Californians voted yes on Proposition 24 — also known as the California Privacy Rights Act of 2020 (CPRA).
While the CPRA, an amendment to the California Consumer Privacy Act of 2018 (CCPA), has been hotly contested and faced opposition from both businesses and privacy advocates, the passage of this legislation is a big step forward for the US privacy landscape.
What Changes Under CPRA?
CPRA amends the CCPA to create additional consumer privacy rights, such as the right of correction and the right to limit the use and disclosure of sensitive personal information. It also establishes the California Privacy Protection Agency (CPPA), shifting rulemaking and enforcement authority from the California Attorney General to the new state agency.
The CPPA will be the first US agency dedicated solely to privacy — similar to how EU member states have their own individual data protection authorities under GDPR.
“Do Not Sell” Under CPRA
CPRA directly impacts the ad tech community, as it strengthens the CCPA mandate of “do not sell” personal information. While some have made the argument that CCPA does not require an opt-out of targeted advertising, CPRA effectively nullifies the debate, incorporating individuals’ ability to opt-out of the sharing of information — not just its sale — for behavioral advertising purposes.
With the combination of the CPRA, privacy efforts made by major browsers, and the recent iOS14 updates to do away with third-party tracking, the ad tech industry will likely fight back or need to comply with privacy regulations.
Sensitive Personal Information (SPI) Under CPRA
CPRA introduces a new definition of “sensitive personal information” (SPI), with broader requirements than the GDPR’s “special categories of personal data.” CPRA’s SPI definition includes:
- government-issued identifiers
- account log-in credentials
- financial account information
- precise geolocation
- contents of certain types of messages
- genetic data
- racial or ethnic origin
- religious beliefs
- health data
- data concerning sex life or sexual orientation
Under CPRA, companies must offer consumers the ability to limit the use and disclosure of their sensitive personal information. In other words, a consumer could direct a business to use their SPI for purposes only necessary to perform the service or provide the goods requested. Companies would then be required to respect such requests unless the consumer provided subsequent authorization to use the SPI for additional purposes.
In addition to the expanded scope of regulated information, the proposed law includes data minimization and data retention requirements. Businesses would have to disclose how long they keep data and ensure that the timeline is only as long as is “reasonably necessary.”
Annual Audits and Risk Assessments
Another new provision of CPRA — and new in American privacy legislation — includes the requirement of annual audits and risk assessments for any high-risk processing activities, which the AG and, eventually, the new protection agency would regulate.
Those regulations will require businesses whose processing presents significant risks to consumer privacy or security to perform a thorough and independent cybersecurity audit every year.
To determine what would merit such an audit, the regulations would consider the size and complexity of the business — and the nature and scope of the processing. Implicated companies would need to submit regular risk assessments to the CPPA establishing the goal of the processing — and balancing its benefit to all stakeholders with the risks to the consumer.
CPRA and Cross-Border Data Transfers
To add to all of this, there is a small but notable chance that CPRA could help temporarily solve challenges around the invalidation of the EU-US Privacy Shield.
Certain provisions of the CPRA — such as the consumer right of correction, retention requirements, purpose limitation, and data minimization — could help to push the state of California into being an “adequate” jurisdiction under GDPR for cross-border data transfers. With more than $7 trillion of commerce between the US and EU on the line, California could end up as the central data hosting hub.
What Does CPRA Mean for the Privacy Landscape — and a Federal Law?
Looking ahead, it’s unclear what impact CPRA will have on the broader privacy landscape — particularly as it relates to federal legislation.
On the one hand, the new version of California’s privacy law will go into effect in January 2023, with retroactive oversight into a company’s data practices as far back as January 2020. With two years between national adoption and implementation, the CPRA could give Congress the push it needs to implement federal US privacy legislation.
In addition, we will likely see a resurgence of privacy bills in 2021 — like the Washington Privacy Act bill, which has surfaced for the third time in the state legislature and borrows elements from both CCPA and GDPR.
The industry is also closely watching the controversial State Uniform Law Commission (ULC)’s draft proposal, which states could potentially adopt as a model for their own privacy legislation. If we start to see CPRA and other privacy proposals come to fruition, then the call for a federal mandate will become even stronger.
Check out BigID’s Guide to CPRA Compliance to learn more about what’s new in CPRA — and how to get your organization ready for CPRA compliance.