CPRA (Prop 24) has passed. Here’s what to expect.
On November 3, Californians voted to approve Proposition 24, also known as the California Privacy Rights Act of 2020 (CPRA), a new data privacy law that modifies and expands the regulations of the California Consumer Privacy Act of 2018 (CCPA). Yes, just a few months after CCPA went into effect on January 1, 2020 with an enforcement date of July 1, 2020, we already have a substantial update. The good news is that if your organization is ready for CCPA in terms of data management and data governance, chances are most of your preparations for CPRA will require adjustments to what you’re already doing operationally rather than an entire reset.
CPRA is set to go into effect on January 1, 2023. While the two-year window means there’s no immediate need to panic, businesses should avoid the temptation to postpone their readiness efforts. As many organizations learned with GDPR and CCPA, preparing for data privacy laws on an operational level takes time and coordinated effort, so waiting until the last minute can mean waiting too late, particularly since CPRA provisions will apply to any personal data collected on or after January 1, 2022—one year before its effective date—except with respect to access requests.
In this article, we first describe the higher-level conceptual differences between CCPA and CPRA. Next, we’ll review a few aspects of CPRA with significant practical impact on businesses—particularly from a data management and data governance perspective—and what they mean for organizations that have already prepared for CCPA. Read on to learn:
- High-level differences between CCPA and CPRA
- The nitty-gritty details of CPRA readiness
- What will not be changing
High-level conceptual differences
It is helpful to keep in mind conceptual differences between CCPA and CPRA. CPRA is an attempt to harmonize California law with GDPR’s stronger data privacy concepts of data as a human right (which is inalienable), as opposed to CCPA’s slant toward data as a property right, (which is alienable). Whereas the conceptual focus of CCPA is on transparency and enabling consumers to control the sale (broadly defined) of personal data, CPRA concepts are more aligned with GDPR principles around the use of personal data, such as data minimization, purpose limitation, and storage limitation, discussed more fully below.
CPRA also addresses digital practices of monitoring and manipulating:
“Don’t Monitor Me”: CPRA recognizes the need for greater regulation around technological advances in machine learning and AI, and around the data collected along with them, which can lead to biased profiling practices. It gives people the right to know whether businesses are profiling them and deciding which advertising to send, and to demand that businesses turn over meaningful information about the logic behind how those decisions are made. So essentially, CPRA gives people the right to say “don’t use my sensitive personal information, don’t track me from device to device, and don’t track me across unrelated businesses.”
“Don’t Manipulate Me”: Currently, people don’t know if they are being pushed in a certain direction because of algorithms, and even AI companies lose control over their algorithms at a certain point. CPRA adds a new concept of cross-context behavioral advertising. This prohibits targeted advertising based on a profile or predictions about the consumer related to the consumer’s activities over time and across multiple businesses or distinctly branded services, websites, or applications. Further, CPRA specifically limits service providers from engaging in any cross-context behavioral advertising.
This, combined with CPRA’s new concept of “dark patterns,” which it defines as “a user interface designed or manipulated with the substantial effect of subverting or impairing user autonomy, decision-making, or choice,” addresses the social media practices of creating and reinforcing “filter bubbles.” Notably, CPRA states that agreement obtained through use of dark patterns does not constitute consent.
CPRA creates (and increases the current CCPA enforcement budget for) the California Privacy Protection Agency (CPPA), which will be “vested with full administrative power, authority, and jurisdiction to implement and enforce the California Consumer Privacy Act,” not unlike the network of Data Protection Authorities formed under GDPR.
CCPA currently places enforcement responsibility on the California Attorney General’s office, which admittedly has limited resources to police data protection efforts across a wide swath of businesses. The newly formed CPPA will extend enforcement, including imposing penalties for negligence resulting in theft of emails and passwords, and tripling the fines for violations involving children. The establishment of a dedicated agency will provide continuity and expertise, and denotes an elevated commitment to holding organizations accountable.
CPRA’s adoption of GDPR-like protections may result in California being deemed an “adequate territory” for cross-border transfers between it and Europe, assuming national surveillance issues such as FISA and NSA surveillance can be addressed. Considering that more than $7 trillion of commerce exists between the United States and Europe, this may lead to California becoming the hub for U.S. data centers. Another scenario is that other states will see the benefits of enacting CPRA-like statutes of their own—particularly in light of increasing consumer attention to how businesses handle their personal information. In short, CPRA pushes forward the notion of all of us being in charge of our own data.
Which businesses does CPRA cover?
In recognition that the added regulatory hurdles may be too burdensome for many small and medium businesses, CPRA raises the threshold for who must comply: from a business that buys, sells, receives, or shares, for the business’s commercial purposes, the personal information of 50,000 consumers, households, or devices, to one that buys, sells, or shares the personal information of 100,000 consumers or households. Particularly with the removal of the word “devices,” this reduces the number of small and medium-sized businesses that must adhere to California’s expanded data privacy regulation.
On the flip side, CPRA expands its reach slightly by including joint ventures or partnerships where each business has at least a 40 percent interest in what is considered a single business, and it allows for voluntary self-certification of agreement to be bound by the updated regulations. CPRA also expands applicability to businesses that generate most of their revenue from sharing personal information (not just selling it), where sharing means sharing, disclosing, making available, or communicating in any manner with third parties for purposes of cross-context behavioral advertising, whether or not money or other consideration is exchanged.
CPRA introduces a new focus on data uses with increased transparency requirements that bring California closer to GDPR standards. This will require businesses to revisit the data privacy and governance practices put in place for their CCPA compliance programs with an eye toward the following principles, particularly in businesses that have not had to comply with GDPR:
- Purpose limitation: “Tell me why you are collecting and using my personal data, and don’t use it for a different purpose (a duty to avoid secondary uses).”
- Storage limitation: “Tell me how long you’re going to keep my information, and then don’t keep it longer.”
- Data minimization: “Don’t collect more information than you need to do the thing you say you are going to do with my information.”
First, businesses will need to have a clear understanding of WHAT, WHY and HOW they are collecting and using personal information, and then to communicate this in a transparent way at the time of collection. A business may collect, use, retain, and share personal information only to the extent that it is relevant and limited to what is necessary in relation to the purposes for which it is being collected, used, and shared, as noticed at the time of collection. Any additional uses must be disclosed at the time of that new use.
This means that a covered business must have internal processes and systems that will flag any use not anticipated at the time of collection. For siloed enterprises with siloed data sets that are shared among lines of business or departments, this may present a challenge that will need to be considered when forming their data governance programs. Lines of business that are access points for personal data will need to have a heightened understanding of where that data travels throughout the organization and whether it is shared outside the organization.
Businesses cannot retain personal information for longer than is reasonably necessary for the disclosed purpose, and the retention periods must be communicated at the time of collection (or, if that is not possible, the criteria used to determine the retention period). This also may present a data governance challenge when data is used by multiple lines of business or departments, which will need to coordinate tightly, for example, when the initially stated use is no longer relevant to one department but may still be relevant to another.
Together, these new concepts strengthen the need for focused and regularly updated attention on data and system inventories, data flow diagrams, and data retention practices to ensure that business processes and technology systems remain consistent with the provisions of CPRA.
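As an added illustration of the purpose-limitation and retention checks described above (example code, not from the original article or from Logic20/20), this Python sketch models a data inventory in which each field records the purposes and retention period disclosed at collection, then flags proposed uses that fall outside that notice. The inventory schema, the category labels, and the sample entries are assumptions made for the example.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Sensitive-data categories labelled after the CPRA list the article quotes (constructed).
SENSITIVE_CATEGORIES = {
    "government_id", "financial_account_login", "precise_geolocation",
    "racial_ethnic_origin", "biometric_identifier", "health",
}

@dataclass(frozen=True)
class InventoryEntry:
    """One personal-data field as recorded in a data inventory (hypothetical schema)."""
    system: str
    field_name: str
    category: str
    noticed_purposes: frozenset        # purposes disclosed at the time of collection
    collected_on: date
    retention_days: int                # retention period disclosed at collection
    limit_use_requested: bool = False  # consumer used the "Limit the Use" link

def check_use(entry: InventoryEntry, purpose: str, today: date) -> list:
    """Concerns raised by using `entry` for `purpose` on `today`; [] means the use
    matches the notice given at collection (purpose, retention, limit-use request)."""
    issues = []
    if purpose not in entry.noticed_purposes:
        issues.append("purpose_not_noticed")   # secondary use: disclose before using
    if today > entry.collected_on + timedelta(days=entry.retention_days):
        issues.append("retention_exceeded")    # should already have been deleted
    if entry.category in SENSITIVE_CATEGORIES and entry.limit_use_requested:
        issues.append("sensitive_limit_use")   # honour the consumer's request
    return issues

def audit_inventory(inventory: list, today: date) -> dict:
    """Map 'system.field' to issues: past retention, or no disclosed purpose at all."""
    findings = {}
    for e in inventory:
        issues = []
        if not e.noticed_purposes:
            issues.append("no_noticed_purpose")   # data-minimization red flag
        if today > e.collected_on + timedelta(days=e.retention_days):
            issues.append("retention_exceeded")
        if issues:
            findings[f"{e.system}.{e.field_name}"] = issues
    return findings

# Constructed sample inventory: three fields across three hypothetical systems.
INVENTORY = [
    InventoryEntry("crm", "email", "contact", frozenset({"order_fulfilment"}),
                   date(2022, 3, 1), 730),
    InventoryEntry("mobile_app", "gps_fix", "precise_geolocation",
                   frozenset({"delivery_tracking"}), date(2022, 6, 1), 30,
                   limit_use_requested=True),
    InventoryEntry("analytics", "device_fingerprint", "contact", frozenset(), date(2022, 1, 15), 365),
]
```

Running `audit_inventory(INVENTORY, today)` on a schedule gives the retention and minimization findings; `check_use` is the gate a line of business calls before repurposing a field.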
CPRA creates a new category of “sensitive personal information”
Sensitive personal information under CPRA covers two categories: (1) personal information that reveals government identifiers (e.g. Social Security number, driver’s license, passport); financial account and login information (e.g. a credit card number plus login credentials); precise geolocation; racial or ethnic origin, religious or philosophical beliefs, or union membership; content of mail, emails and text messages (excluding those sent to the business); and (2) processing of biometric information to uniquely identify a consumer, or personal information collected and analyzed concerning a consumer’s health, sex life, or sexual orientation, when such information is not public.
CPRA imposes separate obligations of disclosure, opt-out (or “Limit the Use of My Sensitive Personal Information” links), and purpose limitation requirements on sensitive personal information. Businesses that are ready for CCPA should already have in place the data management and data governance practices to be able to disclose and limit how they use personal data, as well as procedures for handling data subject requests. Covered businesses will need to revisit their business processes and systems workflows to make sure that they adhere to the heightened requirements around sensitive personal information.
CPRA introduces new requirements to qualify as a service provider and clarifies some CCPA confusion by adding a new category of “contractors”—recipients of personal information from businesses with the same contractual obligations placed on service providers. It also places obligations on service providers and contractors to assist businesses with CPRA compliance activities. CPRA further clarifies and provides additional limitations regarding service providers’ and contractors’ uses of personal data and requires that they silo personal data received from or on behalf of the business from personal data received from other sources, including themselves. Although large data hosting providers already silo their customers’ data, this requirement may present a technical challenge for smaller service providers or contractors who do not currently do so.
New and expanded consumer rights
In addition to the rights granted under CCPA, California residents will now have the rights to: (1) correct inaccurate information, (2) opt out of automated decision-making technology, (3) access information about automated decision making, and (4) limit use and disclosure of sensitive personal information. Additionally, CPRA allows consumers to see all personal data held by covered businesses, rather than the prior 12-month limit, starting with any personal data collected on or after January 1, 2022.
Here again, organizations that are set up to accommodate the consumer rights granted under CCPA will be well-positioned to adapt to CPRA’s expansion. For the correction rights, businesses will need to make sure that the corrections permeate through the business’ IT systems so that all copies of the personal information are corrected. For the rights related to automated decision making, organizations that have accurately mapped their data systems, data processes, and data flows in preparation for CCPA should have the foundation they need to disclose information about their algorithm-driven decision-making and to opt individuals out of these processes as requested.
While CCPA focused on enabling consumers to control the sale of their information, CPRA explicitly expands this control to include sharing of sensitive personal information unless the sensitive personal information is collected or processed without the purpose of inferring characteristics of a consumer. CCPA’s broad definition of “selling” to include “selling, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating” covered many disclosures of personal information, but still had the requirement that “valuable consideration” be received to qualify as a sale. CPRA’s addition of sharing to the area of consumer control has no such requirement, so this modification broadens consumers’ ability to control the proliferation of their personal information for purposes of cross-context behavioral advertising.
CPRA also:
- Expands the private right of action for consumers to cover breach of an email address in combination with a password and security question-and-answer permitting access to the email account;
- Extends the employee/B2B exception to January 23, 2023, but notice requirements and security breach provisions remain effective now;
- Limits the 30-day cure period for violations;
- Provides certain limited educational exclusions like grades and standardized test scores, and school yearbooks; and
- Clarifies that businesses may offer loyalty, rewards, premium features, discounts or club card programs.
What will not be changing
To be sure, the California Privacy Rights Act is not to be taken lightly among businesses that handle the personal information of California residents. However, preparing for enforcement of the law requires the same basic foundation as readiness plans for GDPR and CCPA. Businesses still need to understand and continuously update their data inventories and data flows. They still need to align people, processes, and technologies with requirements of applicable data privacy laws. And they still need a governance plan to maintain readiness amid any number of triggers that can impact their compliance status.
Keeping in mind that privacy is part of digital ethics and is central to trust—with roughly 90 percent of Americans considering data privacy a human right—we continue to recommend that businesses:
- Create an ethical framework for data management;
- Build data privacy programs around principles-based approaches and step away from a check-the-box mindset;
- Have a very clear understanding of both why personal data is needed and the complete data lifecycle of all personal information;
- Get rid of redundant, obsolete, and trivial data;
- Strengthen and enforce data retention programs;
- Review and enforce access controls for personal data; and
- Build Privacy by Design principles into all digital transformation initiatives.
I’ve often said that organizations need to think strategically about data collection and flows—collecting as little data as necessary (and only what they’re allowed to collect/process), giving access to as few people as possible, and only holding it as long as it’s needed. Not only does this enable them to prepare for GDPR—and now, CPRA—but it also reduces their data footprint, making the task of data management and governance more manageable. The end result is that people will have more trust in the business—which is never a bad thing when it comes to the bottom line.
Logic20/20 has helped numerous clients prepare their data management and governance environment for GDPR, CCPA, and other data privacy laws—a process that begins with gaining a clear understanding of their data and mapping the systems, processes, and flows around it. If you have questions about how to prepare for CPRA, feel free to give us a call.
General Manager of Data Privacy Jill Reber is a nationally recognized expert on data privacy—particularly GDPR, CCPA, and other data protection laws—and has spoken on the topic at conferences sponsored by American Banker, International In-House Counsel Journal, Information Management, the American Bar Association, and other national and international organizations.