One of the most widely watched legislative measures on the ballot in the 2020 U.S. elections was a privacy proposal for California voters. The passage of Proposition 24, also known as the California Privacy Rights Act (CPRA), amends the recently implemented California Consumer Privacy Act (CCPA), which is already notable as the first comprehensive data protection law implemented in the country. The CPRA drew mixed reactions ahead of the election, with opposition from businesses and privacy advocates who argued that it enabled “pay for privacy” schemes, among other controversial provisions. While these arguments are not without merit, overall, the CPRA is a big step forward in protecting consumer privacy.
A New Sheriff in Town
One of the most noteworthy provisions of the CPRA creates the first agency in the United States dedicated solely to privacy. The California Privacy Protection Agency (CPPA) will take over enforcement responsibilities and rule-making activity from the California attorney general’s office. The creation of a dedicated agency will likely mean greater enforcement activity and more compliance incentives. Indeed, under the EU’s General Data Protection Regulation, member states have their own data protection authorities and have brought more than 3,200 cases in 2020 alone.
The CPRA also dramatically changes the requirements for compliance. The law introduced a new definition of sensitive personal information (SPI) that is even broader than the “special categories of personal data” designation under the GDPR. CPRA’s SPI definition includes new data types like precise geolocation, genetic data, religious beliefs, biometrics and health data.
Companies also must offer consumers new options to limit the use and disclosure of their sensitive personal information. Building on the expanded definition of SPI, the CPRA includes new requirements regarding data retention and data minimization, as well as annual audits and independent cybersecurity risk assessments for businesses that perform processing that presents significant risks to consumer privacy or security.
The CPRA’s changes are particularly significant for the advertising technology industry. While some advertisers have argued that CCPA’s “do not sell” requirement does not equal an “opt-out” of targeted advertising, CPRA effectively ends that debate. It incorporates the additional ability for consumers to opt-out of sharing their information, specifically for behavioral advertising purposes. Between passage of the CPRA, efforts by major internet browsers to do away with third-party cookies, and Apple’s iOS14 privacy updates to provide a required opt-in to “tracking,” the ad tech industry will need to evolve or risk becoming obsolete.
This new de facto minimum national standard for consumer privacy raises the bar for efforts to pass federal legislation before CPRA goes into effect in January 2023. A number of states had proposed their own privacy bills before the pandemic hit and, as the world starts to return to normal, the CPRA will likely inspire a resurgence of these proposals. For example, the Washington Privacy Act is a state bill that borrows pro-consumer provisions from both CPRA and GDPR. Many are also closely watching the State Uniform Law Commission’s draft proposal, which aims to create legislation that all states could adopt.
Even if they are already CCPA compliant, businesses will need to make a number of changes to align with CPRA. The good news for these enterprises is that they will have several years to work toward compliance. As companies begin developing CPRA compliance plans, they should:
Coordinate a multi-stakeholder approach. Whether it is a Fortune 100 corporation or a family-owned business, it is critical that companies designate a cross-functional team to manage CPRA compliance processes. This team should include legal, cybersecurity and data governance professionals, in addition to the business leaders who manage the company’s data processing activities.
Know your data. Given the breadth of the new SPI definition and requirements, one of the main practical challenges for enterprises will be ensuring they truly know their data. Traditional approaches to data discovery like surveys and manual inventories do not always accurately identify all of the data the organization controls. Companies should invest in automated tools to ensure they can accurately discover and classify SPI, and can quickly act on consumer requests.
Audit existing data protection practices. If an organization qualifies for annual risk assessments, it should act now to get ahead of the curve. Companies should conduct a full audit of internal privacy and security protocols to ensure they are prepared if and when regulators come knocking.
The CPRA introduces a number of new and expanded requirements for companies, but adjusting to this new environment does not need to be daunting. A proactive and data-centric approach to compliance can dramatically mitigate the threat of enforcement, minimize business risk, and increase consumer confidence in the data, thereby benefitting the entire organization.