The proposed California Privacy Rights Act (CPRA) is the latest attempt to address consumer expectations on the collection and use of network activity and identity data. Notably, these statutes are increasingly driving security and compliance requirements, yet without a federal effort they are poised to proliferate. Interestingly, this one is being driven by a ballot initiative, not by the California legislature.
The proposed Act differs from the existing California Consumer Privacy Act (CCPA) in that:
- The thresholds for applicability are changing slightly. CPRA applies to businesses that process the personal information of 100,000 California residents or households, up from 50,000.
- Data subjects have new rights, specifically the right to correct data and to opt out of the sale of personal information. Websites, mobile apps, etc. will need to clearly display an option to limit the use (sale) of sensitive information, which also has an expanded definition.
- Businesses will be required to provide the ability to produce data over a longer look-back period.
- Fines are increased for knowingly sharing data on a minor.
- A data subject has a right to redress if the unauthorized disclosure of protected information is due to a failure to use appropriate user authentication controls.
- Information collected may not be retained “for longer than is reasonably necessary for that disclosed purpose”, and data retention policies will need to line up with this requirement.
- It includes a “portability requirement” to ensure that data are provided in a format that is transferable.
- It increases third-party security requirements, such that all contractors must now have executed agreements that specify mandatory controls and security expectations, and this increases the span of control of the statute.
CPRA Next Steps
If passed, the changes necessitated must be in place by July 2023. Policies will have to be addressed for compliance with the opt-out mechanism and aligned with data retention processes (this will be a heavy lift for some companies). The ability to produce, on-demand, consumer records and allow them to be “corrected” must be implemented and tested.
Compliance may require new capabilities, especially if your company falls into the new category of ‘contractor’ and the business associate agreements require data retention and destruction processes that do not currently exist. Companies would be well-advised to perform a data inventory and limit the collection and storage of elements that are not needed, as this information can quickly become a liability.
An enforcement organization will be created if the initiative passes and endowed with $10M to operate. It will have rulemaking and audit authority. It’s not clear that the penalties will be any different than those articulated in the CCPA; the CPRA is designed to strengthen the privacy provisions in the CCPA, while removing the ability for the legislature to weaken privacy controls in the future.
Should the initiative pass on November 3rd, businesses in scope should be advised to review data taxonomy, assign retention schedules, develop opt-out and data correction processes, and ensure that public-facing policy is consistent with practices.