California voters approved a new and even tougher data privacy act. What happens now?
- The CPRA greatly limits how organizations can use personal data and moves the U.S. rules closer to the EU's GDPR.
On November 3, California voters approved the California Privacy Rights and Enforcement Act (the CPRA), a comprehensive privacy law that amends and expands the California Consumer Privacy Act (CCPA), a privacy law that had only just gone into effect in the state on January 1, 2020.
Among the most important provisions, the CPRA creates new, more stringent requirements for companies that collect and share sensitive personal information and creates the California Privacy Protection Agency, a new agency that will be responsible for enforcing CPRA violations with the aid of the state's Attorney General. The CPRA will become effective on January 1, 2023.
For some guidance on what companies should be doing now, I turned to Karen Schuler, a Practice Leader at BDO's Governance, Risk and Compliance National Practice and Principal at BDO Digital, with whom I discussed the CCPA last year:
The CPRA adds teeth to many of the rules that already existed in the CCPA by beefing up existing rules and setting some pretty tough new regulations, especially around what is defined as "sensitive information" and companies that violate children's data protection requirements. Perhaps most importantly, it creates a new state agency, backed by the Attorney General, with real power to enforce them and to levy hefty fines on violators.
Most privacy experts believe the CPRA moves California closer to the European Union's General Data Protection Regulation (GDPR) model, which means companies that are already complying with GDPR should find adjusting to the CPRA less complex and costly. Said Schuler:
Under the CPRA, consumers will be able to correct inaccurate personal information that businesses have about them, as well as opt out of a business's sale of sensitive personal information, and even opt out of the mere use of sensitive personal information even if it's not sold. This rule moves the CPRA close to the EU notion of "the right to be forgotten."
The CPRA defines "sensitive personal information" as a wide range of data points that includes things like account and login information, precise geolocation data, the contents of mail, email and text messages, Social Security numbers, driver's licenses, passports, financial accounts, race, ethnicity, religion, union membership, personal communications, genetic and biometric data, health information, and anything about sex life or sexual orientation. Said Schuler:
This will be difficult for many companies. You'll need to identify whether you have this type of sensitive personal information stored in your databases, where it resides throughout the organization, then determine if it falls into any of these "sensitive" categories, and, if it does, whether you have the proper controls around it.
And I would go as far as to say you need to understand how and why you collected that data in the first place. Was it for a real need or purpose, and is there a real, legitimate need for it? I would also look to my retention schedule and my policies around retention and see if there's any way I can automate all or portions of retention, because that is also going to help your company manage the data better by limiting what you collect and how long you keep it.
This is important, Schuler said, because the CPRA sets limits on the collection and retention of personal information, requiring a business to retain only that which is reasonably necessary to achieve the purposes for which the personal information was collected or processed. In addition, the CPRA requires businesses to inform consumers of the length of time the business intends to retain each category of personal information and sensitive personal information, or the criteria used to determine that period.
The CPRA also expands the private right of action for consumers to bring claims against a business for the unauthorized access or disclosure of an email address and password or security question that would permit access to an account, along with access to a consumer's non-encrypted and non-redacted personal information. It creates triple damages for violations relating to consumers who are minors under the age of 16.
One provision of CPRA that has been widely applauded by businesses is the extension of CCPA's existing employee exception and business-to-business exception to January 1, 2023. The current exemptions under the CCPA for handling of employee or business-to-business data were set to expire on January 1, 2021, but CPRA immediately extends the CCPA's existing partial exemptions for information relating to businesses' employees and job applicants, as well as information collected from consumers in a "business to business" context, until at least January 1, 2023.
Who is subject to the CPRA?
The CPRA changes the thresholds at which businesses fall under the rules. A business is covered if it meets any of the following:
- It has gross annual revenue of over $25 million. This provision of the CCPA remains unchanged.
- It derives at least 50% of its annual revenue from sharing or selling the personal information of California consumers. The big change here is the addition of the word "sharing" of personal information, not just selling.
- It buys, sells, shares, or collects the personal information of more than 100,000 California consumers or households. This raises the threshold from 50,000 under the CCPA to 100,000 under the CPRA, which means more small businesses will be outside the scope of the CPRA; that lets a lot of small businesses off the hook.
Schuler believes that the key for companies is to start looking at their data privacy policies now:
Ask yourself, how good is our data hygiene? How much do we know about the data we have? How much do we know about where it goes? Are our contracts up to date? The thing that still amazes me is how seriously companies are taking this now. And I think it is because of some of the fines that have come out over the last several years. Obviously, some of the larger companies are not all that affected by larger fines, but at the small business and startup end of the spectrum even a few thousand dollars can be devastating. I don't know anyone in the privacy and compliance area who isn't taking this very seriously.
One key change the CPRA makes to the CCPA requirements is the extension of the exemption for businesses' handling of their employees' data. The CPRA exempts businesses from meeting the tough consumer privacy standards for their employees until January 1, 2023. However, businesses will still have to comply with certain aspects of employee privacy protection between now and then.
There is lots of chatter about whether the CPRA will become a model for privacy laws in other states. At least eight other states are said to have copycat versions in the works, including New York, Virginia, Florida, New Hampshire, Washington, Nebraska, Maryland, and North Dakota. The pandemic has slowed all those initiatives down, but it is likely they'll be back once "normal" life begins again.
One of the mysteries of the data privacy movement to me is exactly who is driving it. All the action in California and perhaps elsewhere is being pushed by large, well-funded advocacy groups. Maybe this is a misconception on my part, but individual consumers don't seem all that concerned or interested. Does anybody have thoughts?