If you haven't paid much attention to the California Consumer Privacy Act (CCPA), now is the time to care. The California Privacy Rights Act (CPRA) (or Proposition 24) adds stronger privacy protections to the act and establishes the California Privacy Protection Agency. What exactly is changing?
Alastair Mactaggart, a real estate developer and investor based in San Francisco, surely doesn’t want California to lag behind the EU when it comes to protecting personal data. In the words of Christiane Amanpour, he’s the one challenging the tech giants. It was his initiative that led to the adoption of the CCPA, the first significant data privacy law in the United States. And now he’s pushing the law even further.
Why? According to Vox, Mactaggart says the CCPA ended up with weaker consumer protections than his original ballot measure, a trade-off made in the interest of getting the law passed. These weaknesses were mainly caused by the amendments made in 2019. To create a stronger data protection law, Mactaggart launched a new initiative. As Vox stated, he aims to fix the shortcomings of the CCPA and give California a law on par with the European Union’s General Data Protection Regulation (GDPR).
In November 2020, Mactaggart’s 52-page proposition was passed by the voters. The CPRA becomes effective as of January 1, 2023, and will apply to the personal data of Californians collected by companies that are required to comply with the legislation. “The intention of the act is to strengthen consumer privacy rights. Companies need to be aware that the new legislation will apply to data collected from January 2022,” says Tony Anscombe, ESET cybersecurity expert.
What should you know about the new amendment to the CCPA?
- It leads to the creation of a brand-new institution that will enforce the rules. The California Privacy Protection Agency will take up the Attorney General’s rulemaking authority on July 1, 2021, or six months after it notifies the Attorney General that it is prepared to begin rulemaking, whichever is later. It will operate with a budget of $10 million to fund its investigation and enforcement activities. “This authority will be responsible for not only the update to CCPA, but it also establishes a body that is likely to issue new rules. This is the enforcement arm that will ensure the modified and previous legislation is adhered to,” Anscombe says. “This agency will also be tasked with education, awareness, guidance to businesses and consumers, and cooperation with other agencies.”
- The CPRA doesn’t apply only to businesses that collect consumers’ personal information. It makes it more explicit that the term “do not sell” includes data shared between two or more companies. Therefore, any business acting as a third party that controls the collection of personal data is now in the game too. The CCPA has already provided consumers with the right to opt out and stop businesses from selling their personal information. Now the act also regulates its sale and sharing. “This, importantly, also covers online ad networks in the context of cross-context behavioral advertising,” explains Anscombe.
- Any California resident now has the right to tell businesses not to use certain categories of his or her sensitive information. This applies to race, health conditions, religion, precise location, consumer’s sex life or sexual orientation, and biometrics. According to Anscombe, the rule limits the use and disclosure of sensitive personal information. Nevertheless, some data usage may be authorized by the consumer so the service or goods requested can be provided.
- Businesses must provide consumers with an opt-out option for having their sensitive personal information used or disclosed for advertising or marketing purposes, as defined by the law.
- Businesses now cannot share any consumers’ personal information when the consumer is less than 16 years old. There are, however, exceptions for the following:
  - Consumers aged 13-16 who give their explicit consent to the sale or sharing of their personal information
  - Consumers aged under 13 whose parent or guardian has affirmatively authorized the sale or sharing of the data
  In such cases, personal information can be sold or shared, but prior consent is always needed.
- The CPRA triples the penalties for privacy violations in cases where the consumer is less than 16 years old.
- It allows consumers to ask businesses to correct any inaccurate personal information.
What does the CPRA mean for the companies?
It’s likely that fewer companies will need to comply
According to The National Law Review, the CPRA changes the thresholds for businesses to be subject to the new law. Your company has to comply with the CPRA if your business derives at least 50% of its annual revenue from selling – and now even sharing – the personal information of California consumers, and buys and sells or shares the personal information of more than 100,000 California consumers or households. This will have an impact, especially in the ad tech sector. By increasing the relevant number of consumers or households for whom a for-profit entity annually buys, sells, or shares personal information from 50,000 to 100,000, the CPRA removes the need to comply for many small businesses.
The usage of data in your business should be monitored
Do you need to collect any data that might be classified as sensitive personal information? If you want to prevent violation of privacy rights, you need to have procedures in place to manage the data securely, according to Ethyca. You will have to provide a separate opt-out option for customers with a website notification so they can make a choice regarding the usage of their sensitive personal information.
The private right of action for consumers has expanded
The CCPA already allows private action for a data breach, and the CPRA adds another ground: California residents can now bring claims against a business for unauthorized access to or disclosure of an email address, password, or security question that would allow access to an account, where the business failed to maintain reasonable security. Even a single security question can expose a business to such claims if it permits access to an account, in addition to the existing exposure for access to a consumer’s unencrypted and unredacted personal information.
The period for collection and retention of personal data will be shorter
The CPRA requires a business to retain only data that is reasonably necessary and proportionate to achieve the purposes for which the personal information was collected or processed. The companies also have to inform consumers of the length of time the business intends to retain each category of personal information and sensitive personal information or the criteria used to determine that period, according to The National Law Review.
The rules are now stricter when it comes to noncompliance
Proposition 24 has removed the option for businesses to fix violations before being penalized. Also, businesses will no longer have a 30-day window to cure alleged noncompliance before being subject to administrative enforcement. That’s why your company should take the necessary steps to be compliant with the CPRA before the legislation becomes active. So, if your company collects any consumer data or shares any data with other companies, be sure that your work team understands how to treat personal data responsibly. On top of that, consider auditing your vendors to see if they understand new data compliance regulations and have an action plan to comply with them.
Automated decision-making technology has new rules
The CPRA gives the consumer the right to access information about the logic and processes involved in automated decision-making technology, together with a description of the likely outcome of the process for the consumer. The CPRA mandates the development of regulations to address access and opt-out rights relating to profiling technology. If you use any machine learning algorithms to automate decisions related to consumer marketing, you will have to share your process with the public.
The final regulations under the CPRA should be adopted by July 1, 2022. If you are wondering whether the new regulations might have a negative impact on your company operations, you should know that enforcement authority will not begin until July 1, 2023, and will only apply to violations occurring after that date but will apply to personal data collected on or after January 1, 2022. So far, the changes for companies that are already in compliance with 2018's CCPA – and especially with Europe's GDPR – will be minor.