CPRA: A New Era of Consumer Data Privacy and Transparency
While we’ve already talked extensively about the existing California Consumer Privacy Act (CCPA) which came into being on January 1, 2020, consumer privacy laws are fluid and rarely stop at the status quo. Enter the new California Privacy Rights Act (CPRA), a data privacy bill that passed in November of 2020 and will become law as of January 1, 2023.
The key thing to understand here is that the CCPA and CPRA are not two separate laws. The CCPA simply lays the foundation of consumer data privacy rights in California.
The CPRA is an addendum to the existing CCPA that expands its provisions, clears up ambiguous passages, adds technical regulations for all web traffic, sets clear rules on how businesses may use consumer data, and adds new protections for consumers throughout their digital journeys in California. Again, the CPRA is set to come into effect on January 1, 2023, with a ‘lookback period’ that extends back to January 1, 2022. This means that businesses are liable for adherence to the CPRA for all data collected in California from January 1, 2022 onward.
Why did CPRA come about?
The CPRA came into being as a result of a second data privacy ballot initiative by Californians for Consumer Privacy, a non-profit led by Alastair and Celine Mactaggart. The CPRA was filed on November 13, 2019, a month after the CCPA amendments were made into law. By June 25, 2020 the initiative had garnered over 900,000 signatures in support, which qualified it for the November 3, 2020 ballot.
The process for formally articulating and adopting the CPRA regulations into the CCPA is expected to start on July 1, 2021. This essentially means that businesses with digital activities that fall under the jurisdiction of California have a two-year period to comply with the CPRA regulations.
What’s new in the CPRA?
Creation of the California Privacy Protection Agency – The CPRA will give rise to the California Privacy Protection Agency, a new entity comprising a five-member board that will oversee the implementation and enforcement of the CPRA. The members are expected to feature individuals with distinguished expertise in privacy, technology and consumer rights, and each will serve for a single 8-year term.
The California Governor has the right to appoint the chairman of the board as well as one other board member. The Attorney General, Senate Rules Committee and Speaker of the Assembly will appoint the rest of the members. The Agency is also set to engage a Chief Privacy Auditor who will be responsible for regular business audits to ensure compliance with CPRA.
Protection of Consumer Rights – The CPRA essentially adds teeth to the CCPA by both modifying rights granted by the CCPA and providing new rights more in line with the EU’s overarching data privacy rights guaranteed by the GDPR. Most notably, the CPRA makes it mandatory for all businesses and service providers to comply with requests for consumer data deletion.
The CPRA redefines the term ‘sharing’ of information to include disclosing personal information to any third party for the purpose of cross-context behavioral advertising. It expands the consumer’s right to opt out of the sale of personal information by also including the option to opt out of the sharing of personal information.
Personal information is broadly defined as data containing ID numbers, account details, location, biological, genetic, and diversity data, as well as mail content. Additionally, consumers now have the right to correct data if recorded inaccurately as well as restrict the use of their personal information. To adhere to the law, businesses need to update existing opt-out links with “Do Not Sell or Share My Personal Information.”
Effective Cloud Migration solution providers should take note of the updated provisions to ensure that they offer solutions that are in compliance.
Clear technical obligations by Businesses and Service Providers
While the CCPA had passages that were open to interpretation, the CPRA goes into exact technical detail and spells out the parameters for personal information usage by businesses. These include:
- Clearly stating the length of time that businesses intend to store personal data
- Maintaining contact with each entity with which they have shared personal information and ensuring the protection of all personal information
- A change in the definition of ‘business purpose’. To that point, the CPRA categorically states that non-personalized advertising based on a consumer’s current interaction with a business constitutes a valid business purpose. Even in that case, the CPRA disallows the use of precise geolocation data (a radius of 1,850 feet around an individual).
- The CPRA also disallows cross-context behavioral advertising as a business purpose. It is defined as “the targeting of advertising to a consumer based on the consumer’s personal information obtained from the consumer’s activity across businesses, distinctly-branded websites, applications, or services, other than the business, distinctly-branded website, application, or service with which the consumer intentionally interacts.”
- Exemption for employee and B2B information. The CPRA continues to allow for the CCPA’s exceptions for personal information collected in the course of employment and business-to-business contexts. Their sunset provisions extend until January 1, 2023.
Adherence to privacy regimes should be a key component of any Cloud Migration Assessment now.
- Scope of the CPRA – The CPRA is applicable to all businesses that process over 100,000 California consumers’ personal information.
- Governing agreement with all parties privy to shared PI – Building on its intent that businesses maintain contact with the organizations they have shared consumer personal data with, the CPRA makes it mandatory for businesses to have governing agreements with any entity with which they have shared consumer PI. These agreements must clearly spell out the limited and specific purposes for which the data is shared.
Ensure business compliance with Cookiebot
With governments across the globe tightening regulations around data privacy, including the EU’s GDPR/ePR, Brazil’s LGPD, South Africa’s POPIA and more, businesses now need a plug-and-play consent management platform (CMP). Cookiebot currently offers full compliance with the combined CCPA/CPRA data privacy regime. Improved Enterprise Security Solutions offerings should also include provisions for compliance with data privacy regimes.
Shamrock can help your business prepare for CCPA compliance
Shamrock Consulting Group is an industry-leading solutions provider for managed data security services. Our Enterprise Security Solutions experts understand exactly how your business utilizes data and how the information flow can be managed for strict compliance to ensure transparency for your customers.
More importantly, we can help you stay compliant and avoid heavy penalties in a way that is the most cost-effective and easily repeatable for your business.