August 24, 2022
For a long time, California has been a leader in making sure its citizens’ privacy is protected. In the early days of the modern Internet, it was California that led the charge in making sure websites didn’t deceive visitors or otherwise use deceptive practices by collecting data without a privacy notice. Today, it is California, too — with the California Privacy Rights Act (CPRA) building on the California Consumer Privacy Act (CCPA) — that is leading the way in making sure consumers have control over how businesses collect and share their personal data.
As more states — like Virginia, Connecticut, Colorado, and Nevada — join California in implementing comprehensive privacy legislation, it is vital to understand the requirements of California’s privacy regime. Not only will it allow you to continue to access what amounts to the world’s 5th largest economy, but it will also put you in good standing with the rest of the U.S. states and get you in good shape for complying with stricter global privacy laws, like the EU’s GDPR or China’s PIPL.
In this blog, we’ll take a look at:
Let’s get started.
It’s best to think of the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA) as essentially the same thing.
The CCPA passed through the California legislature and was signed by the governor in 2018, with an effective date of Jan. 1, 2020. However, the Californians for Consumer Privacy (the group that pushed hardest for the CCPA) almost immediately felt it wasn’t strong enough. They started a campaign to make it stronger and more protective of consumer rights to control the collection and use of personal information.
This led to a citizen’s initiative ballot question in 2020, called the CPRA, which built upon the CCPA, changing some of the text, adding other text, and clarifying some questions around enforcement and who’s actually covered by the law.
At this point, for all intents and purposes, the CPRA is the only law you need to worry about, as it’s like the CCPA+, or CCPA 2.0, and it covers the entirety of the text you need for understanding the California privacy law.
Further, the vast majority of it comes into force on Jan. 1, 2023, so it’s barreling toward you, whether you’re ready for it or not, and the CPRA covers data collected starting Jan. 1, 2022, so in many ways, we’re already in the CPRA era.
The California Consumer Privacy Act of 2018 is already in force, and now it is being updated by the California Privacy Rights Act, which comes into force on January 1, 2023, with enforcement beginning on July 1, 2023. This home page created by the drafters of the CPRA is an excellent resource if you’d like to really dive into the text changes and law updates.
The CPRA changed the rules for who has to comply only slightly. As of Jan. 1, 2023, the CPRA applies if you are a for-profit organization that “does business” in the state of California, collects the personal data of Californians or has it collected for you, and fits one or more of these criteria:
In theory, you could have to comply with CPRA one year and not the next, depending on your revenue mix and business initiatives, but the CPRA is in line with many laws around the country and the world, and most of what it requires will likely soon be considered general best practice, so it doesn’t make a lot of sense to try to figure out each year whether you can get out of it.
The penalties for not complying with the law haven’t changed much from CCPA to CPRA. However, the new CPRA empowers the Attorney General, California’s 62 different district attorneys, and a brand-new California Privacy Protection Agency to enforce it, with those powers coming into force on July 1, 2023.
That means there are a lot more “cops on the beat,” so to speak, with the ability to investigate business practices and bring actions to penalize those organizations that are not in compliance.
Each person affected in a violation constitutes an “offense,” so the fines can add up quickly, especially if you are willfully negligent. And, the bad news: If you’re reading this, and then decide not to bother with compliance, you’re being willfully negligent. Oops.
Is it likely that California enforcers will look kindly on businesses that make small mistakes or have small oversights in their compliance plans, especially in the first few years? Absolutely.
Is it likely that “I had no idea I had to comply with this law,” will work as an excuse when a regulator comes calling? Absolutely not.
How serious is California? In the CCPA, there was a 30-day grace period where you were offered a chance to fix your violations. In the CPRA, there is no such grace period.
First, and most importantly, you need to make sure “consumers” (which with the CPRA now includes your employees if they are California residents) can exercise their new rights to control the collection and use of their personal data, many of which have been augmented in some way.
Remember: “Personal data” or “personal information” is defined broadly in both the CCPA and the CPRA as “information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.” Unless you take steps to de-identify data after you collect it, much of the data you collect from customers and employees is personal data by law in California.
The CPRA also now puts the onus on you to make sure consumers (and employees) know their privacy rights, which means explaining their rights at the point of collection as part of the notice provided to people right when they’re giving you their data.
You also need to abide by a new set of “privacy principles” in all of your data-handling practices, many of which are new with the CPRA:
The brand-new California Privacy Protection Agency (known as the CPPA, which isn’t confusing at all, surely) is tasked by the CPRA with creating a number of “rules” after consultation with stakeholders. These rules were supposed to be issued by July 2022, but the agency has still yet to issue its final rulemaking.
As of late August 2022, these were the proposed regulations from the CPPA, which were not yet final. At 66 pages, this additional rulemaking adds considerable complexity. Make sure to keep tabs on it. Perhaps most helpfully, the draft regulations from the CPPA contain a number of examples and scenarios that help you understand how to comply with some of the rules and consumer rights.
One rule that you can certainly expect to come through, as the CPRA instructs the CPPA to create regulations, is that certain collections and uses of personal information will trigger mandatory “risk assessments,” which must be filed with the CPPA to prove you’ve considered the dangers surrounding the data collection and mitigated the risk of harm to the consumer.
