Privacy Regulatory Trends: CPRA and Beyond
Blog Summary [5-minute read]
- 5 substantial provisions from CPRA
- Influence on other states
- 8 provisions for organizational compliance
As with surfing, fashion, music, and food fads, trends in privacy law often spring up in California. The California Online Privacy Protection Act of 2003 was the first privacy law in the United States to require commercial websites and online services to post a privacy policy. The California Consumer Privacy Act (CCPA), which took effect January 1, 2020, has spawned more rigorous privacy laws in other states. And now the California Privacy Rights Act (CPRA) has expanded privacy protections with new categories of personal information and a broader individual right of action for data breaches. While CPRA’s expanded privacy rights are great for consumers, the law complicates the work of privacy teams, especially as other states adopt their own versions of these expansions.
Recently customers have been asking if Radar covers CPRA, as it just came into effect. The answer is yes! Radar helps your organization future-proof compliance with just the click of a button.
Broad Strokes and Devilish Details
While the CPRA initially made headlines for sweeping changes such as introducing a defined category of “sensitive personal information” and expanding the individual right of action, there are also plenty of other substantial provisions and nitty-gritty details guaranteed to create new work for privacy teams. Here are just a few:
- Expanded rights for employees and contractors: The Act extends the privacy rights of consumers to job applicants, employees, and independent contractors. According to the National Law Review, more of the information routinely collected from applicants and employees will now be regulated by CPRA.
- Right to correct: The CPRA gives consumers the right to correct inaccurate personal information that businesses hold.
- New notice requirements: CPRA requires businesses to notify consumers whether their sensitive personal information will be sold or shared, what categories of personal information are being collected, and how long each category will be retained.
- A new enforcement body: The California Attorney General is responsible for enforcing the CCPA, but CPRA creates a new enforcement authority, the California Privacy Protection Agency (CPPA). And while the AG’s enforcement is largely complaint-driven, the CPPA has the authority to actively monitor and audit businesses for compliance with California privacy laws.
- Mandatory risk assessments and audits: Organizations whose processing of personal information presents “significant risk to consumers’ privacy or security” will be required to perform an annual cybersecurity audit and to submit a risk assessment to the CPPA on a regular basis.
Who Does it Affect?
The CPRA applies to any for-profit organization that does business in California and meets at least one of three thresholds: annual gross revenue over $25 million in the preceding calendar year; buying, selling, or sharing the personal information of 100,000 or more California consumers or households per year; or deriving fifty percent or more of annual revenue from selling or sharing consumers’ personal information.
Privacy teams in some businesses will need to monitor revenue levels and revenue sources to know if their businesses need to comply with CPRA.
The CPRA expanded the set of organizations subject to California privacy law by counting businesses that share personal information, not only those that sell it. If a business was already subject to the California Consumer Privacy Act (CCPA), it is likely subject to the CPRA as well.
Additionally, the CPRA imposes direct obligations on service providers, contractors, and third parties that process, possess, or receive California consumers’ personal information on behalf of a business.
Will Other States Follow CPRA?
There is continued speculation about how CPRA will influence privacy laws in other states. An article in CSO presented both sides of the debate: will CPRA’s treatment of data privacy be too restrictive for American sensibilities, or will its improvements to the CCPA make it a logical model for states that already have CCPA-like laws in process?
Just as other states have modeled their privacy laws on the CCPA, we expect additional states to update their laws using the CPRA as a model. The appeal may be particularly strong in states with a large tech industry. The law’s similarity to GDPR has also prompted speculation that California could become the first U.S. state to receive an adequacy decision from the European Commission since the Schrems II decision invalidated the Privacy Shield framework for EU-U.S. data transfers.
Keeping up-to-date with changes in privacy regulation is an exhaustive effort. With RadarFirst, you can sleep better at night knowing you have future-proof compliance with the click of a button.
Momentum for state-level comprehensive privacy bills is at an all-time high. The RadarFirst Global Breach Law Library provides an up-to-date library of global data breach laws that are mapped to an automated risk assessment, including regulatory watchlists that track proposed and recently passed legislation.
Although many of the proposed bills may fail to become law, comparing the key provisions helps to understand how privacy is developing in the United States.
CPRA is Now in Effect, Enforcement Starts July 1, 2023
CPRA went into effect on January 1, 2023. Enforcement of its new provisions does not begin until July 1, 2023, and applies only to violations occurring on or after that date, which gives businesses a six-month window to comply with the new requirements.
Note, however, that the CPRA’s consumer rights reach back to personal information collected on or after January 1, 2022, so data already on hand is in scope. Affected organizations have no time to waste.
Whether a business needs to create privacy or security programs or update existing programs to comply, it should move quickly to complete or update the following tasks:
- Map, classify and manage all the “sensitive personal information” newly protected by CPRA
- Revise workforce disclosures and processes to comply with CPRA’s new workforce privacy protections
- Review children’s privacy policies and practices, since the CPRA raises the fines for violations involving the personal information of minors
- Review data usage and retention policies, create the required new consumer notices and disclosures, and put in place procedures that let consumers correct inaccurate personal information held by the organization
- Conduct risk assessments in preparation for CPRA’s mandatory audits
- Proactively identify contacts at, and build a working relationship with, the new California Privacy Protection Agency
- Update and audit existing contracts with third-party service providers and contractors
- Ensure your website and all back-end systems are updated and compliant
Even if your organization doesn’t currently fall under CPRA requirements, data management, regular risk assessment, policy reviews, and building regulator relationships are all good practices.
Surf’s up, people! Get ready to ride this California wave!
It’s important to streamline and automate day-to-day processes such as risk assessment and privacy incident response processes, so that your team has bandwidth to adapt for CPRA and future CPRA-based laws. Because anyone who thinks CPRA will be a one-time thing is “California dreamin”.
As Laura Jehl, global head of McDermott’s Privacy and Cybersecurity Practice, told CSO, “[other state laws] won’t copy all aspects of CPRA and they’ll include some components that aren’t in CPRA, which means that U.S. privacy compliance is about to get even more complicated.”