It’s Time for Privacy Pros to Make a Strategic Shift
The importance of effective data privacy can no longer be ignored.
Read NowGet an overview of the simple, all-in-one data privacy platform
Manage consent for data privacy laws in 50+ countries
Streamline and automate the DSAR workflow
Efficiently manage assessment workflows using custom or pre-built templates
Streamline consent, utilize non-cookie data, and enhance customer trust
Automate and visualize data store discovery and classification
Ensure your customers’ data is in good hands
Key Features & Integrations
Discover how Osano supports CPRA compliance
Learn about the CCPA and how Osano can help
Achieve compliance with one of the world’s most comprehensive data privacy laws
Key resources on all things data privacy
Expert insights on all things privacy
Key resources to further your data privacy education
Meet some of the 5,000+ leaders using Osano to transform their privacy programs
A guide to data privacy in the U.S.
What's the latest from Osano?
Data privacy is complex but you're not alone
Join our weekly newsletter with over 35,000 subscribers
Global experts share insights and compelling personal stories about the critical importance of data privacy
Osano CEO, Arlo Gilbert, covers the history of data privacy and how companies can start a privacy program
Upcoming webinars and in-person events designed for privacy professionals
The Osano story
Become an Osanian and help us build the future of privacy!
We’re eager to hear from you
Updated: April 11, 2023
Published: January 27, 2022
In January 2022, Osano assembled privacy attorneys with extensive experience working on compliance with California's latest privacy law: The California Privacy Rights Act. The following is a transcript of the highlights.
You'll hear from Catherine Dawson, general counsel at Osano; Julian Flamant, associate at Hoan Lovells; and Jevan Hutson, associate at Hintze Law.
If you prefer, you can watch the webinar in full here.
How do I know if the CPRA covers me?
The CPRA covers companies that make more than 50% of annual revenue from selling or sharing personal information. It also can apply based on size: Any company doing business in California that did more than $25 million in revenue the preceding year is covered. It can also apply based on scope: If you sell or share the personal information of more than 100,000 consumers or households in California.
The CPRA created:
Does CPRA shift the landscape?
Catherine Dawson: Yes, the legal landscape is really evolving, and I think it'll just continue to evolve. The CPRA is one big piece of that. CPRA will have additional regulations (on top of the CPPA), and there's a new privacy office that's been established under the CPRA. The changes involve much more than amending your privacy policies and adding a "do not sell" link. The CPRA will require companies to have a very good handle on what personal information they collect, what they do with it, where they store it, and with whom they share it. This is a shift for companies that have not been subject to the GDPR or have not devoted significant resources to the GDPR or compliance. It takes a lot of cross-team support within organizations to really be in compliance.
What are the most significant changes to the CCPA under the CPRA?
Julian Flamant: The exemption for employee and business-to-business data goes away. Under the CCPA, businesses only have to give notice at the point of data collection. But now, employees have access rights to their data. They may ask to see the data that's been collected and request deletion or correction. The same goes for B2B communications. An individual has rights to the data collected about them if it occurred as part of a B2B relationship.
There's a potential to need a lot of resources for that because employees tend to be interested in what their employer is saying about them.
Dawson: That's a really important point. Under the GDPR in Europe, claims with respect to access to employee data has been an area where there's been a lot of litigation. It's unfortunate that this exemption is going to go away.
Flamant: Those complaints can lead to pretty significant enforcement actions, so this is really an area to pay attention to.
Access and deletion rights
Under CPRA, there's a new right for correction and a right to restrict the use of sensitive data. There's also an opt-out for data sharing, and there's no longer a 30-day "cure" period for companies to remedy breaches or slipups before a regulator considers enforcement action.
Flamant: Companies need to be a lot more thoughtful and potentially risk-averse at the outset when they're developing their compliance practices.
What should small companies do?
Jevan Hutson: Small companies really need to determine whether the CPRA applies in the first place. The change in the law's threshold from 50,000 consumers to 100,000 consumers is likely to mean that more small businesses and small companies are likely to be outside the scope of the CPRA. We always have to figure out whether CPRA is in scope.
We look back to some of the points made at the beginning of this call. It really comes down to understanding your data flows and data inventories. Sometimes smaller teams don't really have the appropriate accounting.
From there, we want to think about identifying and reviewing third parties that are processing personal data on the company's behalf and then reviewing public-facing representations and policies.
If I'm a small company and comply with CCPA, am I pretty close to CPRA?
Hutson: I think you're in a good spot, especially now that you will have 13 months until the CPRA comes into compliance.
So we're seeing a dynamic environment where you know, new potential regulations and rules are to coming into play, where we're dealing with a moving landscape, and that's going to be harder (to comply).
Enforcement
The CPRA created a new privacy enforcement agency, the California Privacy Protection Agency. It can bring the same fines the state attorney general can but on an administrative basis.
Flamant: So you have a lot more liability in dollar figures because of the possibility for that administrative fine. The CPPA and the California Attorney General are going to work together, and ultimately the California Attorney General has to step in and pursue civil penalties for the courts. My sense is that's kind of reserved for potentially much larger actions.
There's also the advantage that the deadline for adopting the regulations is July 1, 2022, so about a half of a year before the law actually comes into force. I'm certainly grateful for that timeline, and I think companies will be too.
To watch the webinar in full, go here.
Are you in the process of refreshing your current privacy policy or building a whole new one? Are you scratching your head over what to include? Use this interactive checklist to guide you.
Download Now
Osano Staff is pseudonym used by team members when authorship may not be relevant. Osanians are a diverse team of free thinkers who enjoy working as part of a distributed team with the common goal of working to make a more transparent internet.
Osano is used by the world's most innovative and forward-thinking companies to easily manage and monitor their privacy compliance.
With Osano, building, managing, and scaling your privacy program becomes simple. Schedule a demo or try a free 30-day trial today.