While the nation was preoccupied with the presidential race, California voted “YES” on the California Privacy Rights Act (“CPRA”), which amends and expands on the CCPA. Our previous post sets forth the highlights of the balloted Proposition 24, but in a nutshell, the CPRA was designed to close a number of loopholes in the CCPA, strengthen consumer privacy protections, and establish the California Privacy Protection Agency as the primary enforcement authority.
Some dates to keep in mind: the CPRA amendments become effective on January 1, 2023, and will apply to personal information (“PI”) collected by covered businesses on or after January 1, 2022. The CCPA’s existing exemption for PI collected for employment purposes or in connection with business-to-business (B2B) communications was extended until January 1, 2023 (previously January 1, 2022). The California Privacy Protection Agency must be established by July 1, 2021, and must adopt final regulations by July 1, 2022. Enforcement of the CPRA amendments by the Agency will not begin until July 1, 2023.
While the key dates seem far off, companies should start thinking, sooner rather than later, about what steps they will need to take to implement the new privacy law. The good news is that you don’t have to start from scratch: compliance with the CPRA should simply build on current efforts toward compliance with the CCPA (which remains enforceable as currently implemented).
So what steps should your business take now?
- Determine if your business is covered by the CPRA. The CPRA changes the thresholds for businesses that are subject to California’s privacy law. For instance, the CPRA defines covered businesses as those engaged in the buying, selling, or sharing of the PI of more than 100,000 California consumers/households. This is an increase from 50,000 under the CCPA, meaning that more small businesses are now excluded from the regulation. However, the specific addition of businesses that “share” PI clarifies and expands the scope of the law to cover businesses that provide PI to others, whether or not for monetary or other valuable consideration (an effort to further regulate the use of PI for behavioral or targeted advertising purposes).
- Revamp your data subject request systems. The CPRA creates new rights for California consumers, including the right to correct PI, the right to limit the use of sensitive PI, and the right to opt out of the “sharing” of PI. Your business should therefore implement changes on the system back-end to accept and act on such requests from consumers. Companies will also need to consider how to distinguish and separate out “sensitive personal information,” which includes SSN, driver’s license number, passport number, credit card information in combination with log-in credentials for a bank account, geolocation data, health and biometric data, and information about race, ethnicity, religion, and sexual orientation.
- Review and revise business agreements. The CPRA places new contractual obligations on service providers, contractors, and third parties. Specifically, it requires that businesses sending PI to third parties enter into an agreement binding the recipient to the same level of privacy protections provided by the CPRA, granting the business rights to take reasonable steps to remediate unauthorized use, and requiring the recipient to notify the business if it can no longer comply.
- Enhance data security and implement risk assessments. The CPRA requires businesses to take reasonable precautions to protect consumers’ PI from a security breach. In addition, under the California Privacy Protection Agency’s rulemaking, businesses whose processing of PI presents a significant risk to consumers’ privacy or security must (i) perform an annual cybersecurity audit, and (ii) submit to the Agency on a regular basis a risk assessment of the potential risks related to their processing of PI.
If you need any help navigating or implementing California’s evolving privacy law, please contact us at email@example.com.