold of businesses to for-profit entities that process 100,000+consumers or households, meaning that many small businesses would fall outside of the scope of the legislation. However, if enacted, this wouldn’t go into effect until 2023, meaning that these businesses would still need to comply with CCPA requirements.
  • Requires entities sharing common control and common branding that also share consumer personal information to be considered the same “business” 

What if CPRA passes in November? What comes next?

CPRA will be voted on by California residents in the General Election in November 2020. If it passes, eligible businesses and organizations will have until January 2023 to bring their data collection programs into compliance with the new law. 

Two years is a long time, though, in terms of data and security issues. As per CPRA, the California Privacy Protection Agency would be established during this time. Until it is established, CCPA would continue its regulatory work under the Office of the Attorney General.

There is still a lot of discussion to be had around CPRA as November inches closer and closer. But it shows a continued movement towards GDPR-type legislation in the US and increases the likelihood that other states will follow suit. For businesses, this indicates clearly: compliance (and transparency) is becoming more than a best practice. It’s becoming a business necessity. 

We know that new compliance requirements can be a challenge to juggle with existing ones. It can be even harder to make sure that they’re part of your consumer relationships. We’re here to help with that. Contact Red Clover Advisors today for a free consultation.