Just days before enforcement of the California Consumer Privacy Act (CCPA) began on July 1st, 2020, the California Privacy Rights Act (CPRA) received enough signatures to qualify for the November ballot. This ballot initiative, also referred to as Prop 24, was drafted by the non-profit organization Californians for Consumer Privacy and seeks to extend and clarify several of the provisions in existing California privacy law. If the measure is approved, it will have major impacts on any company that works with the data of a California citizen.
CPRA vs CCPA
The new California Privacy Rights Act incorporates the provisions set forth by the California Consumer Privacy Act (CCPA), but imposes new substantive obligations on businesses, grants consumers new rights, and modifies the CCPA’s enforcement provisions. Alastair Mactaggart, one of the main proponents of the ballot initiative that later served as the foundation of the CCPA, believes that the CCPA is a strong baseline but that California residents deserve additional rights. Among other changes, the CPRA:
Establishes the California Privacy Protection Agency, which will enforce the regulation and protect the privacy of Californians
Defines and establishes a new category of sensitive information, Sensitive Personally Identifiable Information, acknowledging that not all PII is created equal and that some categories are more sensitive than others
Provides consumers with new rights:
The Right to Correction, which grants consumers the ability to request that a business correct inaccurate personal information it has collected
The Right to Restriction, which gives consumers the right to limit a business’s use of their sensitive personal information
Increases penalties for breaches that involve the data of minors
Redefines key terms such as the scope of a “business” and what constitutes a “breach”
Imposes limitations upon the California Legislature to amend the privacy law
Who Does it Affect?
The CCPA defined a “business” as any entity that operates for the profit or financial benefit of its shareholders, collects consumers’ personal information, does business within the State of California, and meets one or more of the following thresholds:
Has an annual gross revenue in excess of $25 million
Annually buys, receives, or sells the personal information of 50,000 or more consumers, households, or devices
Derives 50% or more of its annual revenues from selling consumers’ personal information
The CPRA adjusts this definition by:
Doubling the threshold from 50,000 to 100,000 for an entity that “buys or sells or shares the information of 100,000 or more consumers or households”
Removing the criterion that a business’s buying or selling of personal information be for a commercial purpose
Adding a definition covering joint ventures or partnerships composed of businesses in which each business has at least a 40% interest
How Can Businesses Prepare for CPRA Compliance?
While the CPRA ballot initiative is widely expected to pass, businesses should continue to progress and maintain their CCPA compliance efforts. They should also monitor privacy developments not only in California but also at the federal level. If the CPRA is not approved, businesses should prepare for the January 1st, 2021 expiration of the temporary exemptions for employee and business-to-business information.
To adhere to the expanding set of data privacy regulations, organizations will have to follow the common core principles and practices of data privacy and security. To do so, they should:
Leverage the necessary tools to maintain an ongoing understanding of where sensitive data (specifically personal information) resides
Enforce strong Data Access Governance practices to ensure that the right controls are in place to prevent unauthorized access to personal data
Conduct regular risk assessments to minimize and address any risks to personal data
Deploy monitoring tools to detect and respond to threats in real time