As predicted, California’s Proposition 24, which will enact the California Privacy Rights Act (CPRA) passed by a margin of 56% to 44%. In the continued absence of an overarching federal privacy law, CPRA is predicted to be a bellwether and model for other state laws. While CPRA implementation details are still being finalized, the CPRA implements key changes to the CCPA that privacy rights advocates and companies that do business in California should watch closely:
- The CPRA goes into effect and is enforceable January 1, 2023, and introduces a new sub-category of personal information: “sensitive information”. This includes information such as social security numbers, driver’s license, and passport numbers, consumer account logins, precise geolocation, genetic information, sexual orientation, and more, broadening the scope of personal information to more closely align with General Data Protection Regulation (GDPR) in Europe.
- New definition of “sharing” as disclosing to a third party for cross-context behavioral advertising, even when not for consideration (with some exceptions).
- The CPRA clarifies that opt-in consent is required for selling personal information of children under 16. In addition, administrative fines for violations are 3x “regular” violations - $7,500/violation - when the business has actual knowledge that the consumer is under 16.
- The CPRA introduces additional requirements relative to the CCPA, including:
- Penalties if email / password combination is stolen due to negligence;
- Provides consumers the right to restrict use of their data;
- Provides consumers the right to correct data (consumers will have the right to correct inaccurate personal information, and businesses must create a “limit the use of my sensitive personal information” link, similar to the “do not sell my personal information” link required under the CCPA);
- Extends the right to access beyond 12 months and prevents storage longer than necessary;
- Ensures use is “reasonably necessary and proportionate” to accomplish the stated purposes (data minimization and purpose limitation);
- Provides transparency around profiling and automated decision making; and
- Requires regular cyber audits and risk assessments for high risk processors.
For many companies, the lift to support additional requirements may be significant. In our experience and lessons learned from GDPR and CCPA over the last 4 years, we recommend companies consider the following as the assess impact and prepare to comply with the act:
- Start early: If GDPR, CCPA, LGPD and the like provide any indication, you will inevitably run into unforeseen challenges along the way. Starting early to build a plan, educate stakeholders, and execute in a coordinated way across functional owners is key
- Revisit retention practices, policies and schedules: While this has always been better practice and in some cases legally obligated, the CPRA brings renewed focus to the importance of effective data management and retention
- Evaluate and refine existing practices and capabilities where possible: For example, automated inventory and privacy workflow management can and should be augmented to account for additional obligations, but for companies that invested beyond the bare minimum, now is the time to reap the benefit of those investments
- Conduct a detailed evaluation of the impact to data management and data leverage initiatives (e.g. automated decisioning), and develop a plan to modify privacy policies and notice and/or business impact of modifying data usage practices. The ability to balance consumer rights while maximizing insights and business value from consumer data will require new and creative approaches
- Consider implementing a fine-grained consent management solution to allow consumers added flexibility in fulfilling their existing and extended rights. While this requires a good foundation of data visibility and governance, this can dramatically reduce manual overhead, associated with consumer rights request fulfilment, while enriching digital trust with consumers