After CCPA: CPRA and The Future State of US Privacy
In BigIDeas on the Go, a new podcast that focuses on industry leaders and relevant conversations around data privacy, security, and governance, CCPA co-author Rick Arney talks with BigID CEO Dimitri Sirota about how the California Privacy Rights Act (CPRA), the latest privacy initiative out of California, is “CCPA, gone stronger.”
The California Privacy Rights Act (CPRA) is the next evolution of California privacy regulations, aimed at strengthening, expanding, and putting “real teeth” behind regulations established by the California Consumer Privacy Act (CCPA). From steeper data disclosure requirements to stronger enforcement, CPRA builds upon CCPA’s core protections to give individuals more control over their data.
The Pre-CCPA Landscape: Privacy Is “Out of Control”
The CCPA changed organizational and consumer thinking about privacy and data rights in the United States. But in a pre-regulated world, getting legislators to act toward meaningful change in privacy law presented a challenge—especially given the power and size of the moneyed organizations that had vested interest in maintaining the status quo.
When Arney co-wrote the bill, it began as a ballot initiative with enough signatures to take it straight to the voters. Interest groups showed interest, focus groups focused, and polling at 89% got lawmakers paying attention. California passed CCPA into law to maintain jurisdiction over the law’s future amendment and modification, rather than let it go straight to the ballot—and straight to the California voter—as a proposition.
While the passing of CCPA was an important measure, a central takeaway is this: The California legislature has the power to amend CCPA. Bills are frequently proposed toward that effort. And that could weaken it.
The Right to Know: Create Awareness, Create a Movement
CCPA’s popularity among California residents was no small revelation. Historically, privacy initiatives have come across some resistance due to a lack of awareness and visibility into what’s actually at stake.
“If you ask people, what do you think of privacy, almost everybody says, ‘Yeah, I’m pro-privacy,’” Arney says. But once you start to put regulations in place that might make things a little more difficult for those very same folks, they tend to fold. The CCPA started to turn that around by giving people transparency into the data that was actually being collected about them, and how it was being used.
CCPA’s “right to know” gives people the right to find out what information companies are collecting on them: revealing that companies have access to their health conditions, religious affiliations, political opinions, sexual histories, and a slew of other sensitive information that sits stored in various databases—often for sale to the highest bidder.
“When people find out their personal information is potentially for sale, it only enhances people’s movement toward more privacy,” says Arney.
In other words, this data is valuable—and individuals often don’t realize it exists beyond their own personal records. CCPA not only informs them that they have the right to know, but attempts to put the power over that data back in the individual’s hands, not the conglomerate’s.
What’s Different About CPRA?
Laws are important, but the ability to enforce them is even more so. And that’s a central part of CPRA’s goal. Arney identifies some of the highlights that CPRA brings to the privacy landscape:
Enforcement
The CPRA doubles down on accountability with a transformative approach to enforcement. It would establish a new agency in the state of California, charged with actually enforcing new regulations proposed under the initiative—plus all those included in CCPA.
Enforcement under the new agency includes subpoena and auditing powers, which would change the urgency and manner in which companies adopt privacy standards.
New rights and penalties included under CPRA
- The right to opt out of precise geolocation, currently defined as less than a third of a mile.
- Tripled fines for misusing the collection of children’s information. CCPA prevents the sale of children’s information, and these new fines under CPRA drive that regulation home.
- Data minimization to prevent companies from collecting more information than is actually needed.
Reinforcing the floor
To address the aforementioned threats CCPA has faced since its adoption, CPRA ensures that the regulations under CCPA cannot be weakened moving forward. CPRA has a mechanism in it that will allow the legislature to continually amend CPRA—a necessity since technology changes so quickly—but only in ways that are pro-privacy. If the changes in any way weaken privacy, the legislature is not allowed to pass them.
In essence, this makes CPRA the floor—not the ceiling—for privacy regulations and enforcement going forward.
Privacy in the Time of Coronavirus
It’s an interesting moment for privacy. Within the context of Covid-19, “people are thinking about privacy, particularly … tracking people that are infected.”
This may sound fine when it comes to saving lives and preventing the spread of the disease. But it entails the collection of personal medical information, and the associated insurance profiling that comes with it. Beyond that, “we don’t know what the aftereffects of Covid-19 are,” says Arney, or the implications that could come out of companies possibly selling that data.
Voluntarily providing this information is one thing, but people should understand (and be informed) if there are no adequate controls over it. There are ways to use information responsibly to slow the spread while making sure that there are controls on it and that it’s protected: “There are ways to use this information to save lives.”
The Future of Data Privacy: Good Privacy Is Good Business
As CCPA gains popularity in other states, it starts to become clearer that “good privacy is good business.” Many companies want it to become the de facto standard for other states, since it makes compliance easier.
From public enforcement of CCPA’s privacy regulations to creating a “privacy floor” for future modification efforts, CPRA builds on an evolving privacy legacy in maintaining personal rights. “I think,” Arney says, “other states are going to pick up on this, it will become a national standard. Eventually the federal government might actually pass something that looks similar to it, and hopefully that looks like CPRA, to be honest.”