Stay Ahead of the Compliance Curve
On November 3, 2020, California residents made it clear that their privacy is a top-of-mind issue for them when they overwhelmingly passed the California Privacy Rights Act (CPRA). CPRA expands on the already-established California Consumer Protection Act, making California legal code the source of the most comprehensive privacy regulation in the United States.
While CPRA won’t come into force until January 2023, you’ll need to plan ahead to anticipate new consumer rights, regulatory obligations, and enforcement mechanisms.
FAQ
How is CPRA different from CCPA?
The California Consumer Protection Act, which became enforceable on July 1, 2020, is landmark privacy legislation. It applies to businesses that do business in California or collect personal information from California residents, and that either earn more than $25 million in annual revenue OR collect/process 50,000 consumer records annually OR derive 50% of annual revenue from selling personal information. Those businesses must provide the following rights to consumers:
- Knowing what information the business had collected about them
- Stopping the sale of their information with an easily accessible “Do Not Sell My Info” button
- Deleting their information from company databases
- Expecting businesses to take reasonable security measures for safeguarding data
- Accessing their information in a portable format
- Special protections for minors
CPRA clarifies the vaguer aspects of CCPA. Like CCPA, CPRA applies to businesses that operate in California and/or collect information from California residents and either earn more than $25 million in annual revenue OR derive 50% of annual revenue from selling personal information. But CPRA relieves small businesses of compliance obligations by raising the threshold for the number of records processed annually from CCPA’s 50,000 to 100,000.
CPRA keeps CCPA protections, but requires increased risk assessment obligations for businesses and adds more consumer rights, including:
- The ability to browse without pop-ups or sale of information.
- Specific protections for a new category of personal information (SSN, precise geolocation, driver’s license number, financial account information, race/ethnicity, religion, health data, sexual orientation).
- Limits on the time personal information can be stored, and the amount of data that can be collected.
- Right to opt out of advertisers using precise geolocation to send targeted ads.
- Increased transparency around profiling and automated decision making.
- Civil liability exposure for businesses if data breaches result in sensitive personal data being compromised.
- More robust restrictions on collecting data from minors and increased fines for violating said restrictions.
- Enforcement of CPRA regulations and other privacy laws via the newly created California Privacy Protection Agency (CPPA).
The General Data Protection Regulation (GDPR) was described by everyone as the European Union's “game-changing data privacy law.” It went into effect in March of 2018 and businesses have been chasing compliance ever since.
They aren’t wrong. GDPR is the biggest data protection law to come about in the last 20 years since the internet, mobile devices, e-commerce, social media, and big data took off. It affects businesses of all sizes around the world.
But what does that really mean?
In plain English, the GDPR sets guidelines that businesses, organizations, non-profits, essentially anyone who touches someone’s personal information in connection with goods and/or services offered to EU residents, must follow. Money doesn’t even need to change hands: the rules can apply if you’re asking for people’s personal information in exchange for information, a subscription to an email list, etc.
GDPR instructs businesses and organizations, but at its core it’s about giving individuals control over their data. GDPR includes a number of provisions designed to provide that control, including:
- The right to be informed
- The right to access
- The right to rectification
- The right to erasure/to be forgotten
- The right to restrict processing
- The right to data portability
- The right to object
- Rights in relation to automated decision making and profiling
Combined, all of these rights give EU residents the ability to be informed about and understand how their personal data is being collected, stored, and used by companies. Companies have to get people’s consent before using their data, and they have to delete it if asked to. Learn more about the full scope of GDPR rights and how they differ from the new data protection law, CPRA.
What do I need to do differently?
What you will need to change depends on where you are in your privacy strategy journey. If you are CCPA compliant, simple tweaks can improve the responsiveness and security of your data inventory, which will make responding to individual rights requests much more efficient. You'll have to keep better track of the data you’re collecting, how you’re using it, and how long you are storing it, but the bulk of the work is likely behind you. It will also be necessary to make sure you have adequate and more frequent audits and risk assessments, but you should be doing that, anyway.
If you’ve never heard of CCPA or CPRA, you have a little more work ahead of you. But don’t worry! We can get you there.
How long do I have?
Good news! Time is on your side. CPRA doesn’t go into effect until January 1, 2023, with a lookback period beginning January 1, 2022. But two years will go faster than you think. And as other states and countries pass their own privacy legislation, companies that have already begun implementing privacy best practices will not only be able to respond to changes more quickly, they will also be able to capitalize on the goodwill that customer-centric data policies deliver.
And by the way, even if you don’t do business in California or you collect fewer than 100,000 records a year, it’s still in your company’s best interest to stay in line with (or ahead of) trends in privacy regulation. The reasons are numerous: vendors might want to vet your privacy operations before doing business with you, and you might be planning to expand operations and want to stay ahead of compliance.
And, as always, customer expectations for privacy are significant. Just because you think you’re too small doesn’t mean your customers are inclined to give you a break for that: consumer expectations are the same across the board when it comes to privacy and security. No hall passes.
Who enforces CPRA?
CCPA’s reliance on the extremely busy California Attorney General’s Office for enforcement actions is one of its biggest weaknesses. CPRA rectifies this oversight by creating the California Privacy Protection Agency (CPPA), the nation’s first agency dedicated solely to monitoring and enforcing privacy law.
The law states that the CPPA was created to “vigorously enforce” the CPRA. Besides enforcement and rulemaking, the CPPA is also tasked with educating consumers and companies about their privacy rights, which means it will be watching your company from every angle. The agency will have the funds and resources to partner with other agencies, allowing for a more aggressive crackdown on violations.
What kind of exposure comes with non-compliance/data breach?
Under CPRA, your users can claim compensation and other relief for breaches that expose email addresses, passwords, and security questions/answers, in addition to breaches that expose financial or identity-related data. A breach can also result in your company facing increased administrative sanctions from the newly created CPPA. While it’s not yet clear exactly what the remedy parameters will look like, the old way of doing business is over.