In May 2020, the privacy advocacy group “California for Consumer Privacy” surprised everyone when they announced that they had collected 900,000 signatures to place the California Privacy Rights Act (“CPRA” or “CCPA 2.0”) on the November 2020 ballot. Current polling suggests that the bill will pass on election day.
The CPRA expands and amends the California Consumer Privacy Act (“CCPA”). The CCPA went into effect at the beginning of 2020. This is why its promoting privacy advocates groups call it “CCPA 2.0”. The CCPA has already had a significant impact outside the borders of California, becoming the de facto standard for data privacy throughout the United States. That is why this bill will be closely watched - it could have a big impact on your business regardless of how close you are to California.
The CPRA brings some new things to the data privacy scene. Let’s take a look at the new provisions, and how the CCPA 2.0 compares to its predecessor.
A New Privacy Enforcement Authority
When the EU’s General Data Protection Regulation (“GDPR”) was enacted, they established an organization called the Data Protection Authority to enforce the laws. The United States hasn’t had an analogous authority that is solely dedicated to enforcing consumer’s privacy rights.
CCPA 2.0 solves this problem by establishing the California Privacy Protection Agency (“CPPA”). The CPPA will be empowered to fine transgressors, to hold hearings about privacy violations, and to clarify privacy guidelines.
Clarity About How to Comply
Since the law passed, the CCPA’s regulations have been criticized for being too vague. Companies often knew they had to comply with the law, but couldn’t figure out how to comply. Requests to clarify details of the law were met by assurances from the California Attorney General that more information was forthcoming, but businesses are still in limbo. The CCPA became effective on January 1, 2020, and began being enforced 6-months later on July 1, 2020.
The CPPA should solve some of these issues. They’re tasked with informing businesses about their compliance (or lack thereof) of the CCPA and CPRA. They’ll also aid offending companies with getting their privacy practices back onside.
New Law. New Terminology
In addition to providing enforcement and clarity, the CPRA will introduce some entirely new concepts to data privacy in California. Here are a handful of GDPR concepts that will be added to the US privacy lexicon with CPRA:
- Right to rectification - Updating and adding to the consumer’s right to correct inaccurate personal information.
- Right to restriction - Granting consumers the right to limit the use and disclosure of their sensitive personal information.
- Sensitive personally identifiable information - Not all personally identifiable information (“PII”) will be created equal with the new law. Certain types of information, like your Social Security Number, will carry a “sensitive” distinction.
New consumer rights must be submitted as “verifiable requests” as determined in the CCPA for the rights to deletion and to disclosure, referring to the specific right which is being requested.
Automated Decision Making and Information of Minors
The CPRA determined that companies collecting personally identifiable information of consumers are required to clearly and transparently inform them when they employ automated decision-making technology.
The CPRA beefs up punishments for breaches involving children’s data. Any administrative fines are three times as much for kids’ PII. Additionally, the law also will affect how consent is managed and obtained by regulated companies, allowing parents to have more control over the personal information of their children.
Other changes introduced by the CPRA
The sections above only include some of the most significant updates slated to come with the passing of the CPRA. Some other notable changes include:
- The obligation of companies to protect privacy rights of their employees and independent contractors. Businesses are explicitly obligated to protect their employee’s data privacy, but there are some minor distinctions between their privacy and how consumers’ privacy is handled.
- Lawyers love defining words. They took the CPRA as an opportunity to redefine some key terms. These include the meaning and scope of the term “business” in the CCPA, what a “breach” includes and the reparation or “cure” thereof.
- Grant flexibility to the created agency to keep the privacy laws up to date over time, in an attempt to keep the law current and applicable.
- Give the agency authority to prevent future attempts by businesses to circumvent or otherwise not comply with the CPRA. This is an important wrinkle, as nefarious actors tried to undermine the level of protection granted to consumer privacy as soon as CCPA 1.0 was passed.
There’s No Time to Waste
If the bill passes, businesses will have a year to prepare. The law will technically become January 1, 2023 and become enforceable on July 1, 2023. BUT, the bill would apply over personal information collected by companies on or after January 1, 2022.
A year and a half to prepare for new privacy regulations might sound like a long time to you and me, but these new rules can get complicated fast at larger organizations. That’s why we’d recommend that you get a platform like Osano that keeps your privacy compliance up to date as the laws change.
Update - June 26th, 2020
CPRA has qualified for listing on November's general election ballot. The National Law Review has a good writeup about the ballot qualification. Caliornian's have overwhelmingly voiced their support for this initiative and it is widely expected to become law.