Be prepared to create a process in your organization for conducting these risk assessments.
For a quick, at-a-glance look at other changes from CCPA to CPRA, here’s a handy chart:
What’s Changed Between CCPA and CPRA?

| | CCPA | CPRA |
| --- | --- | --- |
| Enforcement | California Attorney General’s Office | Newly created California Privacy Protection Agency, plus the AG and District Attorneys |
| Profiling | N/A | Consumers can opt out of automated decision-making. |
| Sensitive data | N/A | New definition of some data as “sensitive.” Businesses must disclose how they collect, use, sell, and share sensitive data. Consumers may opt out of the use, entirely, of their sensitive data. |
| Data minimization | N/A | Businesses must only collect and retain what’s “reasonably necessary” and “proportionate” to the intended purpose. |
| Consumer remedies | Consumers may file a private right of action when a lack of reasonable security leads to a breach. | Expands the private right of action to include remedy for breached data that includes consumers’ email address and password or security question. |
| Risk assessments | N/A | For certain collection and use of personal information, organizations will have to conduct risk assessments before beginning the collection or use process. |
| Deletion | Businesses must fulfill validated consumer requests to delete their data. | Companies fulfilling legitimate deletion requests must also notify third parties to delete such information. |
| Third parties | Not defined. | Third parties defined; excludes service providers and contractors. Businesses must impose CPRA-level contractual obligations on third parties before sharing, selling, or disclosing personal data. |
| Opt-out links on websites | Businesses must have a “Do not sell my personal information” link. | Companies must have a “Do not share my personal information” link and a “Limit the use of my sensitive personal information” link. |
| Fines | Up to $7,500 per violation or $2,500 per unintentional violation. | Automatic $7,500 fine for violations of minors’ data (children under the age of 16). |
CCPA and CPRA compliance is an all-hands-on-deck sort of thing, but will look different at every organization, depending on the type of personal information you’re collecting and your business plan. CEOs and CIOs often lead the charge, but because so many departments collect and use consumer data, they all must understand the new data privacy law and take responsibility for what they do with personal information.
Often, organizations appoint a chief privacy officer (CPO) or a privacy director of some kind, often in the legal or compliance team, who is tasked with establishing and overseeing a privacy compliance program, which is ongoing and regularly audits how personal information is being collected and used.
For example, marketers consistently rely on consumer data to influence their campaigns. Consumer data is precisely what makes companies able to effectively target their marketing efforts to the right people at the right time to increase sales. Every time a consumer is tracked with a website cookie, fills out a form, or makes a purchase online, they are giving the company their personal information, which is now protected by the CCPA and the CPRA.
These marketers need to be trained in how to comply with the law and systems need to be put into place to make sure they follow policy.
The same goes for your sales department. All of that customer data that’s stored in systems such as Salesforce must be protected and used only appropriately. If it’s shared with other departments, those departments now have some ownership. You can see how quickly and easily consumer data spreads across the organization.
Of course, many large companies will be using third parties that do things like perform sophisticated data analytics, fill in profiles for people with only partial records, and more potentially privacy-invasive activities. These third-party relationships must be managed via contracts and audits, as you’ll be responsible for how they handle the data supplied to you by your customers and employees.
For this reason, companies should establish a systematic way to adhere to CCPA and CPRA requirements. That means cleansing and reviewing all databases to ensure the organization can identify consent. It means putting consent pop-ups and policies front and center on your website. It means notifying consumers of how their personal data is collected, stored, used, and shared. Being proactive is the best way to minimize the risk of non-compliance.
Does compliance sound difficult? It is. The CPRA, especially, represents a step-change in the responsibilities many American companies have in regard to handling personal data.
Luckily, many companies, like Osano, have created software packages that allow you to:
Well, yes and no. The CCPA and CPRA don’t focus on the mechanisms involved in how personal data is collected and used; they focus only on the fact that personal data is actually being collected and used.
Thus, if your cookies don’t collect personal information, California privacy law isn’t particularly worried about them. But, if your cookies do pass along personal information to your organization or others, then all of the CCPA and CPRA rules apply.
Got it? Luckily, there are plenty of cookie consent managers out there to help make sure you know the difference between essential cookies and those that collect data (and those that do both).
The people behind the CCPA and the CPRA, and now the staff of the newly created California Privacy Protection Agency are first and foremost concerned with protecting the privacy of California consumers. They are very likely to prioritize enforcement against the most egregious violators of the law.
However, that does not mean they don’t care about the little guys. While how the CPPA will act is somewhat unpredictable, you should expect audits of classes of websites, round-ups of certain types of violations that include large groups of companies, and other enforcement action that seeks to prod large sections of the California marketplace into compliance.
Most especially, you don’t want to be caught looking like you don’t care. Good faith efforts will result in kind attention from the regulators; pleas of ignorance will result in much harsher treatment, indeed.
Writer at Osano
Sam is a journalist and head of West Gray Creative, a content services firm based in Maine. In a former life, he was director of content at the IAPP and has run publications in the security, workboat, and 3D reality capture spaces. Currently, he serves as the chair of his local school board, fronts the World Famous Grassholes, and would like to be a professional baseball player when he grows up